Hi, Alexey! On Jul 09, Alexey Botchkov wrote: > revision-id: 1a2748ceb0e30770eebc97d82d7baa885b332c49 > (mariadb-10.3.6-45-g1a2748c) > parent(s): aa01f51bdef9cc38d8e0a75ea9e2788651e41d16 > committer: Alexey Botchkov > timestamp: 2018-07-09 13:20:42 +0400 > message: > > MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server. > > Scripts added to set safe permissions for the auth_pam_tool and its > directory. > > diff --git a/scripts/mysql_install_db.sh b/scripts/mysql_install_db.sh > index ad7c028..fd26228 100644 > --- a/scripts/mysql_install_db.sh > +++ b/scripts/mysql_install_db.sh > @@ -308,6 +308,7 @@ then > srcpkgdatadir="$srcdir/scripts" > buildpkgdatadir="$builddir/scripts" > plugindir="$builddir/plugin/auth_socket" > + pamtooldir="$builddir/plugin/auth_pam" > elif test -n "$basedir" > then > bindir="$basedir/bin" # only used in the help text > @@ -337,6 +338,7 @@ then > exit 1 > fi > plugindir=`find_in_dirs --dir auth_socket.so $basedir/lib*/plugin > $basedir/lib*/mysql/plugin` > + pamtooldir=`find_in_dirs --dir auth_pam.so $basedir/lib*/plugin > $basedir/lib*/mysql/plugin`
Why not just pamtooldir=$plugindir ? > else > basedir="@prefix@" > bindir="@bindir@" > @@ -445,6 +448,13 @@ done > > if test -n "$user" > then > + chown $user "$pamtooldir/auth_pam_tool_dir" > + if test $? -ne 0 > + then > + echo "Cannot change ownership of the '$pamtooldir\auth_pam_tool_dir' > directory" > + echo " to the '$user' user. Check that you have the necessary > permissions and try again." > + exit 1 > + fi Looks ok. Did you test that it works? I mean, a test would be to install from a tarball and run mysql_install_db or install from rpm or deb (they run the install script automatically) and then check that all permissions are correct. Also, I suspect that an additional chown root "$pamtooldir/auth_pam_tool_dir/auth_pam_tool" could also be useful here. But not when the script is running in the builddir. Regards, Sergei Chief Architect MariaDB and secur...@mariadb.org
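Review bot: In the `@@ -337,6 +338,7 @@` hunk, `pamtooldir` is derived from the location of `auth_pam.so`, but nothing checks the result before the `else`; if the PAM plugin is not built or not installed, `pamtooldir` is empty and the later `chown $user "$pamtooldir/auth_pam_tool_dir"` operates on `/auth_pam_tool_dir`. Either reuse `$plugindir` as suggested above, or guard the later block with `if test -n "$pamtooldir"` so an optional plugin does not abort `mysql_install_db`.

Review bot: In the `@@ -445,6 +448,13 @@` hunk, only ownership of `auth_pam_tool_dir` is changed, while the commit message says the script sets safe permissions for the tool and its directory; no `chmod` restricting the directory to that user appears, so the effective mode depends on whatever the build or package left behind. Consider pairing the `chown` with an explicit mode (and checking its exit status the same way), quoting `"$user"` in the `chown` call, and fixing the error message, which prints `'$pamtooldir\auth_pam_tool_dir'` with a backslash instead of `/`.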