Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-19876

pam v2: auth_pam_tool_dir and auth_pam_tool permissions are wrong in RPMs

    XMLWordPrintable

Details

    Description

      The permissions of auth_pam_tool_dir and auth_pam_tool are wrong in MariaDB 10.4. These are used by version 2 of the pam plugin.

      If you run mysqld with strace, then you can see the failure. For example, start mysqld:

      mkdir strace
      sudo strace -o ./strace/mysqld_strace.log -ff /usr/sbin/mysqld --user=mysql --datadir=/var/lib/mysql &
      

      And then try to authenticate as an account that uses pam v2 (while using the workaround for MDEV-19807):

      $ mysql -u alice --plugin-dir=/usr/lib64/mysql/plugin
      ERROR 1045 (28000): Access denied for user 'alice'@'localhost' (using password: NO)
      

      The strace output shows why this failed:

      ./strace/mysqld_strace.log.4451:execve("/usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool", ["/usr/lib64/mysql/plugin/auth_pam"...], [/* 17 vars */]) = -1 EACCES (Permission denied)
      

      The problem seems to be with the permissions of the /usr/lib64/mysql/plugin/auth_pam_tool_dir/ directory:

      $ sudo ls -ld /usr/lib64/mysql/plugin/auth_pam_tool_dir/
      drwx------. 2 root root 27 Jun 22 02:43 /usr/lib64/mysql/plugin/auth_pam_tool_dir/
      

      You can workaround this by executing the following:

      sudo chmod 0755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/
      

      It looks like permissions of auth_pam_tool are also wrong:

      $ sudo ls -l /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
      -rwxr-xr-x. 1 root root 11248 Jun 17 23:57 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
      

      To workaround this, you need to add the setuid bit:

      sudo chmod 4755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
      

      Attachments

        Issue Links

          Activity

            People

              serg Sergei Golubchik
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.