
Re: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]



On 11/12/22 14:09, Daniel Black wrote:
> So what Fedora does is a prep script called at StartPre on their
> systemd service.
> https://src.fedoraproject.org/rpms/mariadb/blob/rawhide/f/mariadb-prepare-db-dir.sh
>
> Which even recently was seen as bloated
> (https://lists.launchpad.net/maria-discuss/msg06376.html).
>
> What could be done is a oneshot
> (https://www.redhat.com/sysadmin/systemd-oneshot-service) service
> before MariaDB/MySQL that does the installation.
> Either installation or startup triggered.
>
> At least on TMPDIR side, the systemd side PrivateTmp is default
> (https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=)
> for at least the oneshot service.
> The option for loading files into MariaDB was the only reason this
> wasn't set in the default MariaDB systemd file.

During today's FreedomBox meet, we have discussed that systemd's PrivateTmp= is a better solution than libpam-tmpdir for FreedomBox at least as systemd makes a cleaner mount isolation between processes instead of managing directories and permissions.

For this reason, we believe that we can stop using libpam-tmpdir if most of the daemons on the system use PrivateTmp=yes. For a while now, FreedomBox has been forcefully adding systemd security features to daemons that don't enable them. Without upstream blessing, we can only do this for smaller applications than something like MariaDB/MySQL due to the testing effort needed.


> How User= systemd directives work with libpam-tmpdir I'm not sure,
> however without a setuid there shouldn't be an invalid TMPDIR env
> variable there.

libpam-tmpdir does not seem to affect systemd's process execution. See the following session on a system with libpam-tmpdir installed:

$ sudo --user mysql /usr/bin/bash -c 'echo TMPDIR=$TMPDIR'
TMPDIR=/tmp/user/119

$ sudo systemd-run --pipe --uid=mysql /usr/bin/bash -c 'echo TMPDIR=$TMPDIR'
Running as unit: run-u30.service
TMPDIR=

$ sudo systemd-run --pipe --property=PrivateTmp=yes --uid=mysql /usr/bin/bash -c 'echo TMPDIR=$TMPDIR'
Running as unit: run-u31.service
TMPDIR=

--
Sunil
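
An added example, not part of the original message: one way to check how many daemons on a system already run with PrivateTmp=yes, the condition the reply above gives for dropping libpam-tmpdir. The function name and the sample unit names are hypothetical, and the sample input is constructed to match the KEY=VALUE block format that `systemctl show` prints.

```shell
#!/bin/sh
# Added example: list services that do not run with PrivateTmp=yes.
# Input format: `systemctl show` property blocks (KEY=VALUE lines, one
# block per unit, blocks separated by an empty line, keys in any order).

# Reads property blocks on stdin and prints the Id of every unit whose
# PrivateTmp value is not "yes". A block with no PrivateTmp line is
# reported too, so a unit is never assumed to be isolated.
units_without_private_tmp() {
    awk -F= '
        function emit() {
            if (id != "" && pt != "yes") print id
            id = ""; pt = ""
        }
        $1 == "Id"         { id = substr($0, 4) }
        $1 == "PrivateTmp" { pt = $2 }
        /^$/               { emit() }
        END                { emit() }
    '
}

# Constructed sample input (hypothetical unit names), so the example
# runs offline without systemd.
sample_show_output() {
    cat <<'EOF'
Id=example-db.service
PrivateTmp=no

PrivateTmp=yes
Id=example-web.service

Id=example-legacy.service
PrivateTmp=no
EOF
}

# On a live system the same function can be fed from systemd directly:
#   systemctl show --property=Id,PrivateTmp '*.service' | units_without_private_tmp
sample_show_output | units_without_private_tmp
```

Units the function reports are the ones that still share the system /tmp and would lose per-user temporary directories if libpam-tmpdir were removed.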
