  1. MariaDB Server
  2. MDEV-22459

pam v2 should log an error if auth_pam_tool exec fails

    Details

      Description

      Version 2 of the pam authentication plugin executes a tool called auth_pam_tool. This happens here:

          memcpy(toolpath, opt_plugin_dir, plugin_dir_len);
          if (plugin_dir_len && toolpath[plugin_dir_len-1] != FN_LIBCHAR)
            toolpath[plugin_dir_len++]= FN_LIBCHAR;
          memcpy(toolpath+plugin_dir_len, tool_name, tool_name_len+1);
       
          PAM_DEBUG((stderr, "PAM: execute pam sandbox [%s].\n", toolpath));
          (void) execl(toolpath, toolpath, NULL);
          PAM_DEBUG((stderr, "PAM: exec() failed.\n"));
          exit(-1);
      

      https://github.com/MariaDB/server/blob/mariadb-10.4.12/plugin/auth_pam/auth_pam.c#L85

      Currently, if the execution of this tool fails, then nothing is logged.

      If you are using a debug build of the plugin and if pam_debug is enabled, then you do get an error message, but it is still not optimal.

      I think we need to make the following changes:

      • An error message should be printed in both release builds and debug builds.
      • The error message should not depend on pam_debug.
      • The error message should contain the errno and/or strerror(errno) for the specific error.
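One way to meet the three requirements listed above, as an added example that is not MariaDB's code and not the fix applied for this issue: the child prints errno and strerror(errno) unconditionally when exec fails. Going slightly beyond the report, it also passes errno to the parent over a close-on-exec pipe so the caller can log it as well. `build_tool_path`, `spawn_tool`, the message text and the path used in `main` are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: join dir and tool, adding '/' only when missing. */
static int build_tool_path(char *out, size_t cap, const char *dir, const char *tool) {
  size_t n = strlen(dir);
  int len = snprintf(out, cap, "%s%s%s", dir, (n && dir[n - 1] != '/') ? "/" : "", tool);
  return (len < 0 || (size_t) len >= cap) ? -1 : 0;
}

/* Hypothetical helper: fork and exec the tool. Returns 0 once exec has
   succeeded (*child is then running), else the errno of the failed step. */
static int spawn_tool(const char *dir, const char *tool, pid_t *child) {
  char path[4096];
  int fds[2], err = 0;
  ssize_t got;
  if (build_tool_path(path, sizeof(path), dir, tool)) return ENAMETOOLONG;
  if (pipe(fds)) return errno;
  if (fcntl(fds[1], F_SETFD, FD_CLOEXEC) || (*child = fork()) < 0) {
    err = errno;
    close(fds[0]); close(fds[1]);
    return err;
  }
  if (*child == 0) {
    close(fds[0]);
    execl(path, path, (char *) NULL);
    err = errno; /* save before any call that may overwrite it */
    /* Unconditional: printed in release builds, independent of pam_debug. */
    fprintf(stderr, "PAM: exec(%s) failed: %s (errno %d)\n", path, strerror(err), err);
    if (write(fds[1], &err, sizeof(err)) < 0) { /* parent still sees exit 127 */ }
    _exit(127);
  }
  close(fds[1]);
  /* EOF means exec succeeded: close-on-exec shut the write end. */
  while ((got = read(fds[0], &err, sizeof(err))) < 0 && errno == EINTR) {}
  close(fds[0]);
  if (got != (ssize_t) sizeof(err)) return 0;
  waitpid(*child, NULL, 0); /* reap the child that failed to exec */
  return err;
}

int main(void) { /* constructed plugin directory that does not exist */
  pid_t pid;
  return spawn_tool("/nonexistent-plugin-dir", "auth_pam_tool", &pid) == ENOENT ? 0 : 1;
}
```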

              People

              Assignee:
              serg Sergei Golubchik
              Reporter:
              GeoffMontee Geoff Montee
