Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.5, 10.6, 10.2(EOL), 10.3(EOL), 10.4(EOL)
-
None
Description
Set up:
$ useradd -m testy
|
$ passwd testy
|
New password:
|
Retype new password:
|
passwd: password updated successfully
|
On MariaDB:
MariaDB [(none)]> INSTALL SONAME 'auth_pam';
|
Query OK, 0 rows affected (0.000 sec)
|
 |
MariaDB [(none)]> create user `testy`@`%` identified via PAM using 'm1';
|
Query OK, 0 rows affected (0.005 sec)
|
Create files for PAM scripts called M1:
/etc/pam.d/m1
auth required pam_unix.so audit
|
account required pam_unix.so audit
|
account required pam_exec.so /etc/pam_scripts/m1.sh
|
/etc/pam_scripts/m1.sh
#!/bin/sh
|
echo "m1" >> /var/log/mariadb-auth
|
exit 0
|
Create files for PAM scripts called M2:
/etc/pam.d/m2
auth required pam_unix.so audit
|
account required pam_unix.so audit
|
account required pam_exec.so /etc/pam_scripts/m2.sh
|
/etc/pam_scripts/m2.sh
#!/bin/sh
|
echo "m2" >> /var/log/mariadb-auth
|
exit 0
|
Example of changing PAM scripts from m1 to m2 with set password command:
$ mariadb -u testy -s
|
[mariadb] Password:
|
MariaDB [(none)]> set password='m2';
|
MariaDB [(none)]> exit
|
$ mariadb -u testy -s
|
[mariadb] Password:
|
MariaDB [(none)]> exit
|
Now check the log, and you will see that both M1 and M2 have been used for this:
$ cat /var/log/mariadb-auth
|
m1
|
m2
|
A user can bypass PAM scripts and still login by setting password to something that does not exist.
Query to review before and after SET PASSWORD command:
select * from mysql.global_priv where user = 'testy';
|