revision-id: f8e92e8555f3fa1cf563785f428008272f178d66 (mariadb-10.4.4-93-gf8e92e8) parent(s): ea771624528794449444b2c066ca6171388cdf37 committer: Alexey Botchkov timestamp: 2019-05-15 19:06:04 +0400 message: merging MDEV-18686 into 10.4. --- mysql-test/suite/plugins/r/pam.result | 20 ++++++++++++++++++++ mysql-test/suite/plugins/t/pam.test | 28 ++++++++++++++++++++++++---- plugin/auth_pam/auth_pam.c | 6 +++++- plugin/auth_pam/auth_pam_base.c | 5 ++++- plugin/auth_pam/auth_pam_common.c | 5 +++++ plugin/auth_pam/auth_pam_tool.c | 3 ++- 6 files changed, 60 insertions(+), 7 deletions(-) diff --git a/mysql-test/suite/plugins/r/pam.result b/mysql-test/suite/plugins/r/pam.result index a16cd7f..12d1319 100644 --- a/mysql-test/suite/plugins/r/pam.result +++ b/mysql-test/suite/plugins/r/pam.result @@ -29,4 +29,24 @@ Now, the magic number! PIN: *** drop user test_pam; drop user pam_test; +create user PAM_TEST identified via pam using 'mariadb_mtr'; +# +# athentication is unsuccessful +# +Challenge input first. +Enter: not very secret challenge +Now, the magic number! +PIN: **** +set global pam_winbind_workaround=1; +# +# athentication is successful +# +Challenge input first. +Enter: not very secret challenge +Now, the magic number! +PIN: **** +select user(), current_user(), database(); +user() current_user() database() +PAM_TEST@localhost PAM_TEST@% test +drop user PAM_TEST; uninstall plugin pam; diff --git a/mysql-test/suite/plugins/t/pam.test b/mysql-test/suite/plugins/t/pam.test index 6bb282f..4040afa 100644 --- a/mysql-test/suite/plugins/t/pam.test +++ b/mysql-test/suite/plugins/t/pam.test @@ -22,25 +22,45 @@ EOF --echo # --echo # athentication is successful, challenge/pin are ok --echo # note that current_user() differs from user() ---echo # ---exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good.txt +-echo # +--exec $MYSQL_TEST -u test_pam < $MYSQLTEST_VARDIR/tmp/pam_good.txt --echo # --echo # athentication is unsuccessful --echo # --error 1 ---exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_bad.txt +--exec $MYSQL_TEST -u test_pam < $MYSQLTEST_VARDIR/tmp/pam_bad.txt --echo # --echo # athentication is unsuccessful --echo # --error 1 ---exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_ugly.txt +--exec $MYSQL_TEST -u test_pam < $MYSQLTEST_VARDIR/tmp/pam_ugly.txt --remove_file $MYSQLTEST_VARDIR/tmp/pam_good.txt --remove_file $MYSQLTEST_VARDIR/tmp/pam_bad.txt +--remove_file $MYSQLTEST_VARDIR/tmp/pam_ugly.txt drop user test_pam; drop user pam_test; + +create user PAM_TEST identified via pam using 'mariadb_mtr'; + +--echo # +--echo # athentication is unsuccessful +--echo # +--error 1 +--exec $MYSQL_TEST -u PAM_TEST < $MYSQLTEST_VARDIR/tmp/pam_good.txt + +set global pam_winbind_workaround=1; +--echo # +--echo # athentication is successful +--echo # +--exec $MYSQL_TEST -u PAM_TEST < $MYSQLTEST_VARDIR/tmp/pam_good.txt + +--remove_file $MYSQLTEST_VARDIR/tmp/pam_good.txt +--remove_file $MYSQLTEST_VARDIR/tmp/pam_bad.txt +drop user PAM_TEST; + let $count_sessions= 1; --source include/wait_until_count_sessions.inc uninstall plugin pam; diff --git a/plugin/auth_pam/auth_pam.c b/plugin/auth_pam/auth_pam.c index 779f6ce..599b323 100644 --- a/plugin/auth_pam/auth_pam.c +++ b/plugin/auth_pam/auth_pam.c @@ -28,6 +28,8 @@ static char pam_debug = 0; #define PAM_DEBUG(X) /* no-op */ #endif +static char winbind_hack = 0; + static char *opt_plugin_dir; /* To be dynamically linked. */ static const char *tool_name= "auth_pam_tool_dir/auth_pam_tool"; static const int tool_name_len= 31; @@ -109,10 +111,12 @@ static int pam_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) info->user_name, info->auth_string)); #ifndef DBUG_OFF - field= pam_debug; + field= pam_debug ? 1 : 0; #else field= 0; #endif + field|= winbind_hack ? 2 : 0; + if (write(p_to_c[1], &field, 1) != 1 || write_string(p_to_c[1], (const uchar *) info->user_name, info->user_name_length) || diff --git a/plugin/auth_pam/auth_pam_base.c b/plugin/auth_pam/auth_pam_base.c index 67a0adb..a23cfcb 100644 --- a/plugin/auth_pam/auth_pam_base.c +++ b/plugin/auth_pam/auth_pam_base.c @@ -60,6 +60,8 @@ static char pam_debug = 0; #define PAM_DEBUG(X) /* no-op */ #endif +static char winbind_hack = 0; + static int conv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) { @@ -161,7 +163,8 @@ static int pam_auth_base(struct param *param, MYSQL_SERVER_AUTH_INFO *info) PAM_DEBUG((stderr, "PAM: pam_get_item(PAM_USER)\n")); DO( pam_get_item(pamh, PAM_USER, (pam_get_item_3_arg) &new_username) ); - if (new_username && strcmp(new_username, info->user_name)) + if (new_username && + (winbind_hack ? strcasecmp : strcmp)(new_username, info->user_name)) strncpy(info->authenticated_as, new_username, sizeof(info->authenticated_as)); info->authenticated_as[sizeof(info->authenticated_as)-1]= 0; diff --git a/plugin/auth_pam/auth_pam_common.c b/plugin/auth_pam/auth_pam_common.c index 135feb6..ef8f0f6 100644 --- a/plugin/auth_pam/auth_pam_common.c +++ b/plugin/auth_pam/auth_pam_common.c @@ -36,6 +36,10 @@ static MYSQL_SYSVAR_BOOL(use_cleartext_plugin, use_cleartext_plugin, "supports simple PAM policies that don't require anything besides " "a password", NULL, NULL, 0); +static MYSQL_SYSVAR_BOOL(winbind_workaround, winbind_hack, PLUGIN_VAR_OPCMDARG, + "Compare usernames case insensitively to work around pam_winbind " + "unconditional username lowercasing", NULL, NULL, 0); + #ifndef DBUG_OFF static MYSQL_SYSVAR_BOOL(debug, pam_debug, PLUGIN_VAR_OPCMDARG, "Log all PAM activity", NULL, NULL, 0); @@ -44,6 +48,7 @@ static MYSQL_SYSVAR_BOOL(debug, pam_debug, PLUGIN_VAR_OPCMDARG, static struct st_mysql_sys_var* vars[] = { MYSQL_SYSVAR(use_cleartext_plugin), + MYSQL_SYSVAR(winbind_workaround), #ifndef DBUG_OFF MYSQL_SYSVAR(debug), #endif diff --git a/plugin/auth_pam/auth_pam_tool.c b/plugin/auth_pam/auth_pam_tool.c index 95d47dc..6fd30b4 100644 --- a/plugin/auth_pam/auth_pam_tool.c +++ b/plugin/auth_pam/auth_pam_tool.c @@ -73,8 +73,9 @@ int main(int argc, char **argv) if (read(0, &field, 1) < 1) return -1; #ifndef DBUG_OFF - pam_debug= field; + pam_debug= field & 1; #endif + winbind_hack= field & 2; PAM_DEBUG((stderr, "PAM: sandbox started [%s].\n", argv[0]));