  1. MariaDB Server
  2. MDEV-25126

PAMv2 plugin files do not have correct permissions



    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.5.9
    • Fix Version/s: 10.5
    • Component/s: Packaging, Plugin - pam, Server
    • Labels:
    • Environment:
      RHEL 8; MariaDB upstream RPMs


      The directory


      and the SUID-to-root binary


      do not have correct permissions.
      (While they do work, it is IMO not an ideal setup)

      The current permissions are:
      directory mysql:root 700
      binary root:root 4755

      The directory permissions allow an unprivileged user 'mysql' to tamper with the SUID-to-root binary inside the directory.
      In general, all SUID-to-someone binaries / scripts should be only changeable by the someone.

      The following facts should be taken into consideration:

      Normally, files not specific to a certain user should be owned by root:root with the desired permissions.
      If the goal was to restrict access to the directory for the 'mysql' user exclusively, the ideal configuration would be: root:mysql 750

      If the binary can't be accessed by other users, such other users won't be able to use the PAMv2 server plugin when running their own server.
      (e.g. when calling the mysqld directly with all of the needed arguments pointing to somewhere in their home dir)

      Is such a use case expected or supported?

      I guess no one complained yet, so the more restrictive approach is probably fine.

      I'd say it would be more expected to have the desired restrictions applied on the binary itself, rather than the directory only.
      It IMO expresses better the fact that the issue is with the binary itself.

      There is probably no need to have the restriction on both the directory and the binary.


      If restriction to other users was NOT intended, I'd go with:
      directory root:root 755
      binary root:root 4755
      (none restricted)

      Else if restriction was intended, I'd go preferably with:
      directory root:root 755
      binary root:mysql 4750
      (only the binary restricted)

      directory root:mysql 750
      binary root:mysql 4750
      (both the directory and the binary restricted)

      Rather than:
      directory root:mysql 750
      binary root:root 4755
      (only the directory restricted)

      But NOT the current:
      directory mysql:root 700
      binary root:root 4755
      (only the directory wrongly restricted)

      What is the opinion of @otto as for Debian packaging?
      (or @Otto or @Otto Kekäläinen or @Otto_Kekäläinen or @OttoKekäläinen ... never figured out how to properly mention someone in here ...)

      While we are talking about PAMv2 plugin, I agree that MDEV-23628 might deserve a better error message.




            serg Sergei Golubchik
            mschorm Michal Schorm
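
An added example, not part of the original report or of MariaDB's packaging: a Python check that walks from a SUID binary up to `/` and reports every path component that an account other than root or the SUID owner can modify, run against the five directory/binary layouts listed in the report. The path `/opt/example/pam_tool_dir/pam_tool`, uid/gid 27 for `mysql` and all function names are constructed for illustration.

```python
import os
import stat
from collections import namedtuple

# Constructed stand-in for os.stat_result, so the check runs on sample data.
Meta = namedtuple("Meta", "st_uid st_gid st_mode")

MYSQL = 27                                # constructed uid/gid for 'mysql'
SAMPLE_DIR = "/opt/example/pam_tool_dir"  # placeholder path, not from the report
SAMPLE_BIN = SAMPLE_DIR + "/pam_tool"

def tamper_findings(binary, lstat=os.lstat):
    """For a SUID binary, list every path component (the binary itself or an
    ancestor directory) that someone other than root or the SUID owner can
    modify. Returns [] for a clean layout or a non-SUID file."""
    binary = os.path.abspath(binary)
    target = lstat(binary)
    if not target.st_mode & stat.S_ISUID:
        return []
    trusted = {0, target.st_uid}
    findings, path = [], binary
    while True:
        meta = lstat(path)
        mode = meta.st_mode
        # In a sticky directory only an entry's owner or the directory owner
        # may remove the entry, so group/other write bits are tolerated there.
        sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
        if meta.st_uid not in trusted:
            # The owner can always chmod the object, whatever the mode says.
            findings.append((path, f"owned by uid {meta.st_uid}"))
        if mode & stat.S_IWGRP and meta.st_gid != 0 and not sticky_dir:
            findings.append((path, f"writable by gid {meta.st_gid}"))
        if mode & stat.S_IWOTH and not sticky_dir:
            findings.append((path, "world-writable"))
        parent = os.path.dirname(path)
        if parent == path:
            return findings
        path = parent

def check(dir_owner, dir_group, dir_mode, bin_group, bin_mode):
    """Audit one constructed layout; all other ancestors are root:root 755."""
    table = {SAMPLE_DIR: Meta(dir_owner, dir_group, stat.S_IFDIR | dir_mode),
             SAMPLE_BIN: Meta(0, bin_group, stat.S_IFREG | bin_mode)}
    root_dir = Meta(0, 0, stat.S_IFDIR | 0o755)
    return tamper_findings(SAMPLE_BIN, lambda p: table.get(p, root_dir))
```

Calling `tamper_findings()` with a real path uses `os.lstat`, so the same check can be pointed at an installed SUID binary.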