maria-developers team mailing list archive
-
maria-developers team
-
Mailing list archive
-
Message #11348
Re: 84c9ec5: MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server.
Is this compatible with passing through additional items like
https://github.com/MariaDB/server/pull/631 ?
As we discussed, there should be some ways to prevent it being used
to brute-force passwords. It'll be suid root, so it cannot be
made executable only by "mysql" user.
I see two approaches here:
1. getuid() and check that the user name is "mysql"
2. getppid() and check that it matches the value in a pid_file
second is heavier (one might need to read my.cnf to find the location
of a pid_file).
There isn't always a pidfile any more (systemd services)
first hard-codes the user name.
oh, a third approach. create a new directory under plugin-dir, say
auth_tool with permissions r-x------ and owned by "mysql".
Put the actual executable there, so nobody besides "mysql" user
will be able to get to it.
Yes, this seems the easiest, fastest, and most flexible too :)
Yes, quite like the approach here.
/usr/libexec/ is a more common directory for these helper services.
Might need additional selinux rules for this.
References