nixos/mysql: run as mysql user and group

As we don't need to setup data directories from ExecStartPre= scripts anymore, which required root, but use systemd.tmpfiles.rules instead, everything can be run as just the mysql user.
2019-05-17 00:13:29 +02:00 · 2019-05-17 00:13:29 +02:00 · edd10c12f7
commit edd10c12f7
parent 25494cc193
2 changed files with 13 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@ -161,6 +161,17 @@
      The <literal>hunspellDicts.fr-any</literal> dictionary now ships with <literal>fr_FR.{aff,dic}</literal>
      which is linked to <literal>fr-toutesvariantes.{aff,dic}</literal>.
    </para>
+  </listitem>
+  <listitem>
+    <para>
+      The <literal>mysql</literal> service now runs as <literal>mysql</literal>
+      user. Previously, systemd did execute it as root, and mysql dropped privileges
+      itself.
+      This includes <literal>ExecStartPre=</literal> and
+      <literal>ExecStartPost=</literal> phases.
+      To accomplish that, runtime and data directory setup was delegated to
+      RuntimeDirectory and tmpfiles.
+    </para>
   </listitem>
  </itemizedlist>
 </section>
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@ -326,6 +326,8 @@ in
        '';

        serviceConfig = {
+          User = cfg.user;
+          Group = "mysql";
          Type = if hasNotify then "notify" else "simple";
          # /run/mysqld needs to be created in addition to pidDir, as they could point to different locations
          RuntimeDirectory = "mysqld";