maria-developers team mailing list archive

Re: 1a2748c: MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server.

 

Hi, Alexey!

On Jul 09, Alexey Botchkov wrote:
> revision-id: 1a2748ceb0e30770eebc97d82d7baa885b332c49 (mariadb-10.3.6-45-g1a2748c)
> parent(s): aa01f51bdef9cc38d8e0a75ea9e2788651e41d16
> committer: Alexey Botchkov
> timestamp: 2018-07-09 13:20:42 +0400
> message:
> 
> MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server.
> 
> Scripts added to set safe permissions for the auth_pam_tool and its
> directory.
> 
> diff --git a/scripts/mysql_install_db.sh b/scripts/mysql_install_db.sh
> index ad7c028..fd26228 100644
> --- a/scripts/mysql_install_db.sh
> +++ b/scripts/mysql_install_db.sh
> @@ -308,6 +308,7 @@ then
>    srcpkgdatadir="$srcdir/scripts"
>    buildpkgdatadir="$builddir/scripts"
>    plugindir="$builddir/plugin/auth_socket"
> +  pamtooldir="$builddir/plugin/auth_pam"
>  elif test -n "$basedir"
>  then
>    bindir="$basedir/bin" # only used in the help text
> @@ -337,6 +338,7 @@ then
>      exit 1
>    fi
>    plugindir=`find_in_dirs --dir auth_socket.so $basedir/lib*/plugin $basedir/lib*/mysql/plugin`
> +  pamtooldir=`find_in_dirs --dir auth_pam.so $basedir/lib*/plugin $basedir/lib*/mysql/plugin`

Why not just pamtooldir=$plugindir ?

>  else
>    basedir="@prefix@"
>    bindir="@bindir@"
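
Review bot: The added pamtooldir assignment is never checked for an empty result; the line is followed directly by `else`. If find_in_dirs returns nothing because auth_pam.so is not installed, the chown added further down in this patch is run on "/auth_pam_tool_dir", fails, and aborts the whole script with exit 1. Consider skipping the PAM ownership step when pamtooldir is empty, or reporting a specific error at this point.
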
> @@ -445,6 +448,13 @@ done
>  
>  if test -n "$user"
>  then
> +  chown $user "$pamtooldir/auth_pam_tool_dir"
> +  if test $? -ne 0
> +  then
> +      echo "Cannot change ownership of the '$pamtooldir\auth_pam_tool_dir' directory"
> +      echo " to the '$user' user. Check that you have the necessary permissions and try again."
> +      exit 1
> +  fi
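
Review bot: The first added echo prints the path as '$pamtooldir\auth_pam_tool_dir', with a backslash where the chown above it uses a slash, so the reported path does not match the one that failed (and an echo that interprets escapes turns \a into a bell character). It should read '$pamtooldir/auth_pam_tool_dir'. In the chown itself $user is unquoted while the path is quoted; "$user" would be consistent.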

Looks ok. Did you test that it works? I mean, a test would be to install
from a tarball and run mysql_install_db or install from rpm or deb (they
run the install script automatically) and then check that all
permissions are correct.

Also, I suspect that an additional

  chown root "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"

could also be useful here. But not when the script is running in
the builddir.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx
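
The post-install check described in the reply above, as an added example (not part of the patch or of MariaDB's scripts): a POSIX sh helper that verifies the ownership the patch and the reply aim for, with auth_pam_tool_dir owned by the server user and auth_pam_tool owned by root. The function names and the directory and user names passed as arguments are assumptions; file modes are not checked because the thread does not state them.

```shell
#!/bin/sh
# Added example: ownership check to run after mysql_install_db --user=<user>.
# Paths mirror the patch: "$pamtooldir/auth_pam_tool_dir" and the
# auth_pam_tool binary inside it. Function names are hypothetical.

# Print the numeric uid that owns a path (ls -n is POSIX; no GNU stat needed).
owner_uid() {
  ls -ldn "$1" 2>/dev/null | awk '{print $3}'
}

# Resolve a user name or a numeric uid to a uid; prints nothing if unknown.
to_uid() {
  case "$1" in
    ''|*[!0-9]*) id -u "$1" 2>/dev/null || true ;;
    *) echo "$1" ;;
  esac
}

# check_owner PATH USER: 0 if PATH exists and is owned by USER,
# 1 on an ownership mismatch, 2 if the path or the user cannot be resolved.
check_owner() {
  want=`to_uid "$2"`
  have=`owner_uid "$1"`
  if test -z "$have"; then echo "MISSING $1"; return 2; fi
  if test -z "$want"; then echo "UNKNOWN user '$2'"; return 2; fi
  if test "$have" != "$want"; then
    echo "FAIL $1: owner uid $have, expected $want ($2)"
    return 1
  fi
  echo "ok $1: owned by $2"
}

# check_pam_tool_perms PAMTOOLDIR DIR_OWNER TOOL_OWNER
# Runs both checks so one report lists every problem, then returns 0 or 1.
check_pam_tool_perms() {
  rc=0
  check_owner "$1/auth_pam_tool_dir" "$2" || rc=1
  check_owner "$1/auth_pam_tool_dir/auth_pam_tool" "$3" || rc=1
  return $rc
}

# Command-line use: sh check.sh <plugin dir> <server user> root
if test $# -eq 3; then
  check_pam_tool_perms "$1" "$2" "$3"
fi
```

Run it after each install method the reply lists (tarball plus mysql_install_db, rpm, deb); a missing directory is reported separately from a wrong owner, which distinguishes "PAM plugin not installed" from "chown did not happen".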