Geoff Montee (Inactive) added a comment - 2019-07-09 02:25 - edited I tested out the fix for this using tarbuildnum #27339 from hasky for RHEL 7: http://buildbot.askmonty.org/buildbot/builders/kvm-rpm-centos74-amd64/builds/8839 http://hasky.askmonty.org/archive/10.4/build-27339/kvm-rpm-centos74-amd64/rpms/ This issue is not fixed. The associated commits added some code to mysql_install_db, so that the mysql_install_db will chown/chmod auth_pam_tool_dir and auth_pam_tool, so that the directory and executable have the correct owner and perrmissions. But there is a problem with this fix. This fix still leads to failures when: 1.) Upgrading an existing installation. In this case, 10.4's mysql_install_db is never executed to begin with, so the owner and permissions will never be changed. 2.) Upgrading from one 10.4 release to another 10.4 release using RPMs. In this case, the existing auth_pam_tool_dir and auth_pam_tool will be replaced by the contents of the new RPM, so the chown/chmod that was previously done by mysql_install_db will be undone. The root cause of the problem is that these files do not have the correct owner and privileges in the RPM itself. See here: $ sudo rpm -qplv MariaDB-server-10.4.7-1.el7.centos.x86_64.rpm | grep auth_pam -rwxr-xr-x 1 root root 11672 Jul 8 13:34 /usr/lib64/mysql/plugin/auth_pam.so drwx------ 2 root root 0 Jul 8 13:32 /usr/lib64/mysql/plugin/auth_pam_tool_dir -rwxr-xr-x 1 root root 11248 Jul 8 13:34 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool -rwxr-xr-x 1 root root 11664 Jul 8 13:34 /usr/lib64/mysql/plugin/auth_pam_v1.so This issue will not be fixed until the files have the proper owner and permissions in the RPM. Otherwise, any owner and privileges changes will just be undone anytime the server RPM is upgraded, and the files are replaced. If we can't figure out how to fix the owner and permissions in the RPM itself, then we may also be able to fix them in the RPM's postin script: https://github.com/MariaDB/server/blob/mariadb-10.4.6/support-files/rpm/server-postin.sh

Sergei Golubchik added a comment - 2019-07-09 08:16 - edited This seems to be version specific In centos7 auth_pam_tool is indeed not suid root in the rpm, in centos6, rhel6, fedoras, suse — everywhere else it is suid inside the rpm

Sergei Golubchik added a comment - 2019-07-10 08:40 - edited It's a bug in rpm-build. In particular, see https://github.com/rpm-software-management/rpm/blob/rpm-4.16.1.3/tools/sepdebugcrcfix.c#L360 This line is there at least as of version 4.12.90. CentOS7 (even after yum upgrade rpm-build ) has 4.11.3-35, which does not have that line. I suppose our only option for now is to fix privileges in a postin scriptlet.

pgnd added a comment - 2021-04-24 23:55 - edited serg GeoffMontee has this been fixed/resolved for general use in downstream packaging? I'm seeing the following with 10.5.9 rpm pkgs on Fedora 33; unclear whether this is (still) an MDB issue, or simply packaging. [EDIT: It appears to be an issue @RH, and I suspect therefore @Fedora. Bug 1936842 - mariadb:10.5/mariadb: Review permissions of auth_pam_tool and auth_pam_tool_dir https://bugzilla.redhat.com/show_bug.cgi?id=1936842 ] on a clean install of grep PRETTY /etc/os-release PRETTY_NAME="Fedora 33 (Thirty Three)" distro-pkg installed mysqld --version mysqld Ver 10.5.9-MariaDB for Linux on x86_64 (MariaDB Server) clean installing rm -rf /home/dev/data/mariadb /usr/bin/mysql_install_db \ --user=mysql \ --defaults-file=/usr/local/etc/mariadb/my.cnf \ --auth-root-authentication-method=socket \ --datadir=/home/dev/data/mariadb \ --skip-test-db reports chown: cannot access '/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool': No such file or directory Couldn't set an owner to '/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool'. It must be root, the PAM authentication plugin doesn't work otherwise..   Installing MariaDB/MySQL system tables in '/home/dev/data/mariadb' ... OK ... referencing MDEV-19876 https://seclists.org/oss-sec/2020/q1/57 checking ls -ald /usr/lib64/mariadb/plugin/auth_pam_tool_dir drwx------ 2 mysql mysql 4.0K Apr 24 19:01 /usr/lib64/mariadb/plugin/auth_pam_tool_dir/ exec'ing, per above ( MDEV-19876 ) systemctl stop mariadb chmod 0755 /usr/lib64/mariadb/plugin/auth_pam_tool_dir/ but ls -al /usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool ls: cannot access '/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool': No such file or directory so, of course, chmod 4755 /usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool chmod: cannot access '/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool': No such file or directory with just the available change, simply repeating the install rm -rf /home/dev/data/mariadb /usr/bin/mysql_install_db \ --user=mysql \ --defaults-file=/usr/local/etc/mariadb/my.cnf \ --auth-root-authentication-method=socket \ --datadir=/home/dev/data/mariadb \ --skip-test-db still reports chown: cannot access '/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool': No such file or directory Couldn't set an owner to '/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool'. It must be root, the PAM authentication plugin doesn't work otherwise..   Installing MariaDB/MySQL system tables in '/home/dev/data/mariadb' ... OK ...

Luke (Inactive) added a comment - 2022-02-15 08:20 pgnd , I checked Mariadb Enterprise version 10.5.9 and 10.7.3 community from the repo for centos7. I believe you're getting those errors because the directories are: /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool not /usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool