MariaDB Server
MDEV-14838

PAM authentication requires mysql user to be in the shadow group

Details

    Description

      I need to add the mysql user to the shadow group in order to get PAM authentication to work.

      I tried with 10.1.30 (that comes with the Debian release I installed).

      I also installed 10.2.11 from the MariaDB repository without luck. I still need to add mysql to the shadow group to get PAM authentication to work.

      Is there a safer way to proceed?

      Many thanks.

      Marc

          Activity

            elenst Elena Stepanova added a comment -

            Here is a note from PAM plugin documentation:

            Note: if you configure PAM to use pam_unix.so (as in the above example) and notice that MariaDB needs to run as a root user to be able to access /etc/shadow — try to upgrade your PAM installation. Newer versions of PAM do not require pam_unix.so to be run as root.

            It doesn't talk about MariaDB server / plugin versions, but about the version of PAM itself. Did you try to upgrade it?

            ballatom Marc BALLAT added a comment - edited

            Hi Elena,

            I downloaded the source code for PAM 1.3.0, did configure, make and make install but I still get:
            /lib/x86_64-linux-gnu/libpam.so.0 -> libpam.so.0.83.1
            I need to try harder

            ballatom Marc BALLAT added a comment -

            I found a more detailed guide explaining how to compile PAM here.

            I am confused about the PAM version number as downloaded from www.linux-pam.org and the version of the library (libpam.so.0.83.1). Would you have more information on the version number of libpam that is considered recent enough to be able to use PAM without adding mysql to shadow?

            Thanks in advance.

            Marc


            serg Sergei Golubchik added a comment -

            There are two issues here. In old PAM versions, one needed to be root to read the password from /etc/shadow.
            This was fixed when PAM introduced the /sbin/unix_chkpwd wrapper; it's suid and pam_unix.so invokes it, instead of reading /etc/shadow directly.

            Still, unix_chkpwd verifies that you're root or you're checking the password for yourself (that is, for $UID); it does not allow arbitrary password checks (to prevent password brute forcing, presumably).

            And MariaDB is still subject to this limitation. MDEV-7032 could be one possible solution.
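
            The two conditions discussed above (the mysql account having been added to the shadow group as a workaround, and the presence of the setuid unix_chkpwd helper that newer PAM uses) can be audited with a small POSIX sh script. This is an added example, not code from the issue or from the MariaDB project; the paths /etc/group and /sbin/unix_chkpwd are assumed Debian defaults, and the file arguments exist so it can run against constructed sample files.

```shell
#!/bin/sh
# Added audit helper (not part of MariaDB or its PAM plugin).
# Assumed default paths: /etc/group for group membership and
# /sbin/unix_chkpwd for the setuid PAM password helper.

# user_in_group USER GROUP [GROUPFILE]
# Returns 0 if USER is listed in GROUP's member field (field 4 of /etc/group).
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "${3:-/etc/group}"
}

# helper_is_suid [HELPER]
# Returns 0 if the PAM helper exists with the setuid bit set, i.e. pam_unix.so
# can delegate password verification instead of reading /etc/shadow itself.
helper_is_suid() {
    [ -u "${1:-/sbin/unix_chkpwd}" ]
}

# audit_pam_setup USER GROUPFILE HELPER
# Prints one line per finding; returns 0 only when USER has no direct
# /etc/shadow access via the shadow group.
audit_pam_setup() {
    rc=0
    if user_in_group "$1" shadow "$2"; then
        echo "WARN: $1 is in the shadow group (direct /etc/shadow read access)"
        rc=1
    else
        echo "OK: $1 is not in the shadow group"
    fi
    if helper_is_suid "$3"; then
        echo "OK: setuid helper present at $3"
    else
        echo "WARN: no setuid helper at $3; old PAM, pam_unix.so needs root"
    fi
    return $rc
}

# Constructed sample /etc/group content showing the workaround in this issue.
SAMPLE_GROUP=$(mktemp)
printf 'root:x:0:\nshadow:x:42:mysql\nmysql:x:106:\n' > "$SAMPLE_GROUP"
audit_pam_setup mysql "$SAMPLE_GROUP" /sbin/unix_chkpwd || true
rm -f "$SAMPLE_GROUP"
```

Run it against the live system by passing /etc/group and /sbin/unix_chkpwd; a WARN on the first line means the workaround from this issue is in place.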

            elenst Elena Stepanova added a comment -

            According to the comment above, it should be tracked further in the scope of MDEV-7032.
