[debian-mysql] Bug#1117874: mariadb-server: UMask has no effect on UNIX socket permissions (always 0777) of /run/mysqld/mysqld.sock
Aaron Schaal
112358 at gmx.net
Sat Oct 11 23:31:25 BST 2025
Package: mariadb-server
Version: 1:11.8.3-0+deb13u1
Severity: important
X-Debbugs-Cc: 112358 at gmx.net
Dear Maintainer,
I have observed that the UNIX socket `/run/mysqld/mysqld.sock` is **always created with permissions 0777 (srwxrwxrwx)**, regardless of the `UMask` setting in the systemd unit or the shell environment.
What led up to the situation?
- After installing MariaDB 11.8.3-0+deb13u1 on Debian 13.1 (Trixie), I noticed that the socket permissions are always 0777 after every (re)start.
- The systemd unit at `/lib/systemd/system/mariadb.service` sets `UMask=007` by default (only three digits!), but this setting has **no effect at all** on the socket file's permissions.
- There was **no custom configuration**, neither on my physical server nor in my WSL environment.
What exactly did you do (or not do) that was effective (or ineffective)?
- On both systems, I used the default installation and unit files.
- I restarted MariaDB via systemd with the default unit (UMask=007) — socket is 0777.
- I set UMask=0027 and UMask=077 (and tried various other values) in an override unit, did `systemctl daemon-reload` and restart — socket is still 0777.
- I manually started the daemon via `mysqld_safe` with different umask settings in the shell — always 0777.
- I verified this on **two independent systems**:
  1. A physical Debian 13.1 server
  2. A completely fresh WSL Debian 13.1 environment

  → Both show exactly the same behavior, with **no manual configuration changes**.
What was the outcome of this action?
- In all cases, the socket was always created with mode 0777 (srwxrwxrwx).
- Restricting access via UMask in the unit file, or at the shell, had no effect.
What outcome did you expect instead?
- That the UNIX socket permissions would respect the `UMask` setting in the systemd unit (e.g. 0770 or 0660), as is best practice for multi-user systems and as set by other daemons (Postgres, Redis, Dovecot, ...).
Other notes:
- This is a significant security and policy issue:
  - The current setup allows **all local users** to connect to the socket file, even if not in the `mysql` group.
  - It contradicts the intention of the systemd unit (which sets UMask=007 **by default**).
  - There is **no documentation** warning of this behavior.
- The behavior is **identical** across different environments and fresh installations.
- There is currently no way to configure the UNIX socket file permissions via any MariaDB option (my.cnf, mysqld), nor via the systemd service unit or UMask. The file mode is always set to 0777 and cannot be changed or restricted by any documented setting.
References:
- This issue has a long-standing history upstream:
  - See [MySQL Bug #15105 (2005): mysqld ignores umask when creating its unix socket](https://bugs.mysql.com/bug.php?id=15105)
    (The bug was marked "by design" years ago, but this is now a security and policy issue in modern multi-user setups.)
System Information:
- Debian Release: 13.1 (Trixie)
- MariaDB Version: 11.8.3-0+deb13u1
- systemd unit: /lib/systemd/system/mariadb.service (UMask=007, default!)
- AppArmor: enabled
- Tested on:
  - Physical server (no custom config)
  - WSL Debian environment (brand new, no manual config)
-- System Information:
Debian Release: 13.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.48+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages mariadb-server depends on:
ii adduser 3.152
ii debconf [debconf-2.0] 1.5.91
ii galera-4 26.4.23-0+deb13u1
ii gawk 1:5.2.1-2+b1
ii init-system-helpers 1.69~deb13u1
ii iproute2 6.15.0-1
ii libc6 2.41-12
ii libdbi-perl 1.647-1
ii libgcc-s1 14.2.0-19
ii libpam0g 1.7.0-5
ii libssl3t64 3.5.1-1+deb13u1
ii libstdc++6 14.2.0-19
ii lsof 4.99.4+dfsg-2
ii mariadb-client 1:11.8.3-0+deb13u1
ii mariadb-common 1:11.8.3-0+deb13u1
ii mariadb-server-core 1:11.8.3-0+deb13u1
ii passwd 1:4.17.4-2
ii perl 5.40.1-6
ii procps 2:4.0.4-9
ii psmisc 23.7-2
ii rsync 3.4.1+ds1-5
ii socat 1.8.0.3-1
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
Versions of packages mariadb-server recommends:
ii libhtml-template-perl 2.97-2
ii mariadb-plugin-provider-bzip2 1:11.8.3-0+deb13u1
ii mariadb-plugin-provider-lz4 1:11.8.3-0+deb13u1
ii mariadb-plugin-provider-lzma 1:11.8.3-0+deb13u1
ii mariadb-plugin-provider-lzo 1:11.8.3-0+deb13u1
ii mariadb-plugin-provider-snappy 1:11.8.3-0+deb13u1
ii pv 1.9.31-1
Versions of packages mariadb-server suggests:
ii mailutils [mailx] 1:3.19-1
pn mariadb-test <none>
pn netcat-openbsd <none>
-- Configuration Files:
/etc/mysql/mariadb.conf.d/50-server.cnf [file not found]
-- debconf-show failed
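
An added example, not part of the original report and not MariaDB or Debian code: it shows what `bind()` on an AF_UNIX path does under a given umask (the behaviour the report expected from `UMask=007`) and a stat-based check for the reported condition, a socket that users outside owner and group can connect to. The function names, the temporary directory and the 0755 directory mode are assumptions made for the demonstration.

```python
import os
import socket
import stat
import tempfile


def bind_with_umask(path, mask):
    """Bind an AF_UNIX listener at `path` under `mask`; return the file's mode bits."""
    old = os.umask(mask)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)  # Linux creates the socket file as 0777 & ~umask
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        srv.close()     # closing does not unlink the socket file
        os.umask(old)


def audit_socket(path):
    """Report whether users outside owner/group can connect() to the socket.

    On Linux, connect() needs write permission on the socket file and
    search (x) permission on the directory that contains it. Only the
    immediate parent directory is checked here.
    """
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a UNIX socket")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    sock_open = bool(st.st_mode & stat.S_IWOTH)
    dir_open = bool(parent.st_mode & stat.S_IXOTH)
    return {"mode": oct(stat.S_IMODE(st.st_mode)),
            "world_connectable": sock_open and dir_open}


def demo():
    """Constructed scenario: two sockets in a temp dir, not a real MariaDB socket."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)  # assumption: runtime directory searchable by all users
        for label, mask in (("umask_007", 0o007), ("umask_000", 0o000)):
            p = os.path.join(d, label + ".sock")
            bind_with_umask(p, mask)
            results[label] = audit_socket(p)
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

`audit_socket()` can be pointed at the socket path from the report to check a running host after each restart or unit override.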