maria-developers team mailing list archive

["Daniel Black (vnet)" <daniel@xxxxxxxxxxxxxxxxxx>]

Is this compatible with passing through additional items like
https://github.com/MariaDB/server/pull/631 ?

> As we discussed, there should be some ways to prevent it being used
> to brute-force passwords. It'll be suid root, so it cannot be
> made executable only by "mysql" user.
>
> I see two approaches here:
>
>  1. getuid() and check that the user name is "mysql"
>  2. getppid() and check that it matches the value in a pid_file
>
> second is heavier (one might need to read my.cnf to find the location
> of a pid_file).

There isn't always a pidfile any more (systemd services)

> first hard-codes the user name.
> oh, a third approach. create a new directory under plugin-dir, say
> auth_tool with permissions r-x------ and owned by "mysql".
> Put the actual executable there, so nobody besides "mysql" user
> will be able to get to it.
>
> Yes, this seems the easiest, fastest, and most flexible too :)

Yes, quite like the approach here.

/usr/libexec/ is a more common  directory for these helper services.

Might need additional selinux rules for this.