  1. MariaDB Server
  2. MDEV-27341

Use SET PASSWORD to change PAM service

      Description

      Set up:

      $ useradd -m testy
      $ passwd testy
      New password:
      Retype new password:
      passwd: password updated successfully
      

      On MariaDB:

      MariaDB [(none)]> INSTALL SONAME 'auth_pam';
      Query OK, 0 rows affected (0.000 sec)
       
      MariaDB [(none)]> create user `testy`@`%` identified via PAM using 'm1';
      Query OK, 0 rows affected (0.005 sec)
      

      Create files for PAM scripts called M1:
      /etc/pam.d/m1

      auth required pam_unix.so audit
      account required pam_unix.so audit
      account required pam_exec.so /etc/pam_scripts/m1.sh
      

      /etc/pam_scripts/m1.sh

      #!/bin/sh
      echo "m1" >> /var/log/mariadb-auth
      exit 0
      

      Create files for PAM scripts called M2:
      /etc/pam.d/m2

      auth required pam_unix.so audit
      account required pam_unix.so audit
      account required pam_exec.so /etc/pam_scripts/m2.sh
      

      /etc/pam_scripts/m2.sh

      #!/bin/sh
      echo "m2" >> /var/log/mariadb-auth
      exit 0
      

      Example of changing PAM scripts from m1 to m2 with the SET PASSWORD command:

      $ mariadb -u testy -s
      [mariadb] Password:
      MariaDB [(none)]> set password='m2';
      MariaDB [(none)]> exit
      $ mariadb -u testy -s
      [mariadb] Password:
      MariaDB [(none)]> exit
      

      Now check the log, and you will see that both M1 and M2 have been used for this:

      $ cat /var/log/mariadb-auth
      m1
      m2
      

      A user can bypass PAM scripts and still log in by setting the password to something that does not exist.

      Query to review before and after SET PASSWORD command:

      select * from mysql.global_priv where user = 'testy';
      

            People

            Assignee:
            serg Sergei Golubchik
            Reporter:
            edward Edward Stoever
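
A defender-side audit for the drift this report describes, as an added example that is not part of the original report or of MariaDB's code: it compares each PAM account's service name from `mysql.global_priv` with a recorded baseline and with the files present in `/etc/pam.d`. The sample rows, the baseline, and the `Priv` JSON keys (`plugin`, `authentication_string`) are assumptions.

```python
import json
from pathlib import Path

# Constructed sample of: SELECT Host, User, Priv FROM mysql.global_priv;
# Assumption: Priv is JSON carrying "plugin" and "authentication_string",
# and for the pam plugin authentication_string holds the PAM service name.
SAMPLE_ROWS = [
    ("%", "testy", '{"plugin":"pam","authentication_string":"m2"}'),
    ("%", "alice", '{"plugin":"pam","authentication_string":"m1"}'),
    ("%", "bob", '{"plugin":"pam","authentication_string":"nosuch"}'),
    ("localhost", "app",
     '{"plugin":"mysql_native_password","authentication_string":"*CONSTRUCTED"}'),
]
# Constructed baseline: the service each account was created with.
BASELINE = {("testy", "%"): "m1", ("alice", "%"): "m1", ("bob", "%"): "m1"}


def installed_services(pam_dir="/etc/pam.d"):
    """Names of the PAM service files present on this host."""
    path = Path(pam_dir)
    return {f.name for f in path.iterdir() if f.is_file()} if path.is_dir() else set()


def audit_pam_services(rows, baseline, installed):
    """Return (user, host, expected, actual, file_exists) per drifted PAM account."""
    findings = []
    for host, user, priv_json in rows:
        priv = json.loads(priv_json)
        if priv.get("plugin") != "pam":
            continue  # only PAM-authenticated accounts are in scope
        actual = priv.get("authentication_string") or ""
        expected = baseline.get((user, host))  # None: no approved service on record
        if actual != expected:
            findings.append((user, host, expected, actual, actual in installed))
    return findings


if __name__ == "__main__":
    for user, host, expected, actual, exists in audit_pam_services(
            SAMPLE_ROWS, BASELINE, installed_services()):
        note = "" if exists else " (no such file in /etc/pam.d)"
        print(f"{user}@{host}: PAM service {actual!r}, expected {expected!r}{note}")
```

Run on a schedule, the same comparison surfaces both cases from the report: a switch to another existing service (m1 to m2) and a switch to a name with no file behind it.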