MDEV-19210: do not run pre and post scripts as root

Now that we do not pollute systemd's environment but write private environment files running these as root is not longer required. So let's drop `PermissionsStartOnly=true`. Debian adds extra `ExecStartPre=` and `ExecStartPost=`, though. Use special executable prefix for full privileges there. (See systemd.service(5) for details.)

Author: eworm-de

cmake/systemd.cmake

@@ -50,8 +50,8 @@ MACRO(CHECK_SYSTEMD)
  SET(SYSTEMD_SCRIPTS ${SYSTEMD_SCRIPTS} galera_new_cluster galera_recovery)
  ENDIF()
  IF(DEB)
- SET(SYSTEMD_EXECSTARTPRE "ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld")
- SET(SYSTEMD_EXECSTARTPOST "ExecStartPost=/etc/mysql/debian-start")
+ SET(SYSTEMD_EXECSTARTPRE "ExecStartPre=+/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld")
+ SET(SYSTEMD_EXECSTARTPOST "ExecStartPost=+/etc/mysql/debian-start")
  ENDIF()
 IF(URING_FOUND)
  SET(SYSTEMD_LIMIT "# For liburing and io_uring_setup()

support-files/mariadb.service.in

@@ -68,9 +68,6 @@ ProtectSystem=full
 # Prevent accessing /home, /root and /run/user
 ProtectHome=true
 
-# Execute pre and post scripts as root, otherwise it does it as User=
-PermissionsStartOnly=true
-
 # Use an environment file to pass variable _WSREP_NEW_CLUSTER
 EnvironmentFile=-@mysqlunixdir@/wsrep-new-cluster