Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-27341

Use SET PASSWORD to change PAM service

    XMLWordPrintable

Details

    Description

      Set up:

      $ useradd -m testy
      		 
      $ passwd testy
      		 
      New password:
      		 
      Retype new password:
      		 
      passwd: password updated successfully

      On MariaDB:

      MariaDB [(none)]> INSTALL SONAME 'auth_pam';
      		 
      Query OK, 0 rows affected (0.000 sec)
      		 
       
      		 
      MariaDB [(none)]> create user `testy`@`%` identified via PAM using 'm1';
      		 
      Query OK, 0 rows affected (0.005 sec)

      Create files for PAM scripts called M1:
      /etc/pam.d/m1

      auth required pam_unix.so audit
      		 
      account required pam_unix.so audit
      		 
      account required pam_exec.so /etc/pam_scripts/m1.sh

      /etc/pam_scripts/m1.sh

      #!/bin/sh
      		 
      echo "m1" >> /var/log/mariadb-auth
      		 
      exit 0

      Create files for PAM scripts called M2:
      /etc/pam.d/m2

      auth required pam_unix.so audit
      		 
      account required pam_unix.so audit
      		 
      account required pam_exec.so /etc/pam_scripts/m2.sh

      /etc/pam_scripts/m2.sh

      #!/bin/sh
      		 
      echo "m2" >> /var/log/mariadb-auth
      		 
      exit 0

      Example of changing PAM scripts from m1 to m2 with set password command:

      $ mariadb -u testy -s
      		 
      [mariadb] Password:
      		 
      MariaDB [(none)]> set password='m2';
      		 
      MariaDB [(none)]> exit
      		 
      $ mariadb -u testy -s
      		 
      [mariadb] Password:
      		 
      MariaDB [(none)]> exit

      Now check the log, and you will see that both M1 and M2 have been used for this:

      $ cat /var/log/mariadb-auth
      		 
      m1
      		 
      m2

      A user can bypass PAM scripts and still login by setting password to something that does not exist.

      Query to review before and after SET PASSWORD command:

      select * from mysql.global_priv where user = 'testy';

      Attachments

        Activity

          People

            serg Sergei Golubchik
            edward Edward Stoever
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.