[MDEV-26380] auth_pam_tool has incorrect permissions on CentOS 7 Created: 2021-08-16  Updated: 2022-01-03  Resolved: 2021-08-25

Status: Closed
Project: MariaDB Server
Component/s: Packaging, Platform RedHat, Plugin - pam
Affects Version/s: 10.5, 10.6
Fix Version/s: 10.4.22, 10.5.13, 10.6.5

Type: Bug Priority: Critical
Reporter: Sergei Golubchik Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Problem/Incident
causes MDEV-26487 cpack rpm failed to build packages wi... Closed

Description

auth_pam_tool should be suid user, 4777.

Since 9d18b624675 this is done by packaging auth_pam_tool already with correct permissions into the rpm.

For example,

$ rpm -qvlp MariaDB-server-10.5.10-1.el8.x86_64.rpm|grep -w auth_pam_tool
...
-rwsr-xr-x 1 root root  12480 May 6 10:29 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool

same for Fedoras.

But on CentOS 7 it shows rwxr-xr-x. Supposedly rpmbuild strips the SUID bit before packaging the file.
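A quick way to audit a built package for this regression, as an added example that is not MariaDB's own packaging code: it parses an `rpm -qvlp` listing like the one above (the two sample lines are constructed from the modes reported in this issue) and flags an auth_pam_tool that is not setuid root. `symbolic_to_mode`, `audit_rpm_listing` and `audit_installed` are names chosen here, not anything from the MariaDB tree.

```python
import os
import stat

# Constructed sample of `rpm -qvlp <rpm> | grep -w auth_pam_tool` output. Line 1
# mirrors the correct el8 package, line 2 the mode the broken CentOS 7 package showed.
SAMPLE_RPM_LISTING = """\
-rwsr-xr-x    1 root    root        12480 May  6 10:29 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
-rwxr-xr-x    1 root    root        12480 Aug 25 10:11 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
"""

EXPECTED_MODE = 0o4755          # rwsr-xr-x: setuid root, as packaged since 9d18b624675
TOOL_SUFFIX = "auth_pam_tool_dir/auth_pam_tool"

# Bit for each position of the 9-char rwxrwxrwx field; s/S and t/T add the special bits.
_PERM_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
              stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
              stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def symbolic_to_mode(perm: str) -> int:
    """Convert a 10-char ls/rpm permission string such as '-rwsr-xr-x' to a numeric mode."""
    if len(perm) != 10:
        raise ValueError(f"bad permission string: {perm!r}")
    mode = 0
    for i, ch in enumerate(perm[1:]):
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= _PERM_BITS[i]
        elif ch in "sStT" and i in _SPECIAL:
            mode |= _SPECIAL[i]
            if ch.islower():            # lowercase means the execute bit is set as well
                mode |= _PERM_BITS[i]
    return mode

def audit_rpm_listing(listing: str) -> list:
    """Return (owner, mode, ok) for every auth_pam_tool entry in an rpm -qvlp listing."""
    results = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[-1].endswith(TOOL_SUFFIX):
            continue
        owner, mode = fields[2], symbolic_to_mode(fields[0])
        results.append((owner, mode, owner == "root" and mode == EXPECTED_MODE))
    return results

def audit_installed(path: str) -> bool:
    """Same check against an installed file, using the mode bits the kernel enforces."""
    st = os.stat(path)
    return st.st_uid == 0 and stat.S_IMODE(st.st_mode) == EXPECTED_MODE
```

Running `audit_rpm_listing` over a real listing before a release catches exactly the rwxr-xr-x case this issue reports.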

Comments
Comment by Alexey Bychko (Inactive) [ 2021-08-18 ]

cmake 2.8.12.2 (Centos-7 native) works OK.
cmake 3.14 and 3.15 removed suid bit during test build.

Need to check whether versioned conditions like RPM-DEFAULT are the root cause or not.

Comment by Alexey Bychko (Inactive) [ 2021-08-18 ]

serg compiled the server with cmake 3.14.0 and the suid bit is there.

Comment by Alexey Bychko (Inactive) [ 2021-08-19 ]

Fixed by splitting the INSTALL(CODE "EXECUTE_PROCESS...") call into two separate calls, to set the directory and auth_pam_tool permissions separately.
According to the EXECUTE_PROCESS doc, two consecutive commands will not be executed one by one; instead the stdout of the first command will be piped to the stdin of the second one.

Comment by Sergei Golubchik [ 2021-08-20 ]

Unfortunately, it didn't help. Download, for example, http://hasky.askmonty.org/archive/10.5/build-42089/kvm-rpm-centos74-amd64/rpms/MariaDB-server-10.5.13-1.el7.centos.x86_64.rpm and see yourself

Comment by Daniel Bartholomew [ 2021-08-20 ]

abychko I've added an abychko user to the aidi.askmonty.org server. You can log in using one of the same ssh keys you have configured on github.

Comment by Alexey Bychko (Inactive) [ 2021-08-23 ]

Reproduced on the BB build image.

Comment by Daniel Bartholomew [ 2021-08-23 ]

I've freed up some space on the host.

Comment by Alexey Bychko (Inactive) [ 2021-08-25 ]

Reproduced on the centos74-amd64-build image.
Actually, the code running chmod on auth_pam_tool is executed properly:

CPack: -   Install component: Server
mode of ‘auth_pam_tool_dir’ changed from 0775 (rwxrwxr-x) to 0700 (rwx------)
mode of ‘auth_pam_tool_dir/auth_pam_tool’ changed from 0755 (rwxr-xr-x) to 4755 (rwsr-xr-x)

It looks like the suid bit disappears during debuginfo pkg creation. If CPACK_RPM_DEBUGINFO_PACKAGE is OFF, the suid bit is preserved in the RPM.

Looking for a good solution.

Comment by Alexey Bychko (Inactive) [ 2021-08-25 ]

Tested it on different Centos versions, from 7.4 to 7.9 (latest). The result is the same: the suid bit is lost if debuginfo is enabled.
The simplest way to solve it is to add a chmod call to the %post.
serg, does it look reasonable?

Comment by Sergei Golubchik [ 2021-08-25 ]

Not really. That's what we did before, it was reworked in 9d18b62467 for security reasons.

What's so special in CentOS7, why would it strip suid bit?

Comment by Alexey Bychko (Inactive) [ 2021-08-25 ]

The kernel drops the suid bit on file modification.

[buildbot@centos74-amd64 auth_pam_tool_dir]$ ll
-rwsr-xr-x. 1 buildbot buildbot 11264 Aug 25 10:11 auth_pam_tool
[buildbot@centos74-amd64 auth_pam_tool_dir]$ cp auth_pam_tool auth_pam_tool2
[buildbot@centos74-amd64 auth_pam_tool_dir]$ ll
-rwsr-xr-x. 1 buildbot buildbot 11264 Aug 25 10:11 auth_pam_tool
-rwxr-xr-x. 1 buildbot buildbot 11264 Aug 25 11:05 auth_pam_tool2 <<<<<<<<<<<<
