MDEV-19210: do not run pre and post scripts as root

Now that we do not pollute systemd's environment but write private
environment files running these as root is not longer required. So
let's drop `PermissionsStartOnly=true`.

Debian adds extra `ExecStartPre=` and `ExecStartPost=`, though.
Use special executable prefix for full privileges there. (See
systemd.service(5) for details.)

cmake/systemd.cmake

@@ -46,8 +46,8 @@ MACRO(CHECK_SYSTEMD)
         SET(HAVE_SYSTEMD TRUE)
         SET(SYSTEMD_SCRIPTS mariadb-service-convert galera_new_cluster galera_recovery)
         IF(DEB)
-          SET(SYSTEMD_EXECSTARTPRE "ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld")
-          SET(SYSTEMD_EXECSTARTPOST "ExecStartPost=/etc/mysql/debian-start")
+          SET(SYSTEMD_EXECSTARTPRE "ExecStartPre=+/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld")
+          SET(SYSTEMD_EXECSTARTPOST "ExecStartPost=+/etc/mysql/debian-start")
         ENDIF()
         IF(NOT DEB AND NOT RPM)
           SET(SYSTEMD_READWRITEPATH "# Database dir: '${MYSQL_DATADIR}' should be writable even

support-files/mariadb.service.in

@@ -70,9 +70,6 @@ ProtectSystem=full
 # Prevent accessing /home, /root and /run/user
 ProtectHome=true
 
-# Execute pre and post scripts as root, otherwise it does it as User=
-PermissionsStartOnly=true
-
 # Use an environment file to pass variable _WSREP_NEW_CLUSTER
 EnvironmentFile=-@mysqlunixdir@/wsrep-new-cluster-%N