database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

MDEV-27341 Use SET PASSWORD to change PAM service

Browse Source 
SET PASSWORD = PASSWORD('foo') would fail for pam plugin with

ERROR HY000: SET PASSWORD is ignored for users authenticating via pam plugin

but SET PASSWORD = 'foo' would not.

Now it will.
This commit is contained in:
Sergei Golubchik
2022-01-05 22:55:07 +01:00
parent da76d25ab4
commit 7b555ff2c5
4 changed files with 41 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
include/mysql/plugin_auth.h
View File

@ -147,7 +147,8 @@ struct st_mysql_auth
@return 0 for ok, 1 for error @return 0 for ok, 1 for error
Can be NULL. Can be NULL, in this case one will not be able to use SET PASSWORD or
PASSWORD('...') in GRANT, CREATE USER, ALTER USER.
*/ */
int (*hash_password)(const char *password, size_t password_length, int (*hash_password)(const char *password, size_t password_length,
char *hash, size_t *hash_length); char *hash, size_t *hash_length);

17
mysql-test/suite/plugins/r/pam.result
View File

@ -91,4 +91,21 @@ select user(), current_user(), database();
user() current_user() database() user() current_user() database()
PAM_TEST@localhost PAM_TEST@% test PAM_TEST@localhost PAM_TEST@% test
drop user PAM_TEST; drop user PAM_TEST;
#
# MDEV-27341 Use SET PASSWORD to change PAM service
#
create user pam_test identified via pam using 'mariadb_mtr';
Challenge input first.
Enter: *************************
Now, the magic number!
PIN: 9225
select user(), current_user(), database();
user() current_user() database()
pam_test@localhost pam_test@% test
set password='foo';
ERROR HY000: SET PASSWORD is ignored for users authenticating via pam plugin
show create user;
CREATE USER for pam_test@%
CREATE USER `pam_test`@`%` IDENTIFIED VIA pam USING 'mariadb_mtr'
drop user pam_test;
uninstall plugin pam; uninstall plugin pam;

17
mysql-test/suite/plugins/t/pam.test
View File

@ -45,7 +45,6 @@ EOF
--echo # --echo #
--echo # athentication is successful --echo # athentication is successful
--echo # --echo #
--error 0
--exec $MYSQL_TEST -u test_pam -pgoodpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt --exec $MYSQL_TEST -u test_pam -pgoodpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt
--echo # --echo #
@ -106,6 +105,22 @@ set global pam_winbind_workaround=1;
--remove_file $MYSQLTEST_VARDIR/tmp/pam_ugly.txt --remove_file $MYSQLTEST_VARDIR/tmp/pam_ugly.txt
drop user PAM_TEST; drop user PAM_TEST;
--echo #
--echo # MDEV-27341 Use SET PASSWORD to change PAM service
--echo #
create user pam_test identified via pam using 'mariadb_mtr';
--write_file $MYSQLTEST_VARDIR/tmp/setpwd.txt
not very secret challenge
9225
select user(), current_user(), database();
error ER_SET_PASSWORD_AUTH_PLUGIN;
set password='foo';
show create user;
EOF
--exec $MYSQL_TEST -u pam_test < $MYSQLTEST_VARDIR/tmp/setpwd.txt
--remove_file $MYSQLTEST_VARDIR/tmp/setpwd.txt
drop user pam_test;
let $count_sessions= 1; let $count_sessions= 1;
--source include/wait_until_count_sessions.inc --source include/wait_until_count_sessions.inc
uninstall plugin pam; uninstall plugin pam;

6
sql/sql_acl.cc
View File

@ -2135,6 +2135,12 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user,
goto end; goto end;
} }
if (thd->lex->sql_command == SQLCOM_SET_OPTION && !info->hash_password)
{
res= ER_SET_PASSWORD_AUTH_PLUGIN;
goto end;
}
if (info->hash_password && if (info->hash_password &&
validate_password(thd, user, pwtext, auth->auth_string.length)) validate_password(thd, user, pwtext, auth->auth_string.length))
{ {