nixos/mysql: run as mysql user and group

As we don't need to setup data directories from ExecStartPre= scripts
anymore, which required root, but use systemd.tmpfiles.rules instead,
everything can be run as just the mysql user.
This commit is contained in:
Florian Klink 2019-05-17 00:13:29 +02:00
parent 25494cc193
commit edd10c12f7
2 changed files with 13 additions and 0 deletions

View file

@ -162,6 +162,17 @@
which is linked to <literal>fr-toutesvariantes.{aff,dic}</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>mysql</literal> service now runs as <literal>mysql</literal>
user. Previously, systemd did execute it as root, and mysql dropped privileges
itself.
This includes <literal>ExecStartPre=</literal> and
<literal>ExecStartPost=</literal> phases.
To accomplish that, runtime and data directory setup was delegated to
RuntimeDirectory and tmpfiles.
</para>
</listitem>
</itemizedlist>
</section>
</section>

View file

@ -326,6 +326,8 @@ in
'';
serviceConfig = {
User = cfg.user;
Group = "mysql";
Type = if hasNotify then "notify" else "simple";
# /run/mysqld needs to be created in addition to pidDir, as they could point to different locations
RuntimeDirectory = "mysqld";