Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-15473

Isolate/sandbox PAM modules, so that they can't crash the server

Details

    • 10.4.0-1

    Description

      Buggy PAM modules can currently crash the server. See MDEV-10361 for example. Should auth_pam isolate PAM modules somehow to prevent problems like this from taking down the whole server? Is it feasible for auth_pam to use sandboxes for PAM modules, or would that cripple performance and slow down authentication too much?

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19876 pam v2: auth_pam_tool_dir and auth_pam_tool permissions are wrong in RPMs

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Task - A task that needs to be done. MDEV-19877 pam v2: auth_pam_tool input format is not user friendly for debugging

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19878 pam v2: pam password authentication doesn't work at all

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19880 pam v1: pam password authentication doesn't work at all in MariaDB 10.4

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19881 pam plugin from MariaDB 10.3 doesn't work with MariaDB 10.4

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19882 pam v2: auth_pam_tool truncates passwords that are not null-terminated

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-21385 PAM v2 plugin produces lots of zombie processes

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-22459 pam v2 should log an error if auth_pam_tool exec fails

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-22482 pam v2: mysql_upgrade doesn't fix the ownership/privileges of auth_pam_tool

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MXS-2633 Pam authentication doesn't work with server 10.4

          • Major - Major loss of function.
          • Closed
          is blocked by

          Task - A task that needs to be done. MDEV-7032 new pam plugin with a suid wrapper

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-16813 Document PAM updates

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. MDEV-18311 Change default PAM service name to mariadb

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. MXS-3753 Add option to run PAM authentication in a suid sanbox

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-10361 auth_pam + RSA SecurID PAM module + SQLyog causes server crash

          • Major - Major loss of function.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            View 6 older comments
            serg Sergei Golubchik added a comment -

            still need to check that filesystem permissions on the new directory is set correctly

            and minor cleanup in tests.

            serg Sergei Golubchik added a comment - still need to check that filesystem permissions on the new directory is set correctly and minor cleanup in tests.
            holyfoot Alexey Botchkov added a comment -

            http://lists.askmonty.org/pipermail/commits/2018-July/012680.html

            holyfoot Alexey Botchkov added a comment - http://lists.askmonty.org/pipermail/commits/2018-July/012680.html
            holyfoot Alexey Botchkov added a comment -

            http://lists.askmonty.org/pipermail/commits/2018-July/012691.html

            holyfoot Alexey Botchkov added a comment - http://lists.askmonty.org/pipermail/commits/2018-July/012691.html
            holyfoot Alexey Botchkov added a comment -

            http://lists.askmonty.org/pipermail/commits/2018-July/012692.html

            holyfoot Alexey Botchkov added a comment - http://lists.askmonty.org/pipermail/commits/2018-July/012692.html
            holyfoot Alexey Botchkov added a comment -

            http://lists.askmonty.org/pipermail/commits/2018-July/012698.html

            holyfoot Alexey Botchkov added a comment - http://lists.askmonty.org/pipermail/commits/2018-July/012698.html

            People

              holyfoot Alexey Botchkov
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              5 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.