[#MXS-3753] Add option to run PAM authentication in a suid sanbox

[MXS-3753] Add option to run PAM authentication in a suid sanbox Created: 2021-09-01 Updated: 2023-09-19 Resolved: 2023-09-19
Status:	Closed
Project:	MariaDB MaxScale
Component/s:	PAM-Authenticator
Affects Version/s:	2.5.15, 6.1.1
Fix Version/s:	23.08.1

Type:

New Feature

Priority:

Major

Reporter:

Hartmut Holzgraefe

Assignee:

Esa Korhonen

Resolution:

Fixed

Votes:

Labels:

None

Issue Links:

Relates
relates to	~~MDEV-7032~~	new pam plugin with a suid wrapper	Closed
relates to	~~MDEV-15473~~	Isolate/sandbox PAM modules, so that ...	Closed

Sprint:

MXS-SPRINT-185, MXS-SPRINT-186, MXS-SPRINT-187, MXS-SPRINT-188, MXS-SPRINT-189, MXS-SPRINT-190

Description

Since MariaDB 10.4 PAM authentication is not handled by the MariaDB server process itself, but by separate sandbox processes running using suid privilege raising.

This has two advantages:

potential crashes inside one of the pam_... shared libraries only bring down the sandbox process and not the actual server (~~MDEV-15473~~)

no permission changes of files like /etc/shadow (has to be readable when using pam_unix.so) are needed, and neither does the server process itself have to run as root (~~MDEV-7032~~)

It would be a good thing to have the same for the PAM implementation on the maxscale side, too.

Generated at Thu Feb 08 04:23:42 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MXS-3753] Add option to run PAM authentication in a suid sanbox Created: 2021-09-01 Updated: 2023-09-19 Resolved: 2023-09-19