diff --git a/cmake/systemd.cmake b/cmake/systemd.cmake
index 404441be747..a093b89f3c8 100644
--- a/cmake/systemd.cmake
+++ b/cmake/systemd.cmake
@@ -57,15 +57,6 @@ MACRO(CHECK_SYSTEMD)
 # ProtectSystem=full prevents it ReadWritePaths=-${MYSQL_DATADIR}\n")
 ENDIF()
- # systemd version 245 (Ubuntu 20.04) and less cannot
- # handle ambient capbilities on non-root processes
- # 247 (Debian 11) is a version afterwards that is known to work.
- IF(LIBSYSTEMD_VERSION VERSION_GREATER_EQUAL 247)
- SET(SYSTEMD_AMBIENT_CAPABILITIES
-"# CAP_IPC_LOCK To allow --memlock to be used as non-root user
-AmbientCapabilities=CAP_IPC_LOCK
-")
- ENDIF()
 MESSAGE_ONCE(systemd "Systemd features enabled")
 ELSE()
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index 7ae0278dc44..f53a0b8ceda 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -47,7 +47,10 @@ PrivateNetwork=false
 User=mysql
 Group=mysql
-@SYSTEMD_AMBIENT_CAPABILITIES@
+# CAP_IPC_LOCK To allow memlock to be used as non-root user
+# These are enabled by default
+AmbientCapabilities=CAP_IPC_LOCK
+
 # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 # does nothing for non-root, not needed if /etc/shadow is u+r # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index 4095f04b800..cb5e885e1aa 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
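Review bot: The `AmbientCapabilities=CAP_IPC_LOCK` line added to mariadb.service.in is now emitted unconditionally, yet nothing next to it records the systemd version the unit assumes; the cmake hunk in this commit deletes both the `VERSION_GREATER_EQUAL 247` gate and the comment saying systemd 245 and older cannot handle ambient capabilities on non-root processes. I would keep that knowledge beside the directive, e.g. `# Needs a systemd that supports ambient capabilities for non-root services (was gated on >= 247)`, so a packager on an older host knows why the service may misbehave. The line `# These are enabled by default` is ambiguous, since it does not say what is enabled or by whom. Because the capability is now granted whether or not memlock is configured, a hint such as `# Set an empty AmbientCapabilities= in a drop-in to drop this if memlock is unused` would help least-privilege deployments. The identical hunk in mariadb@.service.in has the same gaps.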
@@ -177,7 +177,10 @@ PrivateNetwork=false
 ## Package maintainers ##
-@SYSTEMD_AMBIENT_CAPABILITIES@
+# CAP_IPC_LOCK To allow memlock to be used as non-root user
+# These are enabled by default
+AmbientCapabilities=CAP_IPC_LOCK
+
 # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 # does nothing for non-root, not needed if /etc/shadow is u+r # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason