suzanne.soy/nixpkgs
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

nixos/mysql: run as mysql user and group

Browse Source 
As we don't need to setup data directories from ExecStartPre= scripts
anymore, which required root, but use systemd.tmpfiles.rules instead,
everything can be run as just the mysql user.
This commit is contained in:
Florian Klink 2019-05-17 00:13:29 +02:00
parent 25494cc193
commit edd10c12f7
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
nixos/doc/manual/release-notes/rl-1909.xml
View File

@ -161,6 +161,17 @@
The <literal>hunspellDicts.fr-any</literal> dictionary now ships with <literal>fr_FR.{aff,dic}</literal> The <literal>hunspellDicts.fr-any</literal> dictionary now ships with <literal>fr_FR.{aff,dic}</literal>
which is linked to <literal>fr-toutesvariantes.{aff,dic}</literal>. which is linked to <literal>fr-toutesvariantes.{aff,dic}</literal>.
</para> </para>
</listitem>
<listitem>
<para>
The <literal>mysql</literal> service now runs as <literal>mysql</literal>
user. Previously, systemd did execute it as root, and mysql dropped privileges
itself.
This includes <literal>ExecStartPre=</literal> and
<literal>ExecStartPost=</literal> phases.
To accomplish that, runtime and data directory setup was delegated to
RuntimeDirectory and tmpfiles.
</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>

2
nixos/modules/services/databases/mysql.nix
View File

@ -326,6 +326,8 @@ in
''; '';
serviceConfig = { serviceConfig = {
User = cfg.user;
Group = "mysql";
Type = if hasNotify then "notify" else "simple"; Type = if hasNotify then "notify" else "simple";
# /run/mysqld needs to be created in addition to pidDir, as they could point to different locations # /run/mysqld needs to be created in addition to pidDir, as they could point to different locations
RuntimeDirectory = "mysqld"; RuntimeDirectory = "mysqld";