Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-19876

pam v2: auth_pam_tool_dir and auth_pam_tool permissions are wrong in RPMs

    XMLWordPrintable

Details

    Description

      The permissions of auth_pam_tool_dir and auth_pam_tool are wrong in MariaDB 10.4. These are used by version 2 of the pam plugin.

      If you run mysqld with strace, then you can see the failure. For example, start mysqld:

      mkdir strace
      		 
      sudo strace -o ./strace/mysqld_strace.log -ff /usr/sbin/mysqld --user=mysql --datadir=/var/lib/mysql &

      And then try to authenticate as an account that uses pam v2 (while using the workaround for MDEV-19807):

      $ mysql -u alice --plugin-dir=/usr/lib64/mysql/plugin
      		 
      ERROR 1045 (28000): Access denied for user 'alice'@'localhost' (using password: NO)

      The strace output shows why this failed:

      ./strace/mysqld_strace.log.4451:execve("/usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool", ["/usr/lib64/mysql/plugin/auth_pam"...], [/* 17 vars */]) = -1 EACCES (Permission denied)

      The problem seems to be with the permissions of the /usr/lib64/mysql/plugin/auth_pam_tool_dir/ directory:

      $ sudo ls -ld /usr/lib64/mysql/plugin/auth_pam_tool_dir/
      		 
      drwx------. 2 root root 27 Jun 22 02:43 /usr/lib64/mysql/plugin/auth_pam_tool_dir/

      You can workaround this by executing the following:

      sudo chmod 0755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/

      It looks like permissions of auth_pam_tool are also wrong:

      $ sudo ls -l /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
      		 
      -rwxr-xr-x. 1 root root 11248 Jun 17 23:57 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool

      To workaround this, you need to add the setuid bit:

      sudo chmod 4755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. MDEV-20205 mysql_install_db shouldn't execute chown

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          is caused by

          Task - A task that needs to be done. MDEV-7032 new pam plugin with a suid wrapper

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Task - A task that needs to be done. MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          relates to

          Task - A task that needs to be done. MDEV-19850 per-plugin install/uninstall scriptlets

          • Major - Major loss of function.
          • Stalled

          Task - A task that needs to be done. MDEV-19877 pam v2: auth_pam_tool input format is not user friendly for debugging

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19878 pam v2: pam password authentication doesn't work at all

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19879 server can send empty error message to client with pam_use_cleartext_plugin

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19880 pam v1: pam password authentication doesn't work at all in MariaDB 10.4

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19881 pam plugin from MariaDB 10.3 doesn't work with MariaDB 10.4

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19807 MariaDB client plugin path is wrong

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19882 pam v2: auth_pam_tool truncates passwords that are not null-terminated

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. MDEV-19898 PAM plugin testing

          • Major - Major loss of function.
          • Stalled

          Bug - A problem which impairs or prevents the functions of the product. MDEV-22459 pam v2 should log an error if auth_pam_tool exec fails

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-22482 pam v2: mysql_upgrade doesn't fix the ownership/privileges of auth_pam_tool

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Activity

            People

              serg Sergei Golubchik
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.