Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
10.5.18, 10.9.4, 10.11.2, 11.0.1, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.10.3
-
None
Description
Our MariaDB-server RPM creates auth_pam_tool_dir with owner root, and only later in the post install hook script change the ownership to the mysql system user.
When running
rpm --setguids MariaDB-server
the directory owner is reset from "mysql" to "root", and with that and the "owner only" permissions of that directory, the auth_pam_tool utility contained by it can no longer be executed by the server, so breaking PAM authentication completely.
Looking at the plugin/auth_pam/CMakeLists.txt file I can see:
SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
|
"%attr(700,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
|
"%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")
|
So the directory permissions are set there, but not the owner. By changing this to
SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
|
"%attr(700,mysql,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
|
"%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")
|
the explicit chmod in the post install hook script should no longer be needed, and "rpm -setugids" should keep the correct ownership intact.
Attachments
Activity
the commit that added chown to postin scriptlet, says
commit 9d18b624675
|
Author: Sergei Golubchik <serg@mariadb.org>
|
Date: Wed Jan 15 18:08:02 2020 +0100
|
|
|
rpm/deb and auth_pam_tool_dir/auth_pam_tool
|
|
don't let mysql_install_db set SUID bit for auth_pam_tool in rpm/deb
|
packages - instead package files with correct permissions and
|
only fix the ownership of auth_pam_tool_dir (which can only be done
|
after mysql user is created, so in post-install).
|
Is it wrong? Can you still use %attr(700,mysql,-) ?
I thought I had that tested, but after double checking on a fresh Rocky8 VM with no "mysql" user in /etc/passwd yet I'm indeed still getting the "auth_pam_tool_dir" owned by "root", not "mysql". Running rpm --setugids MariaDB-server then fixes that. So my patch was active, but failed for not having the user added yet at the time this information is used during RPM install.
Looking at our sources I can see useradd mysql being done in the post install script, yet checking the Fedora guidelines this should happen in the pre install script instead, which would also solve our problem here:
https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Dynamic_allocation
Looking at the debian side there we're indeed adding the "mysql" user in the pre inst hook already.
hholzgra, do you want to check the fix before it's pushed?
Take it from https://buildbot.mariadb.net/archive/pack/bb-10.4-all-builders/
Affected versions determined by checking that respective versions support-files/rpm/server-postin.sh contains a chown for auth_pam_tool_dir