Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
10.5, 10.6
-
None
Description
auth_pam_tool should be suid user, 4777.
Since 9d18b624675 this is done by packaging auth_pam_tool already with correct permissions into the rpm.
For example,
$ rpm -qvlp MariaDB-server-10.5.10-1.el8.x86_64.rpm|grep -w auth_pam_tool |
...
|
-rwsr-xr-x 1 root root 12480 May 6 10:29 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool |
same for Fedoras.
But on CentOS 7 it shows rwxr-xr-x. Supposedly rpmbuild strips the SUID bit before packaging the file.
Attachments
Issue Links
- causes
-
-
- Closed
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Description |
auth_pam_tool should be suid user, 4777.
Since 9d18b624675 this is done by packaging {{auth_pam_tool}} already with correct permissions into the rpm. For example, {code:bash} $ rpm -qvlp MariaDB-server-10.5.10-1.el8.x86_64.rpm|grep -w auth_pam_tool ... -rwsr-xr-x 1 root root 12480 May 6 10:29 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool {code} same for Fedoras. But on CentOS 7 it shows {{rwx-r-xr-x}}. Supposedly {{rpmbuild}} strips the SUID bit before packaging the file. |
auth_pam_tool should be suid user, 4777.
Since 9d18b624675 this is done by packaging {{auth_pam_tool}} already with correct permissions into the rpm. For example, {code:bash} $ rpm -qvlp MariaDB-server-10.5.10-1.el8.x86_64.rpm|grep -w auth_pam_tool ... -rwsr-xr-x 1 root root 12480 May 6 10:29 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool {code} same for Fedoras. But on CentOS 7 it shows {{rwx-r-xr-x}}. Supposedly {{rpmbuild}} strips the SUID bit before packaging the file. |
| Description |
auth_pam_tool should be suid user, 4777.
Since 9d18b624675 this is done by packaging {{auth_pam_tool}} already with correct permissions into the rpm. For example, {code:bash} $ rpm -qvlp MariaDB-server-10.5.10-1.el8.x86_64.rpm|grep -w auth_pam_tool ... -rwsr-xr-x 1 root root 12480 May 6 10:29 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool {code} same for Fedoras. But on CentOS 7 it shows {{rwx-r-xr-x}}. Supposedly {{rpmbuild}} strips the SUID bit before packaging the file. |
auth_pam_tool should be suid user, 4777.
Since 9d18b624675 this is done by packaging {{auth_pam_tool}} already with correct permissions into the rpm. For example, {code:bash} $ rpm -qvlp MariaDB-server-10.5.10-1.el8.x86_64.rpm|grep -w auth_pam_tool ... -rwsr-xr-x 1 root root 12480 May 6 10:29 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool {code} same for Fedoras. But on CentOS 7 it shows {{rwxr-xr-x}}. Supposedly {{rpmbuild}} strips the SUID bit before packaging the file. |
| Priority | Major [ 3 ] | Critical [ 2 ] |
| Status | Open [ 1 ] | In Progress [ 3 ] |
| Status | In Progress [ 3 ] | Stalled [ 10000 ] |
serg compiled server with cmake 3.14.0 and suid bit is there
fixed by splitting INSTALL(CODE "EXECUTE_PROCESS...") call to the 2 separate calls to set directory and auth_pam_tool permissions separately.
according to EXECUTE_PROCESS doc 2 consequent commands will not be executed one-by-one, but instead stdout of first command will be piped to stdin of second one
| Fix Version/s | 10.5.13 [ 26026 ] | |
| Fix Version/s | 10.5 [ 23123 ] | |
| Fix Version/s | 10.6 [ 24028 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | Stalled [ 10000 ] | Closed [ 6 ] |
Unfortunately, it didn't help. Download, for example, http://hasky.askmonty.org/archive/10.5/build-42089/kvm-rpm-centos74-amd64/rpms/MariaDB-server-10.5.13-1.el7.centos.x86_64.rpm and see yourself
| Resolution | Fixed [ 1 ] | |
| Status | Closed [ 6 ] | Stalled [ 10000 ] |
| Fix Version/s | 10.5 [ 23123 ] | |
| Fix Version/s | 10.5.13 [ 26026 ] |
| Fix Version/s | 10.6 [ 24028 ] |
abychko I've added an abychko user to the aidi.askmonty.org server. You can login using one of the same ssh keys you have configured on github
| Fix Version/s | 10.4 [ 22408 ] |
reproduced on centos74-amd64-build image.
actually code running chmod on auth_pam_tool is executed properly.
CPack: - Install component: Server
|
mode of ‘auth_pam_tool_dir’ changed from 0775 (rwxrwxr-x) to 0700 (rwx------)
|
mode of ‘auth_pam_tool_dir/auth_pam_tool’ changed from 0755 (rwxr-xr-x) to 4755 (rwsr-xr-x)
|
it looks like suid bit disappears during debuginfo pkg creation. if CPACK_RPM_DEBUGINFO_PACKAGE is OFF - suid bit is preserved in RPM.
looking for good solution
tested it on different Centos versions, from 7.4 to 7.9 (latest). the result is the same, suid bit is lost if debuginfo is enabled.
the most simple way to solve it is to add chmod call to the %post.
serg does it look reasonable?
Not really. That's what we did before, it was reworked in 9d18b62467 for security reasons.
What's so special in CentOS7, why would it strip suid bit?
kernel drops suid bit on file modification.
[buildbot@centos74-amd64 auth_pam_tool_dir]$ ll
|
-rwsr-xr-x. 1 buildbot buildbot 11264 Aug 25 10:11 auth_pam_tool
|
[buildbot@centos74-amd64 auth_pam_tool_dir]$ cp auth_pam_tool auth_pam_tool2
|
[buildbot@centos74-amd64 auth_pam_tool_dir]$ ll
|
-rwsr-xr-x. 1 buildbot buildbot 11264 Aug 25 10:11 auth_pam_tool
|
-rwxr-xr-x. 1 buildbot buildbot 11264 Aug 25 11:05 auth_pam_tool2 <<<<<<<<<<<<
|
| Assignee | Alexey Bychko [ abychko ] | Sergei Golubchik [ serg ] |
| Fix Version/s | 10.4.22 [ 26031 ] | |
| Fix Version/s | 10.5.13 [ 26026 ] | |
| Fix Version/s | 10.6.5 [ 26034 ] | |
| Fix Version/s | 10.4 [ 22408 ] | |
| Fix Version/s | 10.5 [ 23123 ] | |
| Fix Version/s | 10.6 [ 24028 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | Stalled [ 10000 ] | Closed [ 6 ] |
| Component/s | Platform RedHat [ 11302 ] |
| Component/s | Packaging [ 10700 ] |
| Link |
This issue causes |
| Workflow | MariaDB v3 [ 124324 ] | MariaDB v4 [ 159588 ] |
| Zendesk Related Tickets | 191207 |
cmake 2.8.12.2 (Centos-7 native) works OK.
cmake 3.14 and 3.15 removed suid bit during test build.
need to check if versioned conditions like RPM-DEFAULT is root cause or not