Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-7032

new pam plugin with a suid wrapper

    XMLWordPrintable

Details

    • 10.4.0-1

    Description

      PAM authentication in many cases only works if done by the root user or the user that is authenticating itself.

      For example, to read /etc/shadow one has to be root. unix_chkpwd wrapper, created specifically to loosen this requirement, checks that user name matches the current UID. Google-authenticator PAM module reads the data from ~user/ home directory — again, can be only done as root or that user. And so on.

      A solution to all these problems could be a small setuid wrapper that pam plugin invokes. Perhaps this wrapper should check that it is invoked as mysql user…

      Attachments

        Issue Links

          blocks

          Task - A task that needs to be done. MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          causes

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19876 pam v2: auth_pam_tool_dir and auth_pam_tool permissions are wrong in RPMs

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Task - A task that needs to be done. MDEV-19877 pam v2: auth_pam_tool input format is not user friendly for debugging

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19878 pam v2: pam password authentication doesn't work at all

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19880 pam v1: pam password authentication doesn't work at all in MariaDB 10.4

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19881 pam plugin from MariaDB 10.3 doesn't work with MariaDB 10.4

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19882 pam v2: auth_pam_tool truncates passwords that are not null-terminated

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-21385 PAM v2 plugin produces lots of zombie processes

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-22459 pam v2 should log an error if auth_pam_tool exec fails

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-22482 pam v2: mysql_upgrade doesn't fix the ownership/privileges of auth_pam_tool

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MXS-2633 Pam authentication doesn't work with server 10.4

          • Major - Major loss of function.
          • Closed
          includes

          Bug - A problem which impairs or prevents the functions of the product. MDEV-14838 PAM authentication requires mysql user to be in the shadow group

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-16813 Document PAM updates

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. MDEV-18311 Change default PAM service name to mariadb

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. MXS-3753 Add option to run PAM authentication in a suid sanbox

          • Major - Major loss of function.
          • Closed

          Activity

            People

              holyfoot Alexey Botchkov
              serg Sergei Golubchik
              Votes:
              3 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.