Hi, Alexey!
On Jul 05, Alexey Botchkov wrote:
> revision-id: 765ba2ac76dab984183bf829dc3407713a4d5d9b
> (mariadb-10.3.6-40-g765ba2a)
> parent(s): 7e704a2308e25953b5f8fb154eb325df3e25c2ec
> committer: Alexey Botchkov
> timestamp: 2018-07-05 17:00:47 +0400
> message:
>
> MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server.
>
> Proper access permissions for the auth_pam_tool_dir and auth_pam_tool.
>
> diff --git a/plugin/auth_pam/CMakeLists.txt b/plugin/auth_pam/CMakeLists.txt
> index 4943d57..b9313de 100644
> --- a/plugin/auth_pam/CMakeLists.txt
> +++ b/plugin/auth_pam/CMakeLists.txt
> @@ -11,7 +11,13 @@ IF(HAVE_PAM_APPL_H)
> ADD_DEFINITIONS(-D_GNU_SOURCE)
> MYSQL_ADD_PLUGIN(auth_pam_v1 auth_pam_v1.c LINK_LIBRARIES pam MODULE_ONLY)
> MYSQL_ADD_PLUGIN(auth_pam auth_pam.c LINK_LIBRARIES pam dl MODULE_ONLY)
> - MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION
> ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server)
> + MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION
> ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server)
> TARGET_LINK_LIBRARIES(auth_pam_tool pam)
> + INSTALL(CODE "EXECUTE_PROCESS(
> + COMMAND chmod u=rwx,g=,o= auth_pam_tool_dir
> + COMMAND chmod u=rwx,g=rx,o=rx
> auth_pam_tool_dir/auth_pam_tool
> + COMMAND chmod +s auth_pam_tool_dir/auth_pam_tool
> + WORKING_DIRECTORY
> \$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${INSTALL_PLUGINDIR}/)"
> + COMPONENT Server)
I think it's generally ok. Two comments:
minor: you can combine two chmods on auth_pam_tool in one, like u=rwxs
major: you still need to make auth_pam_tool_dir to be owned by mysql
user. I'm afraid the only way to do it is from a post-install
scriptlet or from mysql_install_db.
Regards,
Sergei
Chief Architect MariaDB
and secur...@mariadb.org
_______________________________________________
Mailing list: https://launchpad.net/~maria-developers
Post to : maria-developers@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-developers
More help : https://help.launchpad.net/ListHelp
