← Back to team overview

maria-developers team mailing list archive

Re: 84c9ec5: MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server.


Hi, Alexey!

On Jun 30, Alexey Botchkov wrote:
> > not sure about calling it "safe". I think it's more of a side
> > effect, the main feature it that it works, while old pam plugin
> > simply doesn't :) unless mysqld is run as root.
> >
> > and not totally sure about calling it also pam. it means one won't
> > be able to load it and the old pam plugin at the same time.  I
> > suspect it'll still ok and benefits overweight it.
> Well i'm open to any ideas here :)
> We can swap 'safe' with somethin else. 'box' for instance.
> Or we can instead rename the original version like 'fast' or 'old'.
> Finally we can build only one version of the plugin. The 'safe'
> whenever possible.

I'd rather rename the old version to (old) or (requires root) or

> I also have a question about the testing.
> Now pam*.test-s rely on some mariadb_mtr setup for PAM. How can i see what
> is in the expected pam.d configuration file, and what pam modules are used?

See plugin/auth_pam/testing/pam_mariadb_mtr.c

Chief Architect MariaDB
and security@xxxxxxxxxxx