[MDEV-22459] pam v2 should log an error if auth_pam_tool exec fails Created: 2020-05-04  Updated: 2020-08-25  Resolved: 2020-05-08

Status: Closed
Project: MariaDB Server
Component/s: Plugin - pam
Affects Version/s: 10.4.12, 10.5.2
Fix Version/s: 10.5.4, 10.4.14

Type: Bug Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Problem/Incident
is caused by MDEV-7032 new pam plugin with a suid wrapper Closed
is caused by MDEV-15473 Isolate/sandbox PAM modules, so that ... Closed
Relates
relates to MDEV-19876 pam v2: auth_pam_tool_dir and auth_pa... Closed
relates to MDEV-20205 mysql_install_db shouldn't execute chown Closed
relates to MDEV-22482 pam v2: mysql_upgrade doesn't fix the... Open

Description

Version 2 of the pam authentication plugin executes a tool called auth_pam_tool. This happens here:

    /* build "<plugin_dir>/<tool_name>" into toolpath */
    memcpy(toolpath, opt_plugin_dir, plugin_dir_len);
    if (plugin_dir_len && toolpath[plugin_dir_len-1] != FN_LIBCHAR)
      toolpath[plugin_dir_len++]= FN_LIBCHAR;
    memcpy(toolpath+plugin_dir_len, tool_name, tool_name_len+1);
 
    PAM_DEBUG((stderr, "PAM: execute pam sandbox [%s].\n", toolpath));
    (void) execl(toolpath, toolpath, NULL);
    /* only reached if execl() failed; the message below exists only in
       debug builds with pam_debug enabled, and it does not include errno */
    PAM_DEBUG((stderr, "PAM: exec() failed.\n"));
    exit(-1);

https://github.com/MariaDB/server/blob/mariadb-10.4.12/plugin/auth_pam/auth_pam.c#L85

Currently, if the execution of this tool fails, then nothing is logged.

If you are using a debug build of the plugin and if pam_debug is enabled, then you do get an error message, but it is still not optimal.

I think we need to make the following changes:

  • An error message should be printed in both release builds and debug builds.
  • The error message should not depend on pam_debug.
  • The error message should contain the errno and/or strerror(errno) for the specific error.
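As an added illustration (not code from the MariaDB plugin or the fix): a minimal fork/exec wrapper that builds the tool path the same way the snippet above does and, when execl() fails, reports the path and strerror(errno) unconditionally, i.e. in every build and without a pam_debug gate. FN_LIBCHAR is redefined locally and the directory and tool names used in the test are made up.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define FN_LIBCHAR '/'   /* local stand-in for the server's path separator macro */

/* Build "<plugin_dir>/<tool_name>" into buf, adding the separator only when
   plugin_dir does not already end with one. Returns 0, or -1 if it won't fit. */
static int build_tool_path(const char *plugin_dir, const char *tool_name,
                           char *buf, size_t buflen)
{
  size_t dir_len= strlen(plugin_dir), tool_len= strlen(tool_name);
  if (dir_len + 1 + tool_len + 1 > buflen)
    return -1;
  memcpy(buf, plugin_dir, dir_len);
  if (dir_len && buf[dir_len-1] != FN_LIBCHAR)
    buf[dir_len++]= FN_LIBCHAR;
  memcpy(buf+dir_len, tool_name, tool_len+1);
  return 0;
}

/* Fork and exec the tool. If execl() fails, the child reports the path and
   strerror(errno) on stderr regardless of build type or pam_debug, then
   exits 127. Returns the child's exit status, or -1 if the path does not
   fit, fork() fails, or the child did not exit normally. */
static int run_tool(const char *plugin_dir, const char *tool_name)
{
  char toolpath[4096];
  int status;
  pid_t pid;

  if (build_tool_path(plugin_dir, tool_name, toolpath, sizeof(toolpath)))
    return -1;
  if ((pid= fork()) < 0)
    return -1;
  if (pid == 0)
  {
    execl(toolpath, toolpath, (char *) NULL);
    int err= errno;  /* only reached when exec failed; save errno before any other call */
    fprintf(stderr, "PAM: exec of [%s] failed: %s (errno %d)\n",
            toolpath, strerror(err), err);
    _exit(127);
  }
  if (waitpid(pid, &status, 0) < 0)
    return -1;
  return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Running run_tool() against a directory that does not contain the tool prints one line naming the missing path and the reason (typically "No such file or directory") and returns a non-zero status to the caller.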
