Commit 25410d44 authored by Alexey Botchkov's avatar Alexey Botchkov

MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server.

mysql_install_db.sh script fixed.
parent 7fda6161
...@@ -11,7 +11,12 @@ IF(HAVE_PAM_APPL_H) ...@@ -11,7 +11,12 @@ IF(HAVE_PAM_APPL_H)
ADD_DEFINITIONS(-D_GNU_SOURCE) ADD_DEFINITIONS(-D_GNU_SOURCE)
MYSQL_ADD_PLUGIN(auth_pam_v1 auth_pam_v1.c LINK_LIBRARIES pam MODULE_ONLY) MYSQL_ADD_PLUGIN(auth_pam_v1 auth_pam_v1.c LINK_LIBRARIES pam MODULE_ONLY)
MYSQL_ADD_PLUGIN(auth_pam auth_pam.c LINK_LIBRARIES pam dl MODULE_ONLY) MYSQL_ADD_PLUGIN(auth_pam auth_pam.c LINK_LIBRARIES pam dl MODULE_ONLY)
MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server) MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server)
TARGET_LINK_LIBRARIES(auth_pam_tool pam) TARGET_LINK_LIBRARIES(auth_pam_tool pam)
INSTALL(CODE "EXECUTE_PROCESS(
COMMAND chmod u=rwx,g=,o= auth_pam_tool_dir
COMMAND chmod u=rwxs,g=rx,o=rx auth_pam_tool_dir/auth_pam_tool
WORKING_DIRECTORY \$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${INSTALL_PLUGINDIR}/)"
COMPONENT Server)
ENDIF(HAVE_PAM_APPL_H) ENDIF(HAVE_PAM_APPL_H)
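Review bot: The two `chmod` calls in the added `INSTALL(CODE ...)` share one `EXECUTE_PROCESS`, which runs its `COMMAND`s concurrently as a pipeline and, with no `RESULT_VARIABLE`, ignores their exit status. If the directory chmod fails, the install still succeeds and `auth_pam_tool_dir` keeps whatever mode it was created with, so the set-user-ID helper (mode `o=rx`) is reachable by every local account rather than only the directory owner. Run each chmod in its own `EXECUTE_PROCESS`, capture the result, and stop the install with `MESSAGE(FATAL_ERROR ...)` when either is non-zero. The `WORKING_DIRECTORY` also appears to assume `INSTALL_PLUGINDIR` is relative to the install prefix, which deserves a short comment.

```cmake
INSTALL(CODE "
  EXECUTE_PROCESS(
    COMMAND chmod u=rwx,g=,o= auth_pam_tool_dir
    WORKING_DIRECTORY \$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${INSTALL_PLUGINDIR}/
    RESULT_VARIABLE dir_mode_rc)
  EXECUTE_PROCESS(
    COMMAND chmod u=rwxs,g=rx,o=rx auth_pam_tool_dir/auth_pam_tool
    WORKING_DIRECTORY \$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${INSTALL_PLUGINDIR}/
    RESULT_VARIABLE tool_mode_rc)
  IF(NOT dir_mode_rc EQUAL 0 OR NOT tool_mode_rc EQUAL 0)
    MESSAGE(FATAL_ERROR \"Could not set permissions on auth_pam_tool_dir\")
  ENDIF()"
  COMPONENT Server)
```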
...@@ -308,6 +308,7 @@ then ...@@ -308,6 +308,7 @@ then
srcpkgdatadir="$srcdir/scripts" srcpkgdatadir="$srcdir/scripts"
buildpkgdatadir="$builddir/scripts" buildpkgdatadir="$builddir/scripts"
plugindir="$builddir/plugin/auth_socket" plugindir="$builddir/plugin/auth_socket"
pamtooldir="$builddir/plugin/auth_pam"
elif test -n "$basedir" elif test -n "$basedir"
then then
bindir="$basedir/bin" # only used in the help text bindir="$basedir/bin" # only used in the help text
...@@ -337,6 +338,7 @@ then ...@@ -337,6 +338,7 @@ then
exit 1 exit 1
fi fi
plugindir=`find_in_dirs --dir auth_socket.so $basedir/lib*/plugin $basedir/lib*/mysql/plugin` plugindir=`find_in_dirs --dir auth_socket.so $basedir/lib*/plugin $basedir/lib*/mysql/plugin`
pamtooldir=$plugindir
else else
basedir="@prefix@" basedir="@prefix@"
bindir="@bindir@" bindir="@bindir@"
...@@ -345,6 +347,7 @@ else ...@@ -345,6 +347,7 @@ else
srcpkgdatadir="@pkgdatadir@" srcpkgdatadir="@pkgdatadir@"
buildpkgdatadir="@pkgdatadir@" buildpkgdatadir="@pkgdatadir@"
plugindir="@pkgplugindir@" plugindir="@pkgplugindir@"
pamtooldir="@pkgplugindir@"
fi fi
# Set up paths to SQL scripts required for bootstrap # Set up paths to SQL scripts required for bootstrap
...@@ -445,6 +448,23 @@ done ...@@ -445,6 +448,23 @@ done
if test -n "$user" if test -n "$user"
then then
chown $user "$pamtooldir/auth_pam_tool_dir"
if test $? -ne 0
then
echo "Cannot change ownership of the '$pamtooldir/auth_pam_tool_dir' directory"
echo " to the '$user' user. Check that you have the necessary permissions and try again."
exit 1
fi
if test -z "$srcdir"
then
chown 0 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"
if test $? -ne 0
then
echo "Couldn't set an owner to '$pamtooldir/auth_pam_tool_dir/auth_pam_tool'."
echo " It must be root, the PAM authentication plugin doesn't work otherwise.."
echo
fi
fi
args="$args --user=$user" args="$args --user=$user"
fi fi
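Review bot: In the last hunk, `chown 0` on `auth_pam_tool` is not followed by a chmod, and on Linux chown clears the set-user-ID bit on regular files even when root runs it, so the mode applied at install time is likely lost here. Restore it in the same step, `chown 0 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool" && chmod 04755 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"`, which matches the `u=rwxs,g=rx,o=rx` used by the build. The directory chown also runs whenever `--user` is given and exits 1 on failure, although the build creates `auth_pam_tool_dir` only under `HAVE_PAM_APPL_H`. Wrapping the added block in `if test -d "$pamtooldir/auth_pam_tool_dir"` and quoting `"$user"` would keep installs without the PAM plugin working.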