maria-developers team mailing list archive

Re: 84c9ec5: MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server.

 

Hi, Alexey!

On Jun 30, Alexey Botchkov wrote:
> > not sure about calling it "safe". I think it's more of a side
> > effect, the main feature is that it works, while old pam plugin
> > simply doesn't :) unless mysqld is run as root.
> >
> > and not totally sure about calling it also pam. it means one won't
> > be able to load it and the old pam plugin at the same time. I
> > suspect it'll still be ok and benefits outweigh it.
> 
> Well I'm open to any ideas here :)
> We can swap 'safe' with something else. 'box' for instance.
> Or we can instead rename the original version like 'fast' or 'old'.
> Finally we can build only one version of the plugin. The 'safe'
> whenever possible.

I'd rather rename the old version to (old) or (requires root) or
something.

> I also have a question about the testing.
> Now pam*.test-s rely on some mariadb_mtr setup for PAM. How can I see what
> is in the expected pam.d configuration file, and what pam modules are used?

See plugin/auth_pam/testing/pam_mariadb_mtr.c

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx

