[MDEV-22482] pam v2: mysql_upgrade doesn't fix the ownership/privileges of auth_pam_tool
Created: 2020-05-06
Updated: 2021-01-09

Status: Open
Project: MariaDB Server
Component/s: Plugin - pam, Upgrades
Affects Version/s: 10.4.12, 10.5.2
Fix Version/s: 10.4, 10.5

Type: Bug
Priority: Minor
Reporter: Geoff Montee (Inactive)
Assignee: Sergei Golubchik
Resolution: Unresolved
Votes: 0
Labels: None

Issue Links:
Problem/Incident
is caused by MDEV-7032 new pam plugin with a suid wrapper Closed
is caused by MDEV-15473 Isolate/sandbox PAM modules, so that ... Closed
Relates
relates to MDEV-19850 per-plugin install/uninstall scriptlets Stalled
relates to MDEV-19876 pam v2: auth_pam_tool_dir and auth_pa... Closed
relates to MDEV-20205 mysql_install_db shouldn't execute chown Closed
relates to MDEV-22459 pam v2 should log an error if auth_pa... Closed

 Description   

As part of MDEV-19876, some code was added to mysql_install_db that fixes the ownership and privileges of auth_pam_tool:

https://github.com/mariadb/server/commit/11f3e2366282eb8cf1cb0062793d102067db6472

Now, we have code that fixes the ownership and privileges of auth_pam_tool in the following cases:

  • If the MariaDB-server RPM is installed by the root user, then it will properly set the ownership and privileges of the auth_pam_tool binary.
  • If the mariadb-server DEB is installed by the root user, then it will properly set the ownership and privileges of the auth_pam_tool binary.
  • If mysql_install_db is run by the root user, then it will properly set the ownership and privileges of the auth_pam_tool binary.

This still leaves a big gap, because:

  • If someone is using a binary tarball installation, then the RPM and DEB improvements won't help them.
  • If someone is performing an upgrade, rather than a fresh install, then the mysql_install_db improvements won't help them.

It seems as though mysql_upgrade should also try to fix the ownership and privileges of auth_pam_tool, so that these cases are also covered.



 Comments   
Comment by Sergei Golubchik [ 2021-01-09 ]

Normally mysql_upgrade doesn't have to be run as root, so it won't be able to fix permissions.
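
An unprivileged audit for the gap discussed in this ticket (added example, not part of the ticket or of MariaDB's code): it only reports whether the files are in the expected state after a tarball install or an upgrade, since repairing them needs root. The expected owner and modes (a root-owned setuid 4755 wrapper inside a 0700 directory owned by the server account), the function names and the plugin directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: report (not repair) auth_pam_tool ownership and mode.
# Assumed expected state: auth_pam_tool_dir is mode 0700 and owned by the
# server account; auth_pam_tool inside it is owned by uid 0 with mode 4755.
# Uses GNU coreutils stat (-c).

# Normalise an octal mode string so 04755 and 4755 compare equal.
norm_mode() { printf '%s' "$1" | sed 's/^0*//'; }

# Check the setuid wrapper's metadata: numeric uid and octal mode.
check_tool_meta() {
    uid=$1; mode=$(norm_mode "$2")
    [ "$uid" = "0" ] || { echo "tool uid is $uid, expected 0"; return 1; }
    [ "$mode" = "4755" ] || { echo "tool mode is ${mode:-0}, expected 4755"; return 1; }
}

# Check the containing directory: owner name, octal mode, expected owner.
check_dir_meta() {
    owner=$1; mode=$(norm_mode "$2"); want=$3
    [ "$owner" = "$want" ] || { echo "dir owner is $owner, expected $want"; return 1; }
    [ "$mode" = "700" ] || { echo "dir mode is ${mode:-0}, expected 700"; return 1; }
}

# audit_pam_tool PLUGIN_DIR [SERVER_USER]
# Returns 0 if everything matches, 1 on a mismatch, 2 if it cannot inspect.
audit_pam_tool() {
    dir="$1/auth_pam_tool_dir"; user=${2:-mysql}; rc=0
    tool="$dir/auth_pam_tool"
    [ -d "$dir" ] || { echo "$dir: not found"; return 2; }
    check_dir_meta "$(stat -c %U "$dir")" "$(stat -c %a "$dir")" "$user" || rc=1
    # A correct 0700 directory hides the wrapper from other accounts, so a
    # failed stat means "missing, or rerun as $user or root", not "wrong".
    meta=$(stat -c '%u %a' "$tool" 2>/dev/null) || {
        echo "$tool: cannot stat (missing, or rerun as $user or root)"; return 2; }
    check_tool_meta ${meta% *} ${meta#* } || rc=1
    return $rc
}

# Run only when a plugin directory is given on the command line.
if [ $# -gt 0 ]; then audit_pam_tool "$@"; fi
```

Run it as the server account or root so the wrapper inside the 0700 directory can be inspected; a non-zero exit status makes it usable as a post-upgrade check.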
