Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
10.5, 10.6
-
None
Description
auth_pam_tool should be suid user, 4777.
Since 9d18b624675 this is done by packaging auth_pam_tool already with correct permissions into the rpm.
For example,
$ rpm -qvlp MariaDB-server-10.5.10-1.el8.x86_64.rpm|grep -w auth_pam_tool |
...
|
-rwsr-xr-x 1 root root 12480 May 6 10:29 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool |
same for Fedoras.
But on CentOS 7 it shows rwxr-xr-x. Supposedly rpmbuild strips the SUID bit before packaging the file.
Attachments
Issue Links
- causes
-
-
- Closed
-
Activity
reproduced on centos74-amd64-build image.
actually code running chmod on auth_pam_tool is executed properly.
CPack: - Install component: Server
|
mode of ‘auth_pam_tool_dir’ changed from 0775 (rwxrwxr-x) to 0700 (rwx------)
|
mode of ‘auth_pam_tool_dir/auth_pam_tool’ changed from 0755 (rwxr-xr-x) to 4755 (rwsr-xr-x)
|
it looks like suid bit disappears during debuginfo pkg creation. if CPACK_RPM_DEBUGINFO_PACKAGE is OFF - suid bit is preserved in RPM.
looking for good solution
tested it on different Centos versions, from 7.4 to 7.9 (latest). the result is the same, suid bit is lost if debuginfo is enabled.
the most simple way to solve it is to add chmod call to the %post.
serg does it look reasonable?
Not really. That's what we did before, it was reworked in 9d18b62467 for security reasons.
What's so special in CentOS7, why would it strip suid bit?
kernel drops suid bit on file modification.
[buildbot@centos74-amd64 auth_pam_tool_dir]$ ll
|
-rwsr-xr-x. 1 buildbot buildbot 11264 Aug 25 10:11 auth_pam_tool
|
[buildbot@centos74-amd64 auth_pam_tool_dir]$ cp auth_pam_tool auth_pam_tool2
|
[buildbot@centos74-amd64 auth_pam_tool_dir]$ ll
|
-rwsr-xr-x. 1 buildbot buildbot 11264 Aug 25 10:11 auth_pam_tool
|
-rwxr-xr-x. 1 buildbot buildbot 11264 Aug 25 11:05 auth_pam_tool2 <<<<<<<<<<<<
|
I've freed up some space on the host.