  1. MariaDB Server
  2. MDEV-25126

PAMv2 plugin files does not have correct permissions

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.5.9
    • Fix Version/s: 10.5
    • Component/s: Packaging, Plugin - pam, Server
    • Labels:
      None
    • Environment:
      RHEL 8; MariaDB upstream RPMs
      MariaDB-server-10.5.9-1.el8.x86_64

      Description

      The directory

       /usr/lib64/mysql/plugin/auth_pam_tool_dir 

      and the SUID-to-root binary

      /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool

      do not have correct permissions.
      (While they do work, it is IMO not an ideal setup)


      The current permissions are:
      directory mysql:root 700
      binary root:root 4755

      The directory permissions allow an unprivileged user 'mysql' to tamper with the SUID-to-root binary inside the directory.
      In general, all SUID-to-someone binaries / scripts should be only changeable by the someone.


      The following facts should be taken into consideration:

      1/
      Normally, files not specific to a certain user should be owned by root:root with the desired permissions.
      If the goal was to restrict access to the directory for the 'mysql' user exclusively, the ideal configuration would be: root:mysql 750

      2/
      If the binary can't be accessed by other users, such other users won't be able to use the PAMv2 server plugin when running their own server.
      (e.g. when calling the mysqld directly with all of the needed arguments pointing to somewhere in their home dir)

      Is such a use case expected or supported?

      I guess no one complained yet, so the more restrictive approach is probably fine.

      3/
      I'd say it would be more expected to have the desired restrictions applied on the binary itself, rather than the directory only.
      It IMO expresses better the fact that the issue is with the binary itself.

      There is probably no need to have the restriction on both the directory and the binary.


      Conclusion:

      If restriction to other users was NOT intended, I'd go with:
      directory root:root 755
      binary root:root 4755
      (none restricted)

      Else if restriction was intended, I'd go preferably with:
      directory root:root 755
      binary root:mysql 4750
      (only the binary restricted)

      Or
      directory root:mysql 750
      binary root:mysql 4750
      (both the directory and the binary restricted)

      Rather than:
      directory root:mysql 750
      binary root:root 4755
      (only the directory restricted)

      But NOT the current:
      directory mysql:root 700
      binary root:root 4755
      (only the directory wrongly restricted)


      What is the opinion of @otto as for Debian packaging?
      (or @Otto or @Otto Kekäläinen or @Otto_Kekäläinen or @OttoKekäläinen ... never figured out how to properly mention someone in here ...)


      While we are talking about PAMv2 plugin, I agree that MDEV-23628 might deserve a better error message.
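
The ownership rule stated in the report can be checked mechanically. The following is an added example, not part of the original report or of MariaDB's packaging; the function names and the uid 989 used for 'mysql' are constructed for illustration. It evaluates a set-uid binary together with its parent directory and is applied to the layouts listed above:

```python
import os
import stat

ROOT_UID = 0
MYSQL_UID = 989  # constructed placeholder; the real uid of 'mysql' varies per host


def evaluate(dir_uid, dir_mode, bin_uid, bin_mode):
    """Return findings for a set-uid binary and the directory that holds it."""
    findings = []
    if not bin_mode & stat.S_ISUID:
        return findings  # rule only applies to set-uid files
    # Only root or the account the binary runs as should control the directory.
    # The directory owner can always rename or unlink entries (or chmod the
    # directory to regain write access), so ownership matters whatever the mode.
    if dir_uid not in (ROOT_UID, bin_uid):
        findings.append(
            "directory owned by uid %d, which can rename or unlink the "
            "set-uid binary (owner uid %d)" % (dir_uid, bin_uid))
    # Conservative: group/other write without the sticky bit lets those
    # accounts change directory entries as well.
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH) and not dir_mode & stat.S_ISVTX:
        findings.append("directory is group/other writable without sticky bit")
    if bin_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("set-uid binary is group/other writable")
    return findings


def audit_path(binary):
    """Apply evaluate() to a real file and its parent directory."""
    b = os.stat(binary)
    d = os.stat(os.path.dirname(os.path.abspath(binary)))
    return evaluate(d.st_uid, d.st_mode, b.st_uid, b.st_mode)


# Layouts from the report as (directory owner uid, directory mode, binary mode);
# the binary is owned by root in every case.
LAYOUTS = {
    "current (mysql:root 700 / 4755)": (MYSQL_UID, 0o700, 0o4755),
    "none restricted (root:root 755 / 4755)": (ROOT_UID, 0o755, 0o4755),
    "binary restricted (root:root 755 / 4750)": (ROOT_UID, 0o755, 0o4750),
    "both restricted (root:mysql 750 / 4750)": (ROOT_UID, 0o750, 0o4750),
}

if __name__ == "__main__":
    for name, (d_uid, d_mode, b_mode) in LAYOUTS.items():
        result = evaluate(d_uid, d_mode, ROOT_UID, b_mode)
        print(name, "->", result or "ok")
```

On an installed system, `audit_path("/usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool")` runs the same check against the real files.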

            People

            Assignee:
            serg Sergei Golubchik
            Reporter:
            mschorm Michal Schorm