Your message dated Thu, 18 Dec 2025 11:39:27 -0800
with message-id
<caou6taavnpjskuk-waowvg76u_0sphtlf+9evrtoyaiixnu...@mail.gmail.com>
and subject line Re: [debian-mysql] Bug#1117874: Bug#1117874: Bug#1117874:
mariadb-server: UMask has no effect on UNIX socket permissions (always 0777) of
/run/mysqld/mysqld.sock
has caused the Debian Bug report #1117874,
regarding mariadb-server: UMask has no effect on UNIX socket permissions
(always 0777) of /run/mysqld/mysqld.sock
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1117874: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117874
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mariadb-server
Version: 1:11.8.3-0+deb13u1
Severity: important
X-Debbugs-Cc: [email protected]
Dear Maintainer,
I have observed that the UNIX socket `/run/mysqld/mysqld.sock` is **always
created with permissions 0777 (srwxrwxrwx)**, regardless of the `UMask` setting
in the systemd unit or the shell environment.
What led up to the situation?
- After installing MariaDB 11.8.3-0+deb13u1 on Debian 13.1 (Trixie), I noticed
that the socket permissions are always 0777 after every (re)start.
- The systemd unit at `/lib/systemd/system/mariadb.service` sets `UMask=007` by
default (only three digits!), but this setting has **no effect at all** on the
socket file's permissions.
- There was **no custom configuration**, neither on my physical server nor in
my WSL environment.
What exactly did you do (or not do) that was effective (or ineffective)?
- On both systems, I used the default installation and unit files.
- I restarted MariaDB via systemd with the default unit (UMask=007) — socket is
0777.
- I set UMask=0027 and UMask=077 (and tried various other values) in an
override unit, did `systemctl daemon-reload` and restart — socket is still 0777.
- I manually started the daemon via `mysqld_safe` with different umask settings
in the shell — always 0777.
- I verified this on **two independent systems**:
  1. A physical Debian 13.1 server
  2. A completely fresh WSL Debian 13.1 environment
  → Both show exactly the same behavior, with **no manual configuration
  changes**.
What was the outcome of this action?
- In all cases, the socket was always created with mode 0777 (srwxrwxrwx).
- Restricting access via UMask in the unit file, or at the shell, had no effect.
What outcome did you expect instead?
- That the UNIX socket permissions would respect the `UMask` setting in the
systemd unit (e.g. 0770 or 0660), as is best practice for multi-user systems
and as set by other daemons (Postgres, Redis, Dovecot, ...).
Other notes:
- This is a significant security and policy issue:
- The current setup allows **all local users** to connect to the socket file,
even if not in the `mysql` group.
- It contradicts the intention of the systemd unit (which sets UMask=007 **by
default**).
- There is **no documentation** warning of this behavior.
- The behavior is **identical** across different environments and fresh
installations.
- There is currently no way to configure the UNIX socket file permissions via
any MariaDB option (my.cnf, mysqld), nor via the systemd service unit or UMask.
The file mode is always set to 0777 and cannot be changed or restricted by any
documented setting.
References:
- This issue has a long-standing history upstream:
  - See [MySQL Bug #15105 (2005): mysqld ignores umask when creating its unix
    socket](https://bugs.mysql.com/bug.php?id=15105)
    (The bug was marked "by design" years ago, but this is now a security and
    policy issue in modern multi-user setups.)
System Information:
- Debian Release: 13.1 (Trixie)
- MariaDB Version: 11.8.3-0+deb13u1
- systemd unit: /lib/systemd/system/mariadb.service (UMask=007, default!)
- AppArmor: enabled
- Tested on:
  - Physical server (no custom config)
  - WSL Debian environment (brand new, no manual config)
-- System Information:
Debian Release: 13.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.48+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages mariadb-server depends on:
ii adduser 3.152
ii debconf [debconf-2.0] 1.5.91
ii galera-4 26.4.23-0+deb13u1
ii gawk 1:5.2.1-2+b1
ii init-system-helpers 1.69~deb13u1
ii iproute2 6.15.0-1
ii libc6 2.41-12
ii libdbi-perl 1.647-1
ii libgcc-s1 14.2.0-19
ii libpam0g 1.7.0-5
ii libssl3t64 3.5.1-1+deb13u1
ii libstdc++6 14.2.0-19
ii lsof 4.99.4+dfsg-2
ii mariadb-client 1:11.8.3-0+deb13u1
ii mariadb-common 1:11.8.3-0+deb13u1
ii mariadb-server-core 1:11.8.3-0+deb13u1
ii passwd 1:4.17.4-2
ii perl 5.40.1-6
ii procps 2:4.0.4-9
ii psmisc 23.7-2
ii rsync 3.4.1+ds1-5
ii socat 1.8.0.3-1
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
Versions of packages mariadb-server recommends:
ii libhtml-template-perl 2.97-2
ii mariadb-plugin-provider-bzip2 1:11.8.3-0+deb13u1
ii mariadb-plugin-provider-lz4 1:11.8.3-0+deb13u1
ii mariadb-plugin-provider-lzma 1:11.8.3-0+deb13u1
ii mariadb-plugin-provider-lzo 1:11.8.3-0+deb13u1
ii mariadb-plugin-provider-snappy 1:11.8.3-0+deb13u1
ii pv 1.9.31-1
Versions of packages mariadb-server suggests:
ii mailutils [mailx] 1:3.19-1
pn mariadb-test <none>
pn netcat-openbsd <none>
-- Configuration Files:
/etc/mysql/mariadb.conf.d/50-server.cnf [file not found]
-- debconf-show failed
--- End Message ---
--- Begin Message ---
Closing in Debian as upstream closed it as "won't fix" and there are
no additional suggestions or requests for Debian-only parts.
--- End Message ---
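
Added example, not part of the bug report and not MariaDB or Debian code: on Linux, a plain bind() of a UNIX socket honours the process umask (the behaviour the report expected). The audit function shows when a 0777 socket is reachable by users outside the owner and group. The temporary directory is a constructed stand-in for /run/mysqld, and umask 0 is used only to reproduce the reported mode; the helper names are hypothetical.

```python
import os
import socket
import stat
import tempfile


def bind_with_umask(path, mask):
    """Bind an AF_UNIX socket at path under the given umask; return its mode bits."""
    old = os.umask(mask)
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(path)  # Linux creates the inode as 0777 & ~umask
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_socket(path):
    """Can users outside owner/group connect? Needs w on the socket and
    x on the containing directory (ancestor directories are not checked)."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a UNIX socket")
    parent = os.path.dirname(os.path.abspath(path))
    sock_mode = stat.S_IMODE(st.st_mode)
    dir_mode = stat.S_IMODE(os.stat(parent).st_mode)
    exposed = bool(sock_mode & stat.S_IWOTH) and bool(dir_mode & stat.S_IXOTH)
    return {"socket": oct(sock_mode), "dir": oct(dir_mode), "other_can_connect": exposed}


def demo():
    """Constructed scenario in a temporary directory; MariaDB is not involved."""
    rundir = os.path.join(tempfile.mkdtemp(), "mysqld")  # stand-in for /run/mysqld
    os.mkdir(rundir)
    os.chmod(rundir, 0o755)
    honoured = bind_with_umask(os.path.join(rundir, "a.sock"), 0o007)
    wide = os.path.join(rundir, "b.sock")
    wide_mode = bind_with_umask(wide, 0o000)  # reproduces the reported 0777
    open_dir = audit_socket(wide)
    os.chmod(rundir, 0o750)  # restrict the directory instead of the socket
    closed_dir = audit_socket(wide)
    return honoured, wide_mode, open_dir, closed_dir


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The last step shows that removing search permission for "other" on the containing directory blocks path resolution to the socket even while the socket itself stays 0777.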