
create a fully locked system account

author Christian Hesse
2025-01-01 21:38:31 UTC
committer Christian Hesse
2025-01-01 22:05:47 UTC
parent 2de6ad2c30e294f94fbcc17a5d2d14c9c62554ea

create a fully locked system account

https://archlinux.org/todo/change-sysusers-to-fully-locked-system-accounts/

.SRCINFO +1 -1
0001-arch-specific.patch +28 -18
PKGBUILD +1 -1

diff --git a/.SRCINFO b/.SRCINFO
index 32b39aa..a951aaf 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -40,7 +40,7 @@ pkgbase = mariadb
 	sha256sums = SKIP
 	sha256sums = SKIP
 	sha256sums = SKIP
-	sha256sums = 08c2c661159f4a7c54a764bb13459e37cbccdf98a93c2cf151d53f600f1fa35d
+	sha256sums = cb22088c50f6deea0b3858180514cad905304794e4f1e5752f03702eae10c353
 
 pkgname = mariadb-libs
 	pkgdesc = MariaDB libraries
diff --git a/0001-arch-specific.patch b/0001-arch-specific.patch
index 90e0af3..3b76a19 100644
--- a/0001-arch-specific.patch
+++ b/0001-arch-specific.patch
@@ -1,7 +1,7 @@
-From f7f319cc00c5c7a9cfaad918989995543295474f Mon Sep 17 00:00:00 2001
+From e98a5576fec05ddadd3c17c3e39f437313ea3e84 Mon Sep 17 00:00:00 2001
 From: Christian Hesse <mail@eworm.de>
 Date: Wed, 19 Feb 2020 13:10:17 +0100
-Subject: [PATCH 1/3] enable PrivateTmp for a little bit more security
+Subject: [PATCH 1/4] enable PrivateTmp for a little bit more security
 
 ---
  support-files/mariadb.service.in  | 2 +-
@@ -9,10 +9,10 @@ Subject: [PATCH 1/3] enable PrivateTmp for a little bit more security
  2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
-index e47a67f6880..54cd9776e41 100644
+index 0aa157d930a..dd26ba23689 100644
 --- a/support-files/mariadb.service.in
 +++ b/support-files/mariadb.service.in
-@@ -129,7 +129,7 @@ UMask=007
+@@ -132,7 +132,7 @@ UMask=007
  
  # If you don't use the /tmp directory for SELECT ... OUTFILE and
  # LOAD DATA INFILE you can enable PrivateTmp=true for a little more security.
@@ -34,14 +34,11 @@ index 31f1586f1bf..b7094662bbd 100644
  
  # Set an explicit Start and Stop timeout of 900 seconds (15 minutes!)
  # this is the same value as used in SysV init scripts in the past
--- 
-2.46.0
 
-
-From e88246b9f23f4b1a0879c494efe0d8703069e1ec Mon Sep 17 00:00:00 2001
+From bf001bae76cbf104fc348a78a41470842803c190 Mon Sep 17 00:00:00 2001
 From: Christian Hesse <mail@eworm.de>
 Date: Wed, 19 Feb 2020 13:10:46 +0100
-Subject: [PATCH 2/3] force preloading jemalloc for memory management
+Subject: [PATCH 2/4] force preloading jemalloc for memory management
 
 ---
  support-files/mariadb.service.in  | 1 +
@@ -49,10 +46,10 @@ Subject: [PATCH 2/3] force preloading jemalloc for memory management
  2 files changed, 2 insertions(+)
 
 diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
-index 54cd9776e41..6b9eec7dbc5 100644
+index dd26ba23689..f2495ca24e9 100644
 --- a/support-files/mariadb.service.in
 +++ b/support-files/mariadb.service.in
-@@ -165,6 +165,7 @@ LimitNOFILE=32768
+@@ -168,6 +168,7 @@ LimitNOFILE=32768
  # Library substitutions. previously [mysqld_safe] malloc-lib with explicit paths
  # (in LD_LIBRARY_PATH) and library name (in LD_PRELOAD).
  # Environment="LD_LIBRARY_PATH=/path1 /path2" "LD_PRELOAD=
@@ -72,14 +69,11 @@ index b7094662bbd..c6f1605276e 100644
  
  # Flush caches. previously [mysqld_safe] flush-caches=1
  # ExecStartPre=sync
--- 
-2.46.0
-
 
-From 805eab247057095b013cda026ab211e9805177da Mon Sep 17 00:00:00 2001
+From 80062512cd56469fcd12642e4d4fc921ff765043 Mon Sep 17 00:00:00 2001
 From: Christian Hesse <mail@eworm.de>
 Date: Wed, 19 Feb 2020 13:11:31 +0100
-Subject: [PATCH 3/3] Make systemd-tmpfiles create MYSQL_DATADIR
+Subject: [PATCH 3/4] Make systemd-tmpfiles create MYSQL_DATADIR
 
 This is a no-op if the directory exists, but makes sure it is created by
 systemd-tmpfiles with proper permissions otherwise.
@@ -102,6 +96,22 @@ index 70de7a12fdb..101b37f306a 100644
  @DISABLE_TMP@d @MYSQL_UNIX_DIR@ 0755 @MYSQLD_USER@ @MYSQLD_USER@ -
 +d @MYSQL_DATADIR@ 0700 @MYSQLD_USER@ @MYSQLD_USER@ -
 +h @MYSQL_DATADIR@ - - - - +C
--- 
-2.46.0
 
+From 82885423eac8826a9aae172e92e3e9b21da20a9c Mon Sep 17 00:00:00 2001
+From: Christian Hesse <mail@eworm.de>
+Date: Wed, 1 Jan 2025 22:30:45 +0100
+Subject: [PATCH 4/4] create a fully locked system account
+
+https://github.com/systemd/systemd/blob/v257/NEWS#L767-L777
+https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html#u
+---
+ support-files/sysusers.conf.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/support-files/sysusers.conf.in b/support-files/sysusers.conf.in
+index a975b29476a..e2d1608bc6e 100644
+--- a/support-files/sysusers.conf.in
++++ b/support-files/sysusers.conf.in
+@@ -1 +1 @@
+-u @MYSQLD_USER@ - "MariaDB" @MYSQL_DATADIR@
++u! @MYSQLD_USER@ - "MariaDB" @MYSQL_DATADIR@
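Review bot: The new `u!` line in sysusers.conf.in relies on the fully-locked-account syntax that the commit itself attributes to systemd 257 (the v257 NEWS link in the patch header), but nothing in this commit pins that as a build or runtime requirement; the PKGBUILD hunk only updates the checksum. On a host whose systemd-sysusers predates 257 the line would presumably be rejected as unparseable and the MariaDB account not created at all, which is a worse failure than an unlocked account — worth confirming, and if so declare it, e.g. `depends=(... 'systemd>=257')` in PKGBUILD (its depends array is outside this diff). A one-line comment in the patch description stating the minimum systemd version, `Requires systemd >= 257 for the "u!" (fully locked account) syntax.`, would also make the dependency visible to anyone rebasing the patch series. The remaining hunks in this file are only regenerated From:/Subject:/index: headers and dropped `-- ` trailers, so no further point there.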
diff --git a/PKGBUILD b/PKGBUILD
index fa5cbe0..0369492 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -33,7 +33,7 @@ sha256sums=('41c74391ad5bbbcb131632d70c7d0dbe3acc48e87eaa8718e153b023b69a73ee'
             'SKIP'
             'SKIP'
             'SKIP'
-            '08c2c661159f4a7c54a764bb13459e37cbccdf98a93c2cf151d53f600f1fa35d')
+            'cb22088c50f6deea0b3858180514cad905304794e4f1e5752f03702eae10c353')
 
 prepare() {
   cd mariadb/