MariaDB Server / MDEV-30904

"rpm --setugids" breaks PAM authentication

Details

    Description

      Our MariaDB-server RPM creates auth_pam_tool_dir with owner root, and only later, in the post install hook script, changes the ownership to the mysql system user.

      When running

      rpm --setugids MariaDB-server

      the directory owner is reset from "mysql" to "root", and with that and the "owner only" permissions of that directory, the auth_pam_tool utility contained by it can no longer be executed by the server, so breaking PAM authentication completely.

      Looking at the plugin/auth_pam/CMakeLists.txt file I can see:

         SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
              "%attr(700,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
              "%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")
      

      So the directory permissions are set there, but not the owner. By changing this to

         SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
              "%attr(700,mysql,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
              "%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")
      

      the explicit chmod in the post install hook script should no longer be needed, and "rpm --setugids" should keep the correct ownership intact.
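
      A check for the condition described in this report, added here as an example (it is not code from the MariaDB project or from the reporter): it reads the owner and mode that the RPM database records for auth_pam_tool_dir, which is what "rpm --setugids" restores, and compares them with what the server needs. The sample listings are constructed, the plugin path in them is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: would "rpm --setugids" leave auth_pam_tool_dir usable?

# Constructed sample output of:
#   rpm -q --qf '[%{FILEMODES:perms} %{FILEUSERNAME} %{FILEGROUPNAME} %{FILENAMES}\n]' MariaDB-server
# The plugin path is an assumption; it differs between distributions.
SAMPLE_BEFORE='drwx------ root root /usr/lib64/mysql/plugin/auth_pam_tool_dir
-rwsr-xr-x root root /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool'
SAMPLE_AFTER='drwx------ mysql root /usr/lib64/mysql/plugin/auth_pam_tool_dir
-rwsr-xr-x root root /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool'

# Print "<perms> <owner>" recorded in the package for the tool directory.
packaged_dir_entry() {
    awk '$4 ~ /\/auth_pam_tool_dir$/ { print $1, $2 }'
}

# Reads the listing on stdin. Succeeds only if the packaged metadata is
# mode 700 and owned by the server's system user (default: mysql), i.e.
# the state that "rpm --setugids" can restore without breaking PAM auth.
setugids_safe() {
    entry=$(packaged_dir_entry)
    [ "$entry" = "drwx------ ${1:-mysql}" ]
}

# Check the directory as it is on disk right now (GNU stat).
# usage: ondisk_ok DIR [OWNER]
ondisk_ok() {
    [ "$(stat -c '%a %U' "$1" 2>/dev/null)" = "700 ${2:-mysql}" ]
}

for name in BEFORE AFTER; do
    eval "data=\$SAMPLE_$name"
    if printf '%s\n' "$data" | setugids_safe; then
        echo "$name: packaged owner survives rpm --setugids"
    else
        echo "$name: rpm --setugids would lock the server out of auth_pam_tool"
    fi
done
```

      On a real host, pipe the rpm query shown in the comment into setugids_safe, and run ondisk_ok against the installed directory after any ownership reset.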


        Activity

          hholzgra Hartmut Holzgraefe created issue -
          julien.fritsch Julien Fritsch made changes -
          Field Original Value New Value
          Fix Version/s 10.4 [ 22408 ]
          Fix Version/s 10.5 [ 23123 ]
          Fix Version/s 10.6 [ 24028 ]
          Fix Version/s 10.3 [ 22126 ]
          serg Sergei Golubchik made changes -
          Assignee Julien Fritsch [ julien.fritsch ]
          julien.fritsch Julien Fritsch made changes -
          Fix Version/s 10.3 [ 22126 ]
          Fix Version/s 10.4 [ 22408 ]
          Fix Version/s 10.6 [ 24028 ]
          julien.fritsch Julien Fritsch made changes -
          Assignee Julien Fritsch [ julien.fritsch ] Sergei Golubchik [ serg ]
          hholzgra Hartmut Holzgraefe made changes -
          Affects Version/s 10.10.3 [ 28521 ]
          Affects Version/s 10.8.7 [ 28517 ]
          Affects Version/s 10.7.8 [ 28515 ]
          Affects Version/s 10.6.12 [ 28513 ]
          Affects Version/s 10.5.19 [ 28511 ]
          Affects Version/s 10.9.4 [ 28444 ]
          Affects Version/s 11.0.1 [ 28548 ]
          Affects Version/s 10.11.2 [ 28523 ]
          julien.fritsch Julien Fritsch made changes -
          Fix Version/s 10.9 [ 26905 ]
          Fix Version/s 10.11 [ 27614 ]
          Fix Version/s 11.0 [ 28320 ]
          julien.fritsch Julien Fritsch made changes -
          Fix Version/s 10.6 [ 24028 ]
          Fix Version/s 10.7 [ 24805 ]
          Fix Version/s 10.8 [ 26121 ]
          julien.fritsch Julien Fritsch made changes -
          Fix Version/s 10.7 [ 24805 ]
          julien.fritsch Julien Fritsch made changes -
          Fix Version/s 10.8 [ 26121 ]
          serg Sergei Golubchik made changes -
          Status Open [ 1 ] Needs Feedback [ 10501 ]
          julien.fritsch Julien Fritsch made changes -
          Priority Major [ 3 ] Critical [ 2 ]
          serg Sergei Golubchik made changes -
          Status Needs Feedback [ 10501 ] Open [ 1 ]
          serg Sergei Golubchik made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          serg Sergei Golubchik made changes -
          Status In Progress [ 3 ] Stalled [ 10000 ]
          serg Sergei Golubchik made changes -
          Status Stalled [ 10000 ] In Testing [ 10301 ]
          serg Sergei Golubchik made changes -
          Fix Version/s 10.4 [ 22408 ]
          serg Sergei Golubchik made changes -
          Fix Version/s 10.4.32 [ 29300 ]
          Fix Version/s 10.5.23 [ 29012 ]
          Fix Version/s 10.6.16 [ 29014 ]
          Fix Version/s 10.10.7 [ 29018 ]
          Fix Version/s 10.11.6 [ 29020 ]
          Fix Version/s 11.0.4 [ 29021 ]
          Fix Version/s 11.1.3 [ 29023 ]
          Fix Version/s 10.4 [ 22408 ]
          Fix Version/s 10.5 [ 23123 ]
          Fix Version/s 10.6 [ 24028 ]
          Fix Version/s 10.9 [ 26905 ]
          Fix Version/s 10.11 [ 27614 ]
          Fix Version/s 11.0 [ 28320 ]
          Resolution Fixed [ 1 ]
          Status In Testing [ 10301 ] Closed [ 6 ]
          mariadb-jira-automation Jira Automation (IT) made changes -
          Zendesk Related Tickets 120348

          People

            serg Sergei Golubchik
            hholzgra Hartmut Holzgraefe