MDEV-39480 sysusers.d: lock mysql user and use non-login account metadata #5012
aquilamacedo wants to merge 1 commit into MariaDB:main
…data Use u! for @MYSQLD_USER@ and set the account home and shell to /nonexistent and /bin/false instead of using the data directory as the home. This makes the mysql account explicitly non-interactive and avoids using the datadir as login-related account metadata.
gkodinov left a comment
Thank you for your contribution! This is a preliminary review.
LGTM. Please stand by for the final review.
Thanks @gkodinov for quick review! Really nice to see the upstream contribution pipeline flow this well. I now updated the metadata of this and other patches in Debian as there has been so much progress in upstreaming them: https://salsa.debian.org/mariadb-team/mariadb-server/-/commit/1c4223d59d801c564f9c7655727ea3fc1cf00bf6
The |
Changing homedir has impacts too: https://github.com/devexp-db/mysql-selinux/pull/11/changes - so this is krb auth for mysql. It would also mean config files in ~mysql/.my.cnf are no longer read.
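Added example, not part of this PR or the MariaDB code base: a Python check that audits a service account's `passwd` and `shadow` entries for the properties the commit message names (non-login shell, home that is not the datadir, locked account) and shows where `~mysql/.my.cnf` would resolve afterwards. The sample entries are constructed, and the datadir path `/var/lib/mysql` and the set of non-login shells are assumptions.

```python
import time

DATADIR = "/var/lib/mysql"  # assumption: adjust to the configured datadir
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}  # assumption

# Constructed sample entries in passwd(5) / shadow(5) layout, not taken from any package.
PASSWD_WEAK = "mysql:x:999:999:MariaDB Server:/var/lib/mysql:/bin/sh"
SHADOW_WEAK = "mysql:$6$salt$hash:19800:0:99999:7:::"
PASSWD_HARDENED = "mysql:x:999:999:MariaDB Server:/nonexistent:/bin/false"
SHADOW_HARDENED = "mysql:!*:19800:::::1:"


def audit(passwd_line, shadow_line, datadir=DATADIR, today_days=None):
    """Return a list of findings; an empty list means the account is non-login."""
    if today_days is None:
        today_days = int(time.time() // 86400)  # shadow(5) counts days since epoch
    name, _pw, _uid, _gid, _gecos, home, shell = passwd_line.strip().split(":")
    sh = shadow_line.strip().split(":")
    if len(sh) != 9 or sh[0] != name:
        raise ValueError("shadow entry does not match passwd entry")
    findings = []
    if shell not in NOLOGIN_SHELLS:
        findings.append(f"interactive shell: {shell}")
    if home.rstrip("/") == datadir.rstrip("/"):
        findings.append("home directory is the data directory")
    if not sh[1].startswith(("!", "*")):
        findings.append("password field is not locked")
    # Field 8 is the account expiry date; a past date denies the account itself,
    # independent of whether the password field is usable.
    if not (sh[7] and int(sh[7]) <= today_days):
        findings.append("account expiry is not set to a past date")
    return findings


def per_user_cnf(passwd_line):
    """Path that ~user/.my.cnf resolves to for this passwd entry."""
    home = passwd_line.strip().split(":")[5]
    return home.rstrip("/") + "/.my.cnf"


if __name__ == "__main__":
    for label, p, s in (("weak", PASSWD_WEAK, SHADOW_WEAK),
                        ("hardened", PASSWD_HARDENED, SHADOW_HARDENED)):
        print(label, audit(p, s) or "OK", "| per-user config:", per_user_cnf(p))
```

On a live host the two input lines can be taken from `getent passwd mysql` and, as root, `getent shadow mysql`.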