[MDEV-22459] pam v2 should log an error if auth_pam_tool exec fails - Jira

XML

Word

Printable

Version 2 of the pam authentication plugin executes a tool called auth_pam_tool. This happens here:

    memcpy(toolpath, opt_plugin_dir, plugin_dir_len);

    if (plugin_dir_len && toolpath[plugin_dir_len-1] != FN_LIBCHAR)

      toolpath[plugin_dir_len++]= FN_LIBCHAR;

    memcpy(toolpath+plugin_dir_len, tool_name, tool_name_len+1);

    PAM_DEBUG((stderr, "PAM: execute pam sandbox [%s].\n", toolpath));

    (void) execl(toolpath, toolpath, NULL);

    PAM_DEBUG((stderr, "PAM: exec() failed.\n"));

    exit(-1);

Currently, if the execution of this tool fails, then nothing is logged.

If you are using a debug build of the plugin and if pam_debug is enabled, then you do get an error message, but it is still not optimal.

I think we need to make the following changes:

An error message should be printed in both release builds and debug builds.
The error message should not depend on pam_debug.
The error message should contain the errno and/or strerror(errno) for the specific error.

is caused by

MDEV-7032 new pam plugin with a suid wrapper

MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server

relates to

MDEV-19876 pam v2: auth_pam_tool_dir and auth_pam_tool permissions are wrong in RPMs

MDEV-20205 mysql_install_db shouldn't execute chown

MDEV-22482 pam v2: mysql_upgrade doesn't fix the ownership/privileges of auth_pam_tool

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.