Hi, Alexey!

On Jul 09, Alexey Botchkov wrote:
revision-id: 1a2748ceb0e30770eebc97d82d7baa885b332c49 (mariadb-10.3.6-45-g1a2748c)
parent(s): aa01f51bdef9cc38d8e0a75ea9e2788651e41d16
committer: Alexey Botchkov
timestamp: 2018-07-09 13:20:42 +0400
message:
MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server.
Scripts added to set safe permissions for the auth_pam_tool and its directory.
diff --git a/scripts/mysql_install_db.sh b/scripts/mysql_install_db.sh index ad7c028..fd26228 100644 --- a/scripts/mysql_install_db.sh +++ b/scripts/mysql_install_db.sh @@ -308,6 +308,7 @@ then srcpkgdatadir="$srcdir/scripts" buildpkgdatadir="$builddir/scripts" plugindir="$builddir/plugin/auth_socket" + pamtooldir="$builddir/plugin/auth_pam" elif test -n "$basedir" then bindir="$basedir/bin" # only used in the help text @@ -337,6 +338,7 @@ then exit 1 fi plugindir=`find_in_dirs --dir auth_socket.so $basedir/lib*/plugin $basedir/lib*/mysql/plugin` + pamtooldir=`find_in_dirs --dir auth_pam.so $basedir/lib*/plugin $basedir/lib*/mysql/plugin`
Why not just pamtooldir=$plugindir ?
else basedir="@prefix@" bindir="@bindir@" @@ -445,6 +448,13 @@ done
if test -n "$user" then + chown $user "$pamtooldir/auth_pam_tool_dir" + if test $? -ne 0 + then + echo "Cannot change ownership of the '$pamtooldir\auth_pam_tool_dir' directory" + echo " to the '$user' user. Check that you have the necessary permissions and try again." + exit 1 + fi
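Review bot: in the @@ -337,6 +338,7 @@ hunk the output of find_in_dirs --dir auth_pam.so goes into pamtooldir with no check that anything was found, while the later hunk runs chown on "$pamtooldir/auth_pam_tool_dir" and exits with status 1 when that fails. If the lookup yields an empty string, the chown is aimed at /auth_pam_tool_dir and the whole install script stops; consider testing that the directory exists before the chown, or skipping the step when it does not.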
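Review bot: the error message in the @@ -445,6 +448,13 @@ hunk names the path as '$pamtooldir\auth_pam_tool_dir' with a backslash, while the chown above it uses "$pamtooldir/auth_pam_tool_dir". Depending on the shell's echo, \a is either printed literally or treated as an escape, so the message will not show the path that was actually passed to chown; use a forward slash there. The chown also passes $user unquoted although the path beside it is quoted; writing "$user" keeps the two consistent.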
Looks ok. Did you test that it works? I mean, a test would be to install from a tarball and run mysql_install_db or install from rpm or deb (they run the install script automatically) and then check that all permissions are correct.

Also, I suspect that an additional

chown root "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"

could also be useful here. But not when the script is running in the builddir.

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
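The post-install check suggested in the reply above can be scripted. The following is an added example, not part of the thread or of MariaDB's scripts. The function names and the argument order are assumptions. It checks ownership only, since the thread does not state the intended file modes.

```shell
#!/bin/sh
# Added example, not MariaDB code: post-install ownership check for the
# auth_pam_tool_dir directory and the auth_pam_tool binary inside it.

# owner_of PATH: print the owning user of PATH as shown by ls -ld.
owner_of() {
    ls -ld -- "$1" 2>/dev/null | awk '{print $3}'
}

# check_pam_tool_owners PLUGINDIR SERVER_USER [TOOL_OWNER]
# TOOL_OWNER defaults to root; pass the build user when checking a builddir.
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_pam_tool_owners() {
    dir="$1/auth_pam_tool_dir"
    tool="$dir/auth_pam_tool"
    want_dir="$2"
    want_tool="${3:-root}"
    rc=0

    # A symlink here would make chown act on the link target instead.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing, a symlink, or not a directory"
        return 1
    fi
    got=$(owner_of "$dir")
    if [ "$got" != "$want_dir" ]; then
        echo "FAIL: $dir owned by '$got', expected '$want_dir'"
        rc=1
    fi

    if [ -L "$tool" ] || [ ! -f "$tool" ]; then
        echo "FAIL: $tool is missing, a symlink, or not a regular file"
        return 1
    fi
    got=$(owner_of "$tool")
    if [ "$got" != "$want_tool" ]; then
        echo "FAIL: $tool owned by '$got', expected '$want_tool'"
        rc=1
    fi
    return $rc
}

# Stand-alone use: sh check.sh PLUGINDIR SERVER_USER [TOOL_OWNER]
if [ "$#" -ge 2 ]; then
    check_pam_tool_owners "$@"
fi
```

Run it after a tarball, rpm or deb install with the plugin directory and the server user as arguments; a non-zero exit status means at least one owner differs from what was expected.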