Is this compatible with passing through additional items like https://github.com/MariaDB/server/pull/631?
As we discussed, there should be some ways to prevent it being used to brute-force passwords. It'll be suid root, so it cannot be made executable only by "mysql" user.
I see two approaches here:
1. getuid() and check that the user name is "mysql"
2. getppid() and check that it matches the value in a pid_file

Second is heavier (one might need to read my.cnf to find the location of a pid_file).
There isn't always a pidfile any more (systemd services)
First hard-codes the user name. Oh, a third approach: create a new directory under plugin-dir, say auth_tool, with permissions r-x------ and owned by "mysql". Put the actual executable there, so nobody besides "mysql" user will be able to get to it.
Yes, this seems the easiest, fastest, and most flexible too :)
Yes, quite like the approach here. /usr/libexec/ is a more common directory for these helper services. Might need additional SELinux rules for this.
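
The first and third approaches from the thread written as checks, in an added example that is not part of the PR or of MariaDB's code. The function names, the command-line arguments and the exact-mode policy (0500 with no other bits set) are assumptions made for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Approach 1 (hypothetical helper): the real uid of the caller, not the
 * effective uid (root, because of the suid bit), must map to `expected`. */
int caller_is_user(const char *expected)
{
    struct passwd *pw = getpwuid(getuid());
    return pw != NULL && strcmp(pw->pw_name, expected) == 0;
}

/* Approach 3 (hypothetical helper): the path holding the suid tool must be
 * a directory owned by `owner` with mode exactly r-x------ (0500), so no
 * other non-root account can traverse into it and reach the binary. */
int dir_is_private_to(const char *path, uid_t owner)
{
    struct stat st;

    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != owner)
        return 0;
    return (st.st_mode & 07777) == 0500;
}

/* Usage: ./check <directory> <account>, e.g. the auth_tool directory and "mysql". */
int main(int argc, char **argv)
{
    struct passwd *pw;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <directory> <account>\n", argv[0]);
        return 2;
    }
    pw = getpwnam(argv[2]);
    if (pw == NULL) {
        fprintf(stderr, "unknown account: %s\n", argv[2]);
        return 2;
    }
    printf("caller is %s: %s\n", argv[2], caller_is_user(argv[2]) ? "yes" : "no");
    printf("%s private to %s: %s\n", argv[1], argv[2],
           dir_is_private_to(argv[1], pw->pw_uid) ? "yes" : "no");
    return dir_is_private_to(argv[1], pw->pw_uid) ? 0 : 1;
}
```

Root bypasses directory permission bits, so the directory gate only keeps other unprivileged accounts away from the suid binary.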