[MDEV-13769] Autolock with pam_faillock.so failed Created: 2017-09-08  Updated: 2020-08-25  Resolved: 2017-09-20

Status: Closed
Project: MariaDB Server
Component/s: Plugin - pam
Affects Version/s: 10.1, 10.2
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Richard Stracke Assignee: Andrii Nikitin (Inactive)
Resolution: Not a Bug Votes: 1
Labels: None
Environment: CentOS 7 via VirtualBox

Description

I am trying to configure an autolock feature for a customer.

If I try to use this configuration in /etc/pam.d/mariadb:

auth required pam_faillock.so deny=3 unlock_time=60
auth required pam_unix.so
account required pam_faillock.so
account required pam_unix.so

the plugin does not work.

Is the PAM plugin limited?

Comments
Comment by Andrii Nikitin (Inactive) [ 2017-09-20 ]

I was able to set up faillock both in a VM and in Docker.
The tricks to consider were:

  • correct syntax according to `man pam_faillock`
  • read permission for the mysql OS user on /etc/shadow
  • write permission for the mysql OS user on /var/run/faillock or the alternative folder configured in the PAM module
  • monitor the content of /var/run/faillock (or the other configured folder) - it should change when denial is configured properly
  • I did disable SELinux in the VM to make it work

Use the Dockerfile and scripts from https://github.com/AndriiNikitin/bugs/tree/master/MDEV-13769 to see a demonstration in Docker:

$ bash run.sh 
Sending build context to Docker daemon   5.12kB
Step 1/6 : FROM centos:7
 ---> a8493f5f50ff
Step 2/6 : ENV VER 10.2
 ---> Using cache
 ---> c57d48d12655
Step 3/6 : RUN yum install -y m4 git &&   git clone http://github.com/AndriiNikitin/mariadb-environs &&   cd mariadb-environs &&   ./replant.sh m0-system &&   m0-system/install.sh $VER
 ---> Using cache
 ---> af4ec2813db5
Step 4/6 : RUN useradd a &&   echo "a:1"|chpasswd
 ---> Running in 67fa16990f6f
 ---> 10d2695ba66e
Removing intermediate container 67fa16990f6f
Step 5/6 : RUN chmod +r /etc/shadow &&   mkdir /faillock &&   chown mysql:mysql /faillock &&   echo "auth     requisite      pam_faillock.so preauth silent even_deny_root unlock_time=60 dir=/faillock" > /etc/pam.d/mtest &&   echo "auth     sufficient     pam_unix.so" >> /etc/pam.d/mtest &&   echo "auth     [default=die]  pam_faillock.so authfail even_deny_root unlock_time=60 dir=/faillock" >> /etc/pam.d/mtest &&   echo "auth     required       pam_deny.so" >> /etc/pam.d/mtest &&   echo "account  required       pam_faillock.so dir=/faillock" >> /etc/pam.d/mtest &&   echo "account  required       pam_unix.so" >> /etc/pam.d/mtest
 ---> Running in 28e927302608
 ---> aef61dcd9d2a
Removing intermediate container 28e927302608
Step 6/6 : ENTRYPOINT bash
 ---> Running in 6a568a02dbc2
 ---> 74a0cf856cea
Removing intermediate container 6a568a02dbc2
Successfully built 74a0cf856cea
Successfully tagged mdev-13769:latest
170920 14:06:42 mysqld_safe Logging to '/var/lib/mysql/4088235ccebc.err'.
170920 14:06:42 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
2017-09-20 14:06:52
ERROR 1045 (28000): Access denied for user 'a'@'localhost' (using password: NO)
^ Successfully denied wrong password
2017-09-20 14:06:54
^ Correct password still works
ERROR 1045 (28000): Access denied for user 'a'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'a'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'a'@'localhost' (using password: NO)
^ Successfully denied wrong password 3 times
ERROR 1045 (28000): Access denied for user 'a'@'localhost' (using password: NO)
^ Now correct password is denied as well
2017-09-20 14:08:03
^ Accound is unlocked again
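As an added example (not part of the ticket or of the MariaDB project), a small Python linter that checks a PAM stack against the layout `man pam_faillock` prescribes: a `preauth` entry before the password module, an `authfail` entry after it, and an `account` entry. Run against the two stacks quoted on this page (embedded below as constructed input), it flags the reporter's single `auth` line, which names no phase, and passes the `mtest` stack from the Dockerfile; the permission and SELinux points from the checklist still have to be verified on the host.

```python
import re
# Constructed from the ticket: the reporter's /etc/pam.d/mariadb, then the Dockerfile's /etc/pam.d/mtest
REPORTER_STACK = """\
auth required pam_faillock.so deny=3 unlock_time=60
auth required pam_unix.so
account required pam_faillock.so
account required pam_unix.so
"""
WORKING_STACK = """\
auth     requisite      pam_faillock.so preauth silent even_deny_root unlock_time=60 dir=/faillock
auth     sufficient     pam_unix.so
auth     [default=die]  pam_faillock.so authfail even_deny_root unlock_time=60 dir=/faillock
auth     required       pam_deny.so
account  required       pam_faillock.so dir=/faillock
account  required       pam_unix.so
"""
LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_stack(text):
    """Return (type, control, module, args) per non-comment line; control may be bracketed, e.g. [default=die]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError("unparseable PAM line: %r" % line)
        entries.append(m.groups()[:3] + (m.group(4).split(),))
    return entries

def lint_faillock(text):
    """Return the problems found; an empty list means the stack is complete."""
    entries = parse_stack(text)
    problems, pos = [], {}  # pos: first index of the preauth / pam_unix / authfail entries
    for i, (typ, _ctl, module, args) in enumerate(entries):
        if typ == "auth" and module == "pam_unix.so":
            pos.setdefault("unix", i)
        elif typ == "auth" and module == "pam_faillock.so":
            phase = {"preauth", "authfail", "authsucc"} & set(args)
            if not phase:  # man pam_faillock: every auth entry must name the phase it handles
                problems.append("auth line %d lacks preauth/authfail/authsucc" % (i + 1))
            pos.update({p: i for p in phase if p not in pos})
    for phase in ("preauth", "authfail"):
        if phase not in pos:
            problems.append("no 'auth ... pam_faillock.so %s' entry" % phase)
    if {"preauth", "unix", "authfail"} <= set(pos) and not pos["preauth"] < pos["unix"] < pos["authfail"]:
        problems.append("preauth must precede pam_unix.so and authfail must follow it")
    if not any(t == "account" and m == "pam_faillock.so" for t, _c, m, _a in entries):
        problems.append("no 'account required pam_faillock.so' entry")
    return problems
```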
