Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-30904

"rpm --setugids" breaks PAM authentication

Details

    Description

      Our MariaDB-server RPM creates auth_pam_tool_dir with owner root, and only later in the post install hook script change the ownership to the mysql system user.

      When running

      rpm --setguids MariaDB-server

      the directory owner is reset from "mysql" to "root", and with that and the "owner only" permissions of that directory, the auth_pam_tool utility contained by it can no longer be executed by the server, so breaking PAM authentication completely.

      Looking at the plugin/auth_pam/CMakeLists.txt file I can see:

         SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
      		 
              "%attr(700,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
      		 
              "%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")

      So the directory permissions are set there, but not the owner. By changing this to

         SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
      		 
              "%attr(700,mysql,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
      		 
              "%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")

      the explicit chmod in the post install hook script should no longer be needed, and "rpm -setugids" should keep the correct ownership intact.

      Attachments

        Activity

          Ascending order - Click to sort in descending order
          hholzgra Hartmut Holzgraefe created issue -
          julien.fritsch Julien Fritsch made changes -
          Field Original Value New Value
          Fix Version/s 10.4 [ 22408 ]
          Fix Version/s 10.5 [ 23123 ]
          Fix Version/s 10.6 [ 24028 ]
          Fix Version/s 10.3 [ 22126 ]
          serg Sergei Golubchik made changes -
          Assignee Julien Fritsch [ julien.fritsch ]
          julien.fritsch Julien Fritsch made changes -
          Fix Version/s 10.3 [ 22126 ]
          Fix Version/s 10.4 [ 22408 ]
          Fix Version/s 10.6 [ 24028 ]
          julien.fritsch Julien Fritsch made changes -
          Assignee Julien Fritsch [ julien.fritsch ] Sergei Golubchik [ serg ]
          hholzgra Hartmut Holzgraefe added a comment -

          Affected versions determined by checking that respective versions support-files/rpm/server-postin.sh contains a chown for auth_pam_tool_dir

          hholzgra Hartmut Holzgraefe added a comment - Affected versions determined by checking that respective versions support-files/rpm/server-postin.sh contains a chown for auth_pam_tool_dir
          hholzgra Hartmut Holzgraefe made changes -
          Affects Version/s 10.10.3 [ 28521 ]
          Affects Version/s 10.8.7 [ 28517 ]
          Affects Version/s 10.7.8 [ 28515 ]
          Affects Version/s 10.6.12 [ 28513 ]
          Affects Version/s 10.5.19 [ 28511 ]
          Affects Version/s 10.9.4 [ 28444 ]
          Affects Version/s 11.0.1 [ 28548 ]
          Affects Version/s 10.11.2 [ 28523 ]
          julien.fritsch Julien Fritsch made changes -
          Fix Version/s 10.9 [ 26905 ]
          Fix Version/s 10.11 [ 27614 ]
          Fix Version/s 11.0 [ 28320 ]
          julien.fritsch Julien Fritsch made changes -
          Fix Version/s 10.6 [ 24028 ]
          Fix Version/s 10.7 [ 24805 ]
          Fix Version/s 10.8 [ 26121 ]
          julien.fritsch Julien Fritsch made changes -
          Fix Version/s 10.7 [ 24805 ]
          julien.fritsch Julien Fritsch made changes -
          Fix Version/s 10.8 [ 26121 ]
          serg Sergei Golubchik added a comment -

          the commit that added chown to postin scriptlet, says

          commit 9d18b624675
          		 
          Author: Sergei Golubchik <serg@mariadb.org>
          		 
          Date:   Wed Jan 15 18:08:02 2020 +0100
          		 
           
          		 
              rpm/deb and auth_pam_tool_dir/auth_pam_tool
          		 
              
              don't let mysql_install_db set SUID bit for auth_pam_tool in rpm/deb
          		 
              packages - instead package files with correct permissions and
          		 
              only fix the ownership of auth_pam_tool_dir (which can only be done
          		 
              after mysql user is created, so in post-install).

          Is it wrong? Can you still use %attr(700,mysql,-) ?

          serg Sergei Golubchik added a comment - the commit that added chown to postin scriptlet, says commit 9d18b624675 Author: Sergei Golubchik <serg@mariadb.org> Date: Wed Jan 15 18:08:02 2020 +0100   rpm/deb and auth_pam_tool_dir/auth_pam_tool don't let mysql_install_db set SUID bit for auth_pam_tool in rpm/deb packages - instead package files with correct permissions and only fix the ownership of auth_pam_tool_dir (which can only be done after mysql user is created, so in post-install). Is it wrong? Can you still use %attr(700,mysql,-) ?
          serg Sergei Golubchik made changes -
          Status Open [ 1 ] Needs Feedback [ 10501 ]
          hholzgra Hartmut Holzgraefe added a comment -

          I thought I had that tested, but after double checking on a fresh Rocky8 VM with no "mysql" user in /etc/passwd yet I'm indeed still getting the "auth_pam_tool_dir" owned by "root", not "mysql". Running rpm --setugids MariaDB-server then fixes that. So my patch was active, but failed for not having the user added yet at the time this information is used during RPM install.

          Looking at our sources I can see useradd mysql being done in the post install script, yet checking the Fedora guidelines this should happen in the pre install script instead, which would also solve our problem here:

          https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Dynamic_allocation

          hholzgra Hartmut Holzgraefe added a comment - I thought I had that tested, but after double checking on a fresh Rocky8 VM with no "mysql" user in /etc/passwd yet I'm indeed still getting the "auth_pam_tool_dir" owned by "root", not "mysql". Running rpm --setugids MariaDB-server then fixes that. So my patch was active, but failed for not having the user added yet at the time this information is used during RPM install. Looking at our sources I can see useradd mysql being done in the post install script, yet checking the Fedora guidelines this should happen in the pre install script instead, which would also solve our problem here: https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Dynamic_allocation
          hholzgra Hartmut Holzgraefe added a comment -

          Looking at the debian side there we're indeed adding the "mysql" user in the pre inst hook already.

          hholzgra Hartmut Holzgraefe added a comment - Looking at the debian side there we're indeed adding the "mysql" user in the pre inst hook already.
          julien.fritsch Julien Fritsch made changes -
          Priority Major [ 3 ] Critical [ 2 ]
          serg Sergei Golubchik made changes -
          Status Needs Feedback [ 10501 ] Open [ 1 ]
          serg Sergei Golubchik made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          serg Sergei Golubchik made changes -
          Status In Progress [ 3 ] Stalled [ 10000 ]
          serg Sergei Golubchik made changes -
          Status Stalled [ 10000 ] In Testing [ 10301 ]
          serg Sergei Golubchik added a comment -

          hholzgra, do you want to check the fix before it's pushed?
          Take it from https://buildbot.mariadb.net/archive/pack/bb-10.4-all-builders/

          serg Sergei Golubchik added a comment - hholzgra , do you want to check the fix before it's pushed? Take it from https://buildbot.mariadb.net/archive/pack/bb-10.4-all-builders/
          serg Sergei Golubchik made changes -
          Fix Version/s 10.4 [ 22408 ]
          serg Sergei Golubchik made changes -
          Fix Version/s 10.4.32 [ 29300 ]
          Fix Version/s 10.5.23 [ 29012 ]
          Fix Version/s 10.6.16 [ 29014 ]
          Fix Version/s 10.10.7 [ 29018 ]
          Fix Version/s 10.11.6 [ 29020 ]
          Fix Version/s 11.0.4 [ 29021 ]
          Fix Version/s 11.1.3 [ 29023 ]
          Fix Version/s 10.4 [ 22408 ]
          Fix Version/s 10.5 [ 23123 ]
          Fix Version/s 10.6 [ 24028 ]
          Fix Version/s 10.9 [ 26905 ]
          Fix Version/s 10.11 [ 27614 ]
          Fix Version/s 11.0 [ 28320 ]
          Resolution Fixed [ 1 ]
          Status In Testing [ 10301 ] Closed [ 6 ]
          mariadb-jira-automation Jira Automation (IT) made changes -
          Zendesk Related Tickets 120348

          People

            serg Sergei Golubchik
            hholzgra Hartmut Holzgraefe
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.