From edd10c12f76145decf19f81e9c86ad5ad4a01c0e Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Fri, 17 May 2019 00:13:29 +0200
Subject: [PATCH] nixos/mysql: run as mysql user and group

As we don't need to setup data directories from ExecStartPre= scripts anymore, which required root, but use systemd.tmpfiles.rules instead, everything can be run as just the mysql user.
---
 nixos/doc/manual/release-notes/rl-1909.xml | 11 +++++++++++
 nixos/modules/services/databases/mysql.nix | 2 ++
 2 files changed, 13 insertions(+)

diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
index 60b4a3bc17b6..ef2b1d341893 100644
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -161,6 +161,17 @@
 The hunspellDicts.fr-any dictionary now ships with fr_FR.{aff,dic} which is linked to fr-toutesvariantes.{aff,dic}.
+
+
+
+
+ The mysql service now runs as mysql
+ user. Previously, systemd did execute it as root, and mysql dropped privileges
+ itself.
+ This includes ExecStartPre= and
+ ExecStartPost= phases.
+ To accomplish that, runtime and data directory setup was delegated to
+ RuntimeDirectory and tmpfiles.
+
diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index 7b097e95e14b..97e58fd228f4 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -326,6 +326,8 @@ in
 '';
 serviceConfig = {
+ User = cfg.user;
+ Group = "mysql";
 Type = if hasNotify then "notify" else "simple";
 # /run/mysqld needs to be created in addition to pidDir, as they could point to different locations
 RuntimeDirectory = "mysqld";