[MDEV-19876] pam v2: auth_pam_tool_dir and auth_pam_tool permissions are wrong in RPMs Created: 2019-06-26  Updated: 2022-02-15  Resolved: 2019-07-24

Status: Closed
Project: MariaDB Server
Component/s: Packaging, Plugin - pam
Affects Version/s: 10.4.6
Fix Version/s: 10.4.7

Type: Bug Priority: Critical
Reporter: Geoff Montee (Inactive) Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Blocks
Problem/Incident
causes MDEV-20205 mysql_install_db shouldn't execute chown Closed
is caused by MDEV-7032 new pam plugin with a suid wrapper Closed
is caused by MDEV-15473 Isolate/sandbox PAM modules, so that ... Closed
Relates
relates to MDEV-19850 per-plugin install/uninstall scriptlets Stalled
relates to MDEV-19877 pam v2: auth_pam_tool input format is... Open
relates to MDEV-19878 pam v2: pam password authentication d... Closed
relates to MDEV-19879 server can send empty error message t... Closed
relates to MDEV-19880 pam v1: pam password authentication d... Closed
relates to MDEV-19881 pam plugin from MariaDB 10.3 doesn't ... Open
relates to MDEV-19807 MariaDB client plugin path is wrong Closed
relates to MDEV-19882 pam v2: auth_pam_tool truncates passw... Closed
relates to MDEV-19898 PAM plugin testing Stalled
relates to MDEV-22459 pam v2 should log an error if auth_pa... Closed
relates to MDEV-22482 pam v2: mysql_upgrade doesn't fix the... Open

Description

The permissions of auth_pam_tool_dir and auth_pam_tool are wrong in MariaDB 10.4. These are used by version 2 of the pam plugin.

If you run mysqld with strace, then you can see the failure. For example, start mysqld:

mkdir strace
sudo strace -o ./strace/mysqld_strace.log -ff /usr/sbin/mysqld --user=mysql --datadir=/var/lib/mysql &

And then try to authenticate as an account that uses pam v2 (while using the workaround for MDEV-19807):

$ mysql -u alice --plugin-dir=/usr/lib64/mysql/plugin
ERROR 1045 (28000): Access denied for user 'alice'@'localhost' (using password: NO)

The strace output shows why this failed:

./strace/mysqld_strace.log.4451:execve("/usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool", ["/usr/lib64/mysql/plugin/auth_pam"...], [/* 17 vars */]) = -1 EACCES (Permission denied)

The problem seems to be with the permissions of the /usr/lib64/mysql/plugin/auth_pam_tool_dir/ directory:

$ sudo ls -ld /usr/lib64/mysql/plugin/auth_pam_tool_dir/
drwx------. 2 root root 27 Jun 22 02:43 /usr/lib64/mysql/plugin/auth_pam_tool_dir/

You can work around this by executing the following:

sudo chmod 0755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/

It looks like permissions of auth_pam_tool are also wrong:

$ sudo ls -l /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
-rwxr-xr-x. 1 root root 11248 Jun 17 23:57 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool

To work around this, you need to add the setuid bit:

sudo chmod 4755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
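A small audit helper, added here and not part of this issue or of MariaDB's own scripts, that classifies `ls -l` / `rpm -qplv` style lines for the two files and states why mysqld's execve() of the wrapper would fail. It assumes the server runs as the `mysql` user (`SERVER_USER`) and, going beyond the description, also accepts a 0700 directory owned by that user, since the server can traverse it.

```shell
# Added example (not from the issue or MariaDB's scripts): audit the state of
# auth_pam_tool_dir / auth_pam_tool from "ls -l" or "rpm -qplv" style lines.
# Assumes mysqld runs as $SERVER_USER.
SERVER_USER=${SERVER_USER:-mysql}

# Owner/group/other execute bits are characters 4, 7 and 10 of the mode field.
mode_char() { printf '%s' "$1" | cut -c"$2"; }

# audit_pam_tool MODE OWNER -> "ok", or why the setuid wrapper cannot work.
# A setuid executable shows 's' in the owner-execute slot (04755 -> -rwsr-xr-x).
audit_pam_tool() {
    mode=$1 owner=$2
    case $mode in
        -rws*) ;;
        -rwx*) echo "not setuid: chmod 04755 needed"; return 1 ;;
        *)     echo "unexpected mode $mode"; return 1 ;;
    esac
    [ "$owner" = root ] || { echo "owned by $owner, must be root"; return 1; }
    echo ok
}
# audit_pam_dir MODE OWNER -> "ok" if $SERVER_USER can traverse the directory:
# drwx------ root (the RPM state) fails, the same mode owned by mysql passes.
audit_pam_dir() {
    mode=$1 owner=$2
    case $mode in d*) ;; *) echo "not a directory"; return 1 ;; esac
    if [ "$owner" = "$SERVER_USER" ] && [ "$(mode_char "$mode" 4)" = x ]; then
        echo ok
    elif [ "$(mode_char "$mode" 10)" = x ]; then
        echo ok
    else
        echo "mode $mode owned by $owner: $SERVER_USER gets EACCES on execve"
        return 1
    fi
}
# audit_line "<ls -l / rpm -qplv line>" -> dispatches on the path's basename.
audit_line() {
    set -- $1
    mode=$1 owner=$3 path=${9%/}
    case $path in
        */auth_pam_tool_dir)               audit_pam_dir  "$mode" "$owner" ;;
        */auth_pam_tool_dir/auth_pam_tool) audit_pam_tool "$mode" "$owner" ;;
        *) echo skip ;;
    esac
}

# Lines copied from the rpm -qplv output quoted in this issue.
RPM_DIR='drwx------    2 root    root                        0 Jul  8 13:32 /usr/lib64/mysql/plugin/auth_pam_tool_dir'
RPM_TOOL='-rwxr-xr-x    1 root    root                    11248 Jul  8 13:34 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool'
for l in "$RPM_DIR" "$RPM_TOOL"; do audit_line "$l" || :; done
```

Run it against `ls -l` output of the installed files, or against `rpm -qplv` of a server RPM before installing it, to see whether the package itself carries the wrong state.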



Comments
Comment by Geoff Montee (Inactive) [ 2019-07-09 ]

I tested out the fix for this using tarbuildnum #27339 from hasky for RHEL 7:

http://buildbot.askmonty.org/buildbot/builders/kvm-rpm-centos74-amd64/builds/8839

http://hasky.askmonty.org/archive/10.4/build-27339/kvm-rpm-centos74-amd64/rpms/

This issue is not fixed.

The associated commits added some code to mysql_install_db, so that mysql_install_db will chown/chmod auth_pam_tool_dir and auth_pam_tool, so that the directory and executable have the correct owner and permissions.

But there is a problem with this fix. This fix still leads to failures when:

1.) Upgrading an existing installation. In this case, 10.4's mysql_install_db is never executed to begin with, so the owner and permissions will never be changed.

2.) Upgrading from one 10.4 release to another 10.4 release using RPMs. In this case, the existing auth_pam_tool_dir and auth_pam_tool will be replaced by the contents of the new RPM, so the chown/chmod that was previously done by mysql_install_db will be undone.

The root cause of the problem is that these files do not have the correct owner and privileges in the RPM itself. See here:

$ sudo rpm -qplv MariaDB-server-10.4.7-1.el7.centos.x86_64.rpm | grep auth_pam
-rwxr-xr-x    1 root    root                    11672 Jul  8 13:34 /usr/lib64/mysql/plugin/auth_pam.so
drwx------    2 root    root                        0 Jul  8 13:32 /usr/lib64/mysql/plugin/auth_pam_tool_dir
-rwxr-xr-x    1 root    root                    11248 Jul  8 13:34 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
-rwxr-xr-x    1 root    root                    11664 Jul  8 13:34 /usr/lib64/mysql/plugin/auth_pam_v1.so

This issue will not be fixed until the files have the proper owner and permissions in the RPM. Otherwise, any owner and privileges changes will just be undone anytime the server RPM is upgraded, and the files are replaced.

If we can't figure out how to fix the owner and permissions in the RPM itself, then we may also be able to fix them in the RPM's postin script:

https://github.com/MariaDB/server/blob/mariadb-10.4.6/support-files/rpm/server-postin.sh

Comment by Sergei Golubchik [ 2019-07-09 ]

This seems to be version-specific.

In centos7 auth_pam_tool is indeed not suid root in the rpm, in centos6, rhel6, fedoras, suse — everywhere else it is suid inside the rpm

Comment by Sergei Golubchik [ 2019-07-10 ]

It's a bug in rpm-build. In particular, see https://github.com/rpm-software-management/rpm/blob/rpm-4.16.1.3/tools/sepdebugcrcfix.c#L360

This line is there at least as of version 4.12.90.

CentOS7 (even after yum upgrade rpm-build) has 4.11.3-35, which does not have that line.

I suppose our only option for now is to fix privileges in a postin scriptlet.

Comment by pgnd [ 2021-04-24 ]

serg GeoffMontee

has this been fixed/resolved for general use in downstream packaging?

I'm seeing the following with 10.5.9 rpm pkgs on Fedora 33; unclear whether this is (still) an MDB issue, or simply packaging.

[EDIT: It appears to be an issue @RH, and I suspect therefore @Fedora.

Bug 1936842 - mariadb:10.5/mariadb: Review permissions of auth_pam_tool and auth_pam_tool_dir
https://bugzilla.redhat.com/show_bug.cgi?id=1936842
]

on a clean install of

	grep PRETTY /etc/os-release
		PRETTY_NAME="Fedora 33 (Thirty Three)"

distro-pkg installed

	mysqld --version
		mysqld  Ver 10.5.9-MariaDB for Linux on x86_64 (MariaDB Server)

clean installing

	rm -rf /home/dev/data/mariadb
	/usr/bin/mysql_install_db \
	--user=mysql \
	--defaults-file=/usr/local/etc/mariadb/my.cnf \
	--auth-root-authentication-method=socket \
	--datadir=/home/dev/data/mariadb \
	--skip-test-db

reports

	chown: cannot access '/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool': No such file or directory
	Couldn't set an owner to '/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool'.
	It must be root, the PAM authentication plugin doesn't work otherwise..
 
	Installing MariaDB/MySQL system tables in '/home/dev/data/mariadb' ...
	OK
	...

referencing

MDEV-19876
https://seclists.org/oss-sec/2020/q1/57

checking

	ls -ald /usr/lib64/mariadb/plugin/auth_pam_tool_dir
		drwx------ 2 mysql mysql 4.0K Apr 24 19:01 /usr/lib64/mariadb/plugin/auth_pam_tool_dir/

exec'ing, per above (MDEV-19876)

	systemctl stop mariadb
	chmod 0755 /usr/lib64/mariadb/plugin/auth_pam_tool_dir/

but

	ls -al /usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool
		ls: cannot access '/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool': No such file or directory

so, of course,

	chmod 4755 /usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool
		chmod: cannot access '/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool': No such file or directory

with just the available change, simply repeating the install

	rm -rf /home/dev/data/mariadb
	/usr/bin/mysql_install_db \
	--user=mysql \
	--defaults-file=/usr/local/etc/mariadb/my.cnf \
	--auth-root-authentication-method=socket \
	--datadir=/home/dev/data/mariadb \
	--skip-test-db

still reports

	chown: cannot access '/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool': No such file or directory
	Couldn't set an owner to '/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool'.
	It must be root, the PAM authentication plugin doesn't work otherwise..
 
	Installing MariaDB/MySQL system tables in '/home/dev/data/mariadb' ...
	OK
	...

Comment by Luke (Inactive) [ 2022-02-15 ]

pgnd, I checked MariaDB Enterprise version 10.5.9 and 10.7.3 community from the repo for centos7.

I believe you're getting those errors because the directories are:
/usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool

not

/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool
