Our MariaDB-server RPM creates auth_pam_tool_dir with owner root, and only later, in the post install hook script, changes the ownership to the mysql system user.
When running
rpm --setugids MariaDB-server
the directory owner is reset from "mysql" to "root", and with that and the "owner only" permissions of that directory, the auth_pam_tool utility contained by it can no longer be executed by the server, so breaking PAM authentication completely.
Looking at the plugin/auth_pam/CMakeLists.txt file I can see:
SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
    "%attr(700,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
    "%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")
So the directory permissions are set there, but not the owner. By changing this to
SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
    "%attr(700,mysql,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
    "%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")
the explicit chmod in the post install hook script should no longer be needed, and "rpm --setugids" should keep the correct ownership intact.
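
An added example, not part of the original report or of the MariaDB packaging: a check of the owner and mode that the RPM database records for the PAM helper, which is what "rpm --setugids" restores. It reads an "rpm -qlv"-style listing on stdin; the function names and the /PLUGINDIR sample paths are assumptions, and the sample listings are constructed.

```shell
#!/bin/sh
# Audit the metadata the RPM database records for auth_pam_tool_dir.
# Input: `rpm -qlv <package>` style lines (ls -l layout; field 1 = mode,
# field 3 = owner, last field = path). Expected values mirror the proposed
# %attr(700,mysql,-) and %attr(4755,-,-) entries.
audit_pam_tool_metadata() {
    awk '
        $NF ~ /\/auth_pam_tool_dir$/ {
            seen_dir = 1
            if ($1 != "drwx------") { printf "BAD mode %s on %s\n", $1, $NF; bad = 1 }
            if ($3 != "mysql")      { printf "BAD owner %s on %s\n", $3, $NF; bad = 1 }
        }
        $NF ~ /\/auth_pam_tool_dir\/auth_pam_tool$/ {
            seen_tool = 1
            if ($1 != "-rwsr-xr-x") { printf "BAD mode %s on %s\n", $1, $NF; bad = 1 }
        }
        END {
            if (!seen_dir)  { print "MISSING auth_pam_tool_dir"; bad = 1 }
            if (!seen_tool) { print "MISSING auth_pam_tool"; bad = 1 }
            exit bad + 0   # non-zero when any recorded value is wrong
        }
    '
}

# Constructed sample: directory recorded as root-owned, as with %attr(700,-,-).
sample_current() {
    cat <<'EOF'
drwx------    2 root     root          0 Jan  1  2020 /PLUGINDIR/auth_pam_tool_dir
-rwsr-xr-x    1 root     root      15000 Jan  1  2020 /PLUGINDIR/auth_pam_tool_dir/auth_pam_tool
EOF
}

# Constructed sample: directory recorded as mysql-owned, as with %attr(700,mysql,-).
sample_proposed() {
    cat <<'EOF'
drwx------    2 mysql    root          0 Jan  1  2020 /PLUGINDIR/auth_pam_tool_dir
-rwsr-xr-x    1 root     root      15000 Jan  1  2020 /PLUGINDIR/auth_pam_tool_dir/auth_pam_tool
EOF
}

# Demo on the constructed samples; on a real host use:
#   rpm -qlv MariaDB-server | audit_pam_tool_metadata
sample_current  | audit_pam_tool_metadata || echo "current packaging: ownership not preserved"
sample_proposed | audit_pam_tool_metadata && echo "proposed packaging: ok"
```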