maria-discuss team mailing list archive

Thread
Date

Re: Why does MariaDB needs SELinux capability for setuid/setgid?

To: Lukas Javorsky <ljavorsk@xxxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Fri, 12 Mar 2021 12:15:26 +0100
Cc: maria-discuss@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CAK719L0B2FnodjU9BgYJsWMdH6y-pSLhedr-0T6JFd0jr0HQaw@mail.gmail.com>

Hi, Lukas!

> I found that setuid/setgid is used inside mysqld_safe_helper
> (mariadbd-safe-helper).
> Are there any other cases when MariaDB uses these functions?

Yes, in the server. If the server is started with --memlock it does

  mlockall(MCL_CURRENT)

to prevent itself from being swapped. This needs root, and the server
uses setuid/setgid to drop root privileges after mlockall.

Regards,
Sergei
VP of MariaDB Server Engineering
and security@xxxxxxxxxxx

Follow ups

Re: Why does MariaDB needs SELinux capability for setuid/setgid?
From: Daniel Black, 2021-03-13

References

Why does MariaDB needs SELinux capability for setuid/setgid?
From: Lukas Javorsky, 2021-03-12