revision-id: 25410d448d5cd5796852da106324309d169981c9 (mariadb-10.3.6-49-g25410d4) parent(s): 7fda6161bc9daafbe26fb3ce687b6411537d49f3 committer: Alexey Botchkov timestamp: 2018-07-14 23:06:49 +0400 message: MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server. mysql_install_db.sh script fixed. --- plugin/auth_pam/CMakeLists.txt | 7 ++++++- scripts/mysql_install_db.sh | 20 ++++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/plugin/auth_pam/CMakeLists.txt b/plugin/auth_pam/CMakeLists.txt index 4943d57..fbf0979 100644 --- a/plugin/auth_pam/CMakeLists.txt +++ b/plugin/auth_pam/CMakeLists.txt @@ -11,7 +11,12 @@ IF(HAVE_PAM_APPL_H) ADD_DEFINITIONS(-D_GNU_SOURCE) MYSQL_ADD_PLUGIN(auth_pam_v1 auth_pam_v1.c LINK_LIBRARIES pam MODULE_ONLY) MYSQL_ADD_PLUGIN(auth_pam auth_pam.c LINK_LIBRARIES pam dl MODULE_ONLY) - MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server) + MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server) TARGET_LINK_LIBRARIES(auth_pam_tool pam) + INSTALL(CODE "EXECUTE_PROCESS( + COMMAND chmod u=rwx,g=,o= auth_pam_tool_dir + COMMAND chmod u=rwxs,g=rx,o=rx auth_pam_tool_dir/auth_pam_tool + WORKING_DIRECTORY \$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${INSTALL_PLUGINDIR}/)" + COMPONENT Server) ENDIF(HAVE_PAM_APPL_H) diff --git a/scripts/mysql_install_db.sh b/scripts/mysql_install_db.sh index ad7c028..ea5507f 100644 --- a/scripts/mysql_install_db.sh +++ b/scripts/mysql_install_db.sh @@ -308,6 +308,7 @@ then srcpkgdatadir="$srcdir/scripts" buildpkgdatadir="$builddir/scripts" plugindir="$builddir/plugin/auth_socket" + pamtooldir="$builddir/plugin/auth_pam" elif test -n "$basedir" then bindir="$basedir/bin" # only used in the help text @@ -337,6 +338,7 @@ then exit 1 fi plugindir=`find_in_dirs --dir auth_socket.so $basedir/lib*/plugin $basedir/lib*/mysql/plugin` + pamtooldir=$plugindir else basedir="@prefix@" bindir="@bindir@" @@ -345,6 +347,7 @@ else srcpkgdatadir="@pkgdatadir@" buildpkgdatadir="@pkgdatadir@" plugindir="@pkgplugindir@" + pamtooldir="@pkgplugindir@" fi # Set up paths to SQL scripts required for bootstrap @@ -445,6 +448,23 @@ done if test -n "$user" then + chown $user "$pamtooldir/auth_pam_tool_dir" + if test $? -ne 0 + then + echo "Cannot change ownership of the '$pamtooldir/auth_pam_tool_dir' directory" + echo " to the '$user' user. Check that you have the necessary permissions and try again." + exit 1 + fi + if test -z "$srcdir" + then + chown 0 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool" + if test $? -ne 0 + then + echo "Couldn't set an owner to '$pamtooldir/auth_pam_tool_dir/auth_pam_tool'." + echo " It must be root, the PAM authentication plugin doesn't work otherwise.." + echo + fi + fi args="$args --user=$user" fi