Details
- Type: New Feature
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 2.5.15, 6.1.1
- Fix Version/s: 23.08
- Component/s: None
- Labels: None
Description
Since MariaDB 10.4, PAM authentication is not handled by the MariaDB server process itself, but by separate sandbox processes running using suid privilege raising.
This has two advantages:
- potential crashes inside one of the pam_... shared libraries only bring down the sandbox process and not the actual server (MDEV-15473)
- no permission changes of files like /etc/shadow (has to be readable when using pam_unix.so) are needed, and neither does the server process itself have to run as root (MDEV-7032)
It would be a good thing to have the same for the PAM implementation on the MaxScale side, too.
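
The crash-isolation point from the description, as an added C sketch that is not part of the ticket and is not MariaDB or MaxScale code. The `module_*` functions are hypothetical stand-ins for a call into a pam_*.so library, and the separate suid helper binary that provides the privilege separation is not modelled; only the fork, the one-byte verdict and the fail-closed handling are shown.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum auth_result { AUTH_OK, AUTH_DENIED, AUTH_HELPER_FAILED };

/* Hypothetical stand-ins for a pam_*.so module; 0 means "authenticated". */
typedef int (*auth_module)(const char *user, const char *password);
static int module_accept(const char *u, const char *p) { (void)u; (void)p; return 0; }
static int module_reject(const char *u, const char *p) { (void)u; (void)p; return 1; }
static int module_crash(const char *u, const char *p) { (void)u; (void)p; abort(); }

/* Run the module in a child process; only a one-byte verdict crosses the pipe. */
enum auth_result sandboxed_auth(auth_module module, const char *user, const char *password)
{
    int fds[2];
    if (pipe(fds) != 0) return AUTH_HELPER_FAILED;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return AUTH_HELPER_FAILED; }
    if (pid == 0) {                          /* sandbox process */
        close(fds[0]);
        char verdict = module(user, password) == 0 ? 'Y' : 'N';
        _exit(write(fds[1], &verdict, 1) == 1 ? 0 : 1);
    }
    close(fds[1]);                           /* server side */
    char verdict = 0;
    ssize_t n;
    do { n = read(fds[0], &verdict, 1); } while (n < 0 && errno == EINTR);
    close(fds[0]);
    int status = 0;
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR) { }
    /* Fail closed: a crash, a non-zero exit or a missing verdict never authenticates. */
    if (n != 1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return AUTH_HELPER_FAILED;
    return verdict == 'Y' ? AUTH_OK : AUTH_DENIED;
}

int main(void)
{
    /* Constructed credentials; the calling process survives the crashing module. */
    int ok = sandboxed_auth(module_accept, "alice", "secret") == AUTH_OK;
    int denied = sandboxed_auth(module_reject, "alice", "secret") == AUTH_DENIED;
    int crashed = sandboxed_auth(module_crash, "alice", "secret") == AUTH_HELPER_FAILED;
    return (ok && denied && crashed) ? 0 : 1;
}
```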
Issue Links
- relates to
  - MDEV-7032 new pam plugin with a suid wrapper (Closed)
  - MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server (Closed)