[MDEV-15473] Isolate/sandbox PAM modules, so that they can't crash the server
Created: 2018-03-05  Updated: 2021-09-01  Resolved: 2018-07-14

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Plugin - pam
Fix Version/s: 10.4.0

Type: Task
Priority: Critical
Reporter: Geoff Montee (Inactive)
Assignee: Alexey Botchkov
Resolution: Fixed
Votes: 5
Labels: None

Issue Links:
Blocks
is blocked by MDEV-7032 new pam plugin with a suid wrapper Closed
Problem/Incident
causes MDEV-19876 pam v2: auth_pam_tool_dir and auth_pa... Closed
causes MDEV-19877 pam v2: auth_pam_tool input format is... Open
causes MDEV-19878 pam v2: pam password authentication d... Closed
causes MDEV-19880 pam v1: pam password authentication d... Closed
causes MDEV-19881 pam plugin from MariaDB 10.3 doesn't ... Open
causes MDEV-19882 pam v2: auth_pam_tool truncates passw... Closed
causes MDEV-21385 PAM v2 plugin produces lots of zombie... Closed
causes MDEV-22459 pam v2 should log an error if auth_pa... Closed
causes MDEV-22482 pam v2: mysql_upgrade doesn't fix the... Open
causes MXS-2633 Pam authentication doesn't work with ... Closed
Relates
relates to MDEV-16813 Document PAM updates Open
relates to MDEV-18311 Change default PAM service name to ma... Open
relates to MXS-3753 Add option to run PAM authentication ... Closed
relates to MDEV-10361 auth_pam + RSA SecurID PAM module + S... Closed
Sprint: 10.4.0-1

 Description   

Buggy PAM modules can currently crash the server. See MDEV-10361 for example. Should auth_pam isolate PAM modules somehow to prevent problems like this from taking down the whole server? Is it feasible for auth_pam to use sandboxes for PAM modules, or would that cripple performance and slow down authentication too much?



 Comments   
Comment by Ralf Gebhardt [ 2018-03-28 ]

serg If I understand this correctly, the server is crashing. From my point of view this should be a bug, do you agree?

Comment by Sergei Golubchik [ 2018-03-28 ]

No, this is not a bug. Everything works as designed. By design, a plugin is executed in the server address space, in the server process. So if the plugin crashes, it is expected that it will take the whole server with it.

It is possible, of course, to redesign the plugin architecture and execute plugins in a sandbox. But this will be by no means a bug fix.

Comment by Ralf Gebhardt [ 2018-04-09 ]

By getting MDEV-7032 done, the Server should not crash in these cases anymore.

Comment by Alexey Botchkov [ 2018-06-04 ]

http://lists.askmonty.org/pipermail/commits/2018-June/012595.html

Short description -
Structurally I added the auth_pam_safe.so and auth_pam_tool modules.
The 'so' provides the same interface as the auth_pam.so, just is crash-safe. The auth_pam_tool is the 'sandbox' application that does the PAM calls.
Part of the auth_pam.c was moved to the auth_pam_base.c to be included into auth_pam.c and auth_pam_tool.c.

I didn't add tests here intentionally - would like to agree the overall design first.
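
Added example, not part of the ticket and not MariaDB's auth_pam_tool code: the isolation idea discussed above, where the risky module call runs in a separate helper process and the parent treats a helper crash as a failed authentication instead of crashing itself. The module functions, the return codes and the use of fork() without exec (the ticket's auth_pam_tool is a separate application) are assumptions of this example.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { AUTH_HELPER_FAILED = -1, AUTH_DENIED = 0, AUTH_OK = 1 };

/* Hypothetical stand-ins for PAM modules, constructed for this example. */
static int good_module(const char *pw) { return strcmp(pw, "s3cret") == 0; }
static int buggy_module(const char *pw) { (void)pw; raise(SIGSEGV); return 1; }

/* Run module(pw) in a forked helper; the verdict comes back over a pipe. */
static int isolated_auth(int (*module)(const char *), const char *pw)
{
    int fds[2], status = 0;
    unsigned char verdict = 0;
    pid_t pid, reaped;
    ssize_t n;

    if (pipe(fds) != 0)
        return AUTH_HELPER_FAILED;
    if ((pid = fork()) < 0) {
        close(fds[0]); close(fds[1]);
        return AUTH_HELPER_FAILED;
    }
    if (pid == 0) {                 /* helper: the only place the module runs */
        close(fds[0]);
        verdict = module(pw) ? 1 : 0;
        _exit(write(fds[1], &verdict, 1) == 1 ? 0 : 2);
    }
    close(fds[1]);                  /* parent keeps only the read end */
    n = read(fds[0], &verdict, 1);  /* returns 0 (EOF) if the helper died */
    close(fds[0]);
    do {                            /* always reap, or the helper stays a zombie */
        reaped = waitpid(pid, &status, 0);
    } while (reaped < 0 && errno == EINTR);
    /* Fail closed: require a clean exit and an explicit verdict byte. */
    if (reaped != pid || !WIFEXITED(status) || WEXITSTATUS(status) != 0 || n != 1)
        return AUTH_HELPER_FAILED;
    return verdict == 1 ? AUTH_OK : AUTH_DENIED;
}

int main(void)
{
    printf("good=%d bad=%d crash=%d\n", isolated_auth(good_module, "s3cret"),
           isolated_auth(good_module, "wrong"), isolated_auth(buggy_module, "x"));
    return 0;
}
```

The parent survives the helper's SIGSEGV and reports it as a failure distinct from a wrong password, so the caller can log it separately.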

Comment by Alexey Botchkov [ 2018-07-01 ]

http://lists.askmonty.org/pipermail/commits/2018-July/012669.html

Comment by Alexey Botchkov [ 2018-07-03 ]

Final patch.
http://lists.askmonty.org/pipermail/commits/2018-July/012672.html

Comment by Sergei Golubchik [ 2018-07-03 ]

still need to check that filesystem permissions on the new directory are set correctly

and minor cleanup in tests.

Comment by Alexey Botchkov [ 2018-07-05 ]

http://lists.askmonty.org/pipermail/commits/2018-July/012680.html

Comment by Alexey Botchkov [ 2018-07-09 ]

http://lists.askmonty.org/pipermail/commits/2018-July/012691.html

Comment by Alexey Botchkov [ 2018-07-09 ]

http://lists.askmonty.org/pipermail/commits/2018-July/012692.html

Comment by Alexey Botchkov [ 2018-07-14 ]

http://lists.askmonty.org/pipermail/commits/2018-July/012698.html
