[MDEV-30904] "rpm --setugids" breaks PAM authentication Created: 2023-03-22  Updated: 2023-09-07  Resolved: 2023-09-07

Status: Closed
Project: MariaDB Server
Component/s: Plugin - pam
Affects Version/s: 10.5.18, 10.9.4, 10.11.2, 11.0.1, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.10.3
Fix Version/s: 10.4.32, 10.5.23, 10.6.16, 10.10.7, 10.11.6, 11.0.4, 11.1.3

Type: Bug Priority: Critical
Reporter: Hartmut Holzgraefe Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None


 Description   

Our MariaDB-server RPM creates auth_pam_tool_dir with owner root, and only later in the post install hook script change the ownership to the mysql system user.

When running

rpm --setguids MariaDB-server

the directory owner is reset from "mysql" to "root", and with that and the "owner only" permissions of that directory, the auth_pam_tool utility contained by it can no longer be executed by the server, so breaking PAM authentication completely.

Looking at the plugin/auth_pam/CMakeLists.txt file I can see:

   SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
 
        "%attr(700,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
 
        "%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")

So the directory permissions are set there, but not the owner. By changing this to

   SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
 
        "%attr(700,mysql,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
 
        "%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")

the explicit chmod in the post install hook script should no longer be needed, and "rpm -setugids" should keep the correct ownership intact.

 Comments   
Comment by Hartmut Holzgraefe [ 2023-03-27 ]

Affected versions determined by checking that respective versions support-files/rpm/server-postin.sh contains a chown for auth_pam_tool_dir

Comment by Sergei Golubchik [ 2023-06-27 ]

the commit that added chown to postin scriptlet, says

commit 9d18b624675
 
Author: Sergei Golubchik <serg@mariadb.org>
 
Date:   Wed Jan 15 18:08:02 2020 +0100
 
 
 
    rpm/deb and auth_pam_tool_dir/auth_pam_tool
 
    
    don't let mysql_install_db set SUID bit for auth_pam_tool in rpm/deb
 
    packages - instead package files with correct permissions and
 
    only fix the ownership of auth_pam_tool_dir (which can only be done
 
    after mysql user is created, so in post-install).

Is it wrong? Can you still use %attr(700,mysql,-) ?

Comment by Hartmut Holzgraefe [ 2023-06-29 ]

I thought I had that tested, but after double checking on a fresh Rocky8 VM with no "mysql" user in /etc/passwd yet I'm indeed still getting the "auth_pam_tool_dir" owned by "root", not "mysql". Running rpm --setugids MariaDB-server then fixes that. So my patch was active, but failed for not having the user added yet at the time this information is used during RPM install.

Looking at our sources I can see useradd mysql being done in the post install script, yet checking the Fedora guidelines this should happen in the pre install script instead, which would also solve our problem here:

https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Dynamic_allocation

Comment by Hartmut Holzgraefe [ 2023-06-29 ]

Looking at the debian side there we're indeed adding the "mysql" user in the pre inst hook already.

Comment by Sergei Golubchik [ 2023-08-13 ]

hholzgra, do you want to check the fix before it's pushed?
Take it from https://buildbot.mariadb.net/archive/pack/bb-10.4-all-builders/

Generated at Thu Feb 08 10:19:46 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.