Details
Bug
Status: Open
Major
Resolution: Unresolved
10.5.9
None
RHEL 8; MariaDB upstream RPMs
MariaDB-server-10.5.9-1.el8.x86_64
Description
The directory
/usr/lib64/mysql/plugin/auth_pam_tool_dir
and the SUID-to-root binary
/usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
do not have correct permissions.
(While they do work, it is IMO not an ideal setup)
The current permissions are:
directory mysql:root 700
binary root:root 4755
The directory permissions allow an unprivileged user 'mysql' to tamper with the SUID-to-root binary inside the directory.
In general, all SUID-to-someone binaries / scripts should be only changeable by the someone.
The following facts should be taken into consideration:
1/
Normally, files not specific to a certain user should be owned by root:root with the desired permissions.
If the goal was to restrict access to the directory for the 'mysql' user exclusively, the ideal configuration would be: root:mysql 750
2/
If the binary can't be accessed by other users, such other users won't be able to use the PAMv2 server plugin when running their own server.
(e.g. when calling mysqld directly with all of the needed arguments pointing to somewhere in their home dir)
Is such a use case expected or supported?
I guess no one complained yet, so the more restrictive approach is probably fine.
3/
I'd say it would be more expected to have the desired restrictions applied on the binary itself, rather than the directory only.
It IMO expresses better the fact that the issue is with the binary itself.
There is probably no need to have the restriction on both the directory and the binary.
Conclusion:
If restriction to other users was NOT intended, I'd go with:
directory root:root 755
binary root:root 4755
(none restricted)
Else if restriction was intended, I'd go preferably with:
directory root:root 755
binary root:mysql 4750
(only the binary restricted)
Or
directory root:mysql 750
binary root:mysql 4750
(both the directory and the binary restricted)
Rather than:
directory root:mysql 750
binary root:root 4755
(only the directory restricted)
But NOT the current:
directory mysql:root 700
binary root:root 4755
(only the directory wrongly restricted)
What is the opinion of @otto as for Debian packaging?
(or @Otto or @Otto Kekäläinen or @Otto_Kekäläinen or @OttoKekäläinen ... never figured out how to properly mention someone in here ...)
While we are talking about PAMv2 plugin, I agree that MDEV-23628 might deserve a better error message.
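
Added example (not part of the original report or of MariaDB's packaging): a small Python model of the Unix owner/group/other checks, applied to the five directory/binary layouts listed in the conclusion. For each layout it shows whether a given non-root account can replace the directory entry of the helper or run it. The Perm tuple, the function names and the 'alice' account are assumptions made for illustration.

```python
import os, pwd, grp, stat
from collections import namedtuple

# Illustrative model (not MariaDB code): owner name, group name, octal mode.
Perm = namedtuple("Perm", "owner group mode")

def from_path(path):
    """Build a Perm from a real file or directory, e.g. on an installed system."""
    st = os.stat(path)
    return Perm(pwd.getpwuid(st.st_uid).pw_name,
                grp.getgrgid(st.st_gid).gr_name, stat.S_IMODE(st.st_mode))

def class_bits(p, user, groups):
    """rwx triplet (0-7) that Unix DAC applies to a non-root user."""
    if user == p.owner:
        return (p.mode >> 6) & 7
    if p.group in groups:
        return (p.mode >> 3) & 7
    return p.mode & 7

def audit(directory, binary, user, groups=()):
    """What can non-root `user` do with the SUID helper inside `directory`?"""
    d = class_bits(directory, user, groups)
    # Unlink/rename needs write+search; sticky bit limits it to file or dir owner.
    writable = (d & 3) == 3 and not (
        directory.mode & stat.S_ISVTX and user != binary.owner)
    # A directory owner can always chmod the missing bits back on.
    can_replace = user == directory.owner or writable
    # Running the helper needs search on the directory and execute on the file.
    can_run = bool(d & 1) and bool(class_bits(binary, user, groups) & 1)
    return {"can_replace_entry": can_replace, "can_run": can_run}

# The five layouts from the conclusion above (directory, binary).
LAYOUTS = {
    "none restricted": (Perm("root", "root", 0o755), Perm("root", "root", 0o4755)),
    "binary only":     (Perm("root", "root", 0o755), Perm("root", "mysql", 0o4750)),
    "both":            (Perm("root", "mysql", 0o750), Perm("root", "mysql", 0o4750)),
    "directory only":  (Perm("root", "mysql", 0o750), Perm("root", "root", 0o4755)),
    "current":         (Perm("mysql", "root", 0o700), Perm("root", "root", 0o4755)),
}

def report(user, groups):
    """Audit every layout for one account."""
    return {name: audit(d, b, user, groups) for name, (d, b) in LAYOUTS.items()}

if __name__ == "__main__":
    for account, groups in (("mysql", ("mysql",)), ("alice", ("alice",))):
        for name, result in report(account, groups).items():
            print(f"{account:6} {name:16} {result}")
```

On an installed system, audit(from_path(directory), from_path(binary), "mysql", ("mysql",)) runs the same check against the real paths.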