[debian-mysql] Bug#1117874: mariadb-server: UMask has no effect on UNIX socket permissions (always 0777) of /run/mysqld/mysqld.sock
Aaron Schaal
112358 at gmx.net
Sat Oct 18 00:56:04 BST 2025
Hi,
I'd like to share a robust workaround for anyone affected by this issue:
It is possible to use systemd socket-activation to fully control the
permissions, group and ownership of /run/mysqld/mysqld.sock, avoiding
the default 0777 mode.
This solution was suggested by Daniel Black in the upstream Jira issue:
https://jira.mariadb.org/browse/MDEV-37861
**How-to:**
1. Create or edit the override for mariadb.socket (if you also want mariadb
to listen on port 3306, you don't need to add the `ListenStream` lines):
sudo systemctl edit mariadb.socket
Add these lines:
[Socket]
ListenStream=
ListenStream=/run/mysqld/mysqld.sock
SocketUser=mysql
SocketGroup=mysql
SocketMode=0660
2. Reload systemd and restart (making sure mariadb.service and .socket
are both stopped, and the old socket file is gone):
sudo systemctl daemon-reload
sudo systemctl stop mariadb.service mariadb.socket
sudo rm -f /run/mysqld/mysqld.sock
sudo systemctl enable --now mariadb.socket
sudo systemctl start mariadb.service
3. (Optional, but recommended for clean lifecycle management)
Add the following to the override for mariadb.service
(`sudo systemctl edit mariadb.service`):
[Unit]
BindsTo=mariadb.socket
PartOf=mariadb.socket
After=mariadb.socket
**Result:**
MariaDB now runs with a UNIX socket created as `srw-rw---- mysql mysql`
(or as needed), with no more 0777 exposure.
**Tested on:**
- Debian 13.1 (Trixie), both bare-metal and WSL environments.
**Also documented upstream at:**
https://jira.mariadb.org/browse/MDEV-37861
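An added verification script (not from the bug report, Debian, or the MariaDB project) to confirm the override took effect: it reads the socket's mode, owner and group with GNU coreutils `stat` (assumed; Linux) and fails if any world bits remain or the values differ from the mysql/mysql/0660 configured above.

```shell
#!/bin/sh
# Audit a MariaDB UNIX socket after applying the mariadb.socket override.
# Added example, not from the bug report. Assumes GNU coreutils `stat` (Linux)
# and the values set in the override: owner mysql, group mysql, mode 0660.
# Exit status: 0 = as configured, 1 = permission/ownership mismatch, 2 = missing.

# Print the "others" permission digit of a path's octal mode (e.g. 7 for 0777).
socket_world_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

audit_socket() {
    path="${1:-/run/mysqld/mysqld.sock}"
    want_owner="${2:-mysql}"
    want_group="${3:-mysql}"
    want_mode="${4:-660}"
    want_mode="${want_mode#0}"           # stat prints 660 for mode 0660

    if [ ! -e "$path" ]; then
        echo "MISSING: $path does not exist (is mariadb.socket active?)" >&2
        return 2
    fi
    # A regular file here is a stale leftover, not a listening socket.
    [ -S "$path" ] || echo "WARN: $path is not a socket (stale file?)" >&2

    set -- $(stat -c '%a %U %G' "$path")
    mode=$1 owner=$2 group=$3
    rc=0
    # The original bug: world r/w bits on the socket. Flag any non-zero digit.
    others=$(socket_world_bits "$path")
    [ "$others" = 0 ] || { echo "FAIL: $path is world-accessible (mode $mode)" >&2; rc=1; }
    [ "$mode" = "$want_mode" ] || { echo "FAIL: mode $mode, want $want_mode" >&2; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "FAIL: owner $owner, want $want_owner" >&2; rc=1; }
    [ "$group" = "$want_group" ] || { echo "FAIL: group $group, want $want_group" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $path is $mode $owner:$group"
    return "$rc"
}

# Run only when a path is given, e.g.: sh audit-sock.sh /run/mysqld/mysqld.sock
if [ "$#" -gt 0 ]; then
    audit_socket "$@"
fi
```

Run it as root after step 2 (and again after a reboot) so a regression to 0777 is caught before clients connect.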