Since MariaDB 10.4, PAM authentication is not handled by the MariaDB server process itself, but by separate sandbox processes that run with privileges raised via suid.
This has two advantages:
- potential crashes inside one of the pam_... shared libraries only bring down the sandbox process and not the actual server (
- no permission changes of files like /etc/shadow (has to be readable when using pam_unix.so) are needed, and neither does the server process itself have to run as root (
It would be a good thing to have the same for the PAM implementation on the MaxScale side, too.
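The crash-isolation advantage described above, as an added example that is not MariaDB or MaxScale code: the parent forks a helper, reads a one-byte verdict over a pipe, and treats any abnormal helper exit as a denial. The names `sandboxed_auth`, `check_ok` and `check_crash` and the credentials are constructed for illustration; the check functions stand in for the calls into the pam_... libraries, and the suid part of the design is not shown.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the helper's call into the PAM libraries. */
typedef int (*auth_fn)(const char *user, const char *pass);

static int check_ok(const char *user, const char *pass) {
    return strcmp(user, "alice") == 0 && strcmp(pass, "s3cret") == 0; /* constructed */
}

static int check_crash(const char *user, const char *pass) {
    (void)user; (void)pass;
    signal(SIGSEGV, SIG_DFL);
    raise(SIGSEGV);              /* simulate a fault inside a pam_... library */
    _exit(2);                    /* only reached if the signal did not kill us */
}

/* Returns 1 = authenticated, 0 = rejected, -1 = helper failed (deny). */
int sandboxed_auth(auth_fn fn, const char *user, const char *pass) {
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                                  /* helper process */
        close(fd[0]);
        char verdict = fn(user, pass) ? 'Y' : 'N';
        _exit(write(fd[1], &verdict, 1) == 1 ? 0 : 1);
    }
    close(fd[1]);                                    /* server side */
    char verdict = 0;
    ssize_t n = read(fd[0], &verdict, 1);            /* EOF if the helper died */
    close(fd[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    /* Fail closed: a killed helper or a missing verdict never authenticates. */
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0 || n != 1) return -1;
    return verdict == 'Y' ? 1 : 0;
}

int main(void) {
    printf("good password: %d\n", sandboxed_auth(check_ok, "alice", "s3cret"));
    printf("bad password:  %d\n", sandboxed_auth(check_ok, "alice", "wrong"));
    printf("helper crash:  %d\n", sandboxed_auth(check_crash, "alice", "s3cret"));
    return 0;
}
```

The caller survives the simulated segfault and reports it as a failed login, which is the behaviour the first bullet point describes for the server.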