[MDEV-30904] "rpm --setugids" breaks PAM authentication - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.5.18, 10.9.4, 10.11.2, 11.0.1, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.10.3
Fix Version/s: 10.4.32, 10.5.23, 10.6.16, 10.10.7, 10.11.6, 11.0.4, 11.1.3
Component/s: Plugin - pam
Labels:
None

Description

Our MariaDB-server RPM creates auth_pam_tool_dir with owner root, and only later in the post install hook script change the ownership to the mysql system user.

When running

rpm --setguids MariaDB-server

the directory owner is reset from "mysql" to "root", and with that and the "owner only" permissions of that directory, the auth_pam_tool utility contained by it can no longer be executed by the server, so breaking PAM authentication completely.

Looking at the plugin/auth_pam/CMakeLists.txt file I can see:

   SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}

        "%attr(700,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"

        "%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")

So the directory permissions are set there, but not the owner. By changing this to

   SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}

        "%attr(700,mysql,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"

        "%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")

the explicit chmod in the post install hook script should no longer be needed, and "rpm -setugids" should keep the correct ownership intact.

Attachments

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Hartmut Holzgraefe

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2023-03-22 19:11

Updated:: 2024-07-07 19:37

Resolved:: 2023-09-07 07:24

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.