Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-3753

Add option to run PAM authentication in a suid sanbox

    XMLWordPrintable

Details

    • MXS-SPRINT-185, MXS-SPRINT-186, MXS-SPRINT-187, MXS-SPRINT-188, MXS-SPRINT-189, MXS-SPRINT-190

    Description

      Since MariaDB 10.4 PAM authentication is not handled by the MariaDB server process itself, but by separate sandbox processes running using suid privilege raising.

      This has two advantages:

      • potential crashes inside one of the pam_... shared libraries only bring down the sandbox process and not the actual server (MDEV-15473)
      • no permission changes of files like /etc/shadow (has to be readable when using pam_unix.so) are needed, and neither does the server process itself have to run as root (MDEV-7032)

      It would be a good thing to have the same for the PAM implementation on the maxscale side, too.

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. MDEV-7032 new pam plugin with a suid wrapper

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Task - A task that needs to be done. MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              esa.korhonen Esa Korhonen
              hholzgra Hartmut Holzgraefe
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.