database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server.

Browse Source 
mysql_install_db.sh script fixed.
This commit is contained in:
Alexey Botchkov
2018-07-14 23:06:49 +04:00
parent 7fda6161bc
commit 25410d448d
2 changed files with 26 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
plugin/auth_pam/CMakeLists.txt
View File

@ -11,7 +11,12 @@ IF(HAVE_PAM_APPL_H)
ADD_DEFINITIONS(-D_GNU_SOURCE) ADD_DEFINITIONS(-D_GNU_SOURCE)
MYSQL_ADD_PLUGIN(auth_pam_v1 auth_pam_v1.c LINK_LIBRARIES pam MODULE_ONLY) MYSQL_ADD_PLUGIN(auth_pam_v1 auth_pam_v1.c LINK_LIBRARIES pam MODULE_ONLY)
MYSQL_ADD_PLUGIN(auth_pam auth_pam.c LINK_LIBRARIES pam dl MODULE_ONLY) MYSQL_ADD_PLUGIN(auth_pam auth_pam.c LINK_LIBRARIES pam dl MODULE_ONLY)
MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server) MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server)
TARGET_LINK_LIBRARIES(auth_pam_tool pam) TARGET_LINK_LIBRARIES(auth_pam_tool pam)
INSTALL(CODE "EXECUTE_PROCESS(
COMMAND chmod u=rwx,g=,o= auth_pam_tool_dir
COMMAND chmod u=rwxs,g=rx,o=rx auth_pam_tool_dir/auth_pam_tool
WORKING_DIRECTORY \$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${INSTALL_PLUGINDIR}/)"
COMPONENT Server)
ENDIF(HAVE_PAM_APPL_H) ENDIF(HAVE_PAM_APPL_H)

20
scripts/mysql_install_db.sh
View File

@ -308,6 +308,7 @@ then
srcpkgdatadir="$srcdir/scripts" srcpkgdatadir="$srcdir/scripts"
buildpkgdatadir="$builddir/scripts" buildpkgdatadir="$builddir/scripts"
plugindir="$builddir/plugin/auth_socket" plugindir="$builddir/plugin/auth_socket"
pamtooldir="$builddir/plugin/auth_pam"
elif test -n "$basedir" elif test -n "$basedir"
then then
bindir="$basedir/bin" # only used in the help text bindir="$basedir/bin" # only used in the help text
@ -337,6 +338,7 @@ then
exit 1 exit 1
fi fi
plugindir=`find_in_dirs --dir auth_socket.so $basedir/lib*/plugin $basedir/lib*/mysql/plugin` plugindir=`find_in_dirs --dir auth_socket.so $basedir/lib*/plugin $basedir/lib*/mysql/plugin`
pamtooldir=$plugindir
else else
basedir="@prefix@" basedir="@prefix@"
bindir="@bindir@" bindir="@bindir@"
@ -345,6 +347,7 @@ else
srcpkgdatadir="@pkgdatadir@" srcpkgdatadir="@pkgdatadir@"
buildpkgdatadir="@pkgdatadir@" buildpkgdatadir="@pkgdatadir@"
plugindir="@pkgplugindir@" plugindir="@pkgplugindir@"
pamtooldir="@pkgplugindir@"
fi fi
# Set up paths to SQL scripts required for bootstrap # Set up paths to SQL scripts required for bootstrap
@ -445,6 +448,23 @@ done
if test -n "$user" if test -n "$user"
then then
chown $user "$pamtooldir/auth_pam_tool_dir"
if test $? -ne 0
then
echo "Cannot change ownership of the '$pamtooldir/auth_pam_tool_dir' directory"
echo " to the '$user' user. Check that you have the necessary permissions and try again."
exit 1
fi
if test -z "$srcdir"
then
chown 0 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"
if test $? -ne 0
then
echo "Couldn't set an owner to '$pamtooldir/auth_pam_tool_dir/auth_pam_tool'."
echo " It must be root, the PAM authentication plugin doesn't work otherwise.."
echo
fi
fi
args="$args --user=$user" args="$args --user=$user"
fi fi