maria-developers team mailing list archive

Re: [Commits] 765ba2a: MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server.

 

Hi, Alexey!

On Jul 05, Alexey Botchkov wrote:
> revision-id: 765ba2ac76dab984183bf829dc3407713a4d5d9b (mariadb-10.3.6-40-g765ba2a)
> parent(s): 7e704a2308e25953b5f8fb154eb325df3e25c2ec
> committer: Alexey Botchkov
> timestamp: 2018-07-05 17:00:47 +0400
> message:
> 
> MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server.
> 
> Proper access permissions for the auth_pam_tool_dir and auth_pam_tool.
> 
> diff --git a/plugin/auth_pam/CMakeLists.txt b/plugin/auth_pam/CMakeLists.txt
> index 4943d57..b9313de 100644
> --- a/plugin/auth_pam/CMakeLists.txt
> +++ b/plugin/auth_pam/CMakeLists.txt
> @@ -11,7 +11,13 @@ IF(HAVE_PAM_APPL_H)
>    ADD_DEFINITIONS(-D_GNU_SOURCE)
>    MYSQL_ADD_PLUGIN(auth_pam_v1 auth_pam_v1.c LINK_LIBRARIES pam MODULE_ONLY)
>    MYSQL_ADD_PLUGIN(auth_pam auth_pam.c LINK_LIBRARIES pam dl MODULE_ONLY)
> -  MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION  ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server)
> +  MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server)
>    TARGET_LINK_LIBRARIES(auth_pam_tool pam)
> +  INSTALL(CODE "EXECUTE_PROCESS(
> +                   COMMAND chmod u=rwx,g=,o= auth_pam_tool_dir
> +                   COMMAND chmod u=rwx,g=rx,o=rx auth_pam_tool_dir/auth_pam_tool
> +                   COMMAND chmod +s auth_pam_tool_dir/auth_pam_tool
> +                   WORKING_DIRECTORY \$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${INSTALL_PLUGINDIR}/)"
> +                 COMPONENT Server)
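
Review bot: the third COMMAND, `chmod +s auth_pam_tool_dir/auth_pam_tool`, has no who-specifier, so it sets the setgid bit as well as setuid; if only setuid is intended, write `u+s`, or fold it into the previous line as `u=rwxs,g=rx,o=rx`. The EXECUTE_PROCESS call also records no RESULT_VARIABLE, and several COMMAND arguments in one call run concurrently as a pipeline, so a failed chmod passes silently and the install completes with the tool and its directory at whatever modes they were copied with. Separate EXECUTE_PROCESS calls, each checked for a non-zero result, would make both the ordering and any failure explicit.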

I think it's generally ok. Two comments:

  minor: you can combine the two chmods on auth_pam_tool into one, like u=rwxs

  major: you still need to make auth_pam_tool_dir owned by the mysql
         user. I'm afraid the only way to do it is from a post-install
         scriptlet or from mysql_install_db.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx
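
A post-install check for the permissions discussed in this thread, as an added example that is not part of the original e-mail or of MariaDB's packaging. It assumes GNU `stat`; the function name `check_pam_tool_perms` and its two arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not MariaDB code. Assumes GNU stat (-c); the function name
# and its arguments (directory path, expected owner) are hypothetical.

# check_pam_tool_perms DIR OWNER
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_pam_tool_perms() {
    dir=$1 owner=$2 tool=$1/auth_pam_tool rc=0

    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir: not a real directory"; return 1
    fi
    dmode=$(stat -c '%a' "$dir")
    downer=$(stat -c '%U' "$dir")
    # Patch: chmod u=rwx,g=,o= on the directory, i.e. exactly 700.
    [ "$dmode" = 700 ] || { echo "$dir: mode $dmode, expected 700"; rc=1; }
    # Review: the directory has to be owned by the server account.
    [ "$downer" = "$owner" ] || { echo "$dir: owner $downer, expected $owner"; rc=1; }

    if [ -L "$tool" ] || [ ! -f "$tool" ]; then
        echo "$tool: not a regular file"; return 1
    fi
    tmode=$(stat -c '%a' "$tool")
    # A leading 0 makes the shell read the mode as octal.
    [ $(( 0$tmode & 04000 )) -ne 0 ] || { echo "$tool: setuid bit not set ($tmode)"; rc=1; }
    [ $(( 0$tmode & 00022 )) -eq 0 ] || { echo "$tool: group/other writable ($tmode)"; rc=1; }
    return $rc
}

# Stand-alone use: sh check.sh /path/to/plugin/auth_pam_tool_dir mysql
if [ "$#" -eq 2 ]; then
    check_pam_tool_perms "$1" "$2"
fi
```

The function reports every finding rather than stopping at the first, so one run shows both a wrong directory owner and a missing setuid bit.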