Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-3753

Implement suid sanboxing for PAM like MariaDB server does

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.5.15, 6.1.1
    • Fix Version/s: 7
    • Component/s: None
    • Labels:
      None

      Description

      Since MariaDB 10.4 PAM authentication is not handled by the MariaDB server process itself, but by separate sandbox processes running using suid privilege raising.

      This has two advantages:

      • potential crashes inside one of the pam_... shared libraries only bring down the sandbox process and not the actual server (MDEV-15473)
      • no permission changes of files like /etc/shadow (has to be readable when using pam_unix.so) are needed, and neither does the server process itself have to run as root (MDEV-7032)

      It would be a good thing to have the same for the PAM implementation on the maxscale side, too.

        Attachments

          Issue Links

          relates to

          Task - A task that needs to be done. MDEV-7032 new pam plugin with a suid wrapper

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Task - A task that needs to be done. MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

            Activity

              People

              Assignee:
              toddstoffel Todd Stoffel
              Reporter:
              hholzgra Hartmut Holzgraefe
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:

                  Git Integration