From b16e9c1e2d73cb06eddbe8cec1429a2e6386ea59 Mon Sep 17 00:00:00 2001
From: Sebastian Kemper
Date: Mon, 11 May 2020 22:28:06 +0200
Subject: [PATCH] mariadb: update auth_pam handling
With INSTALL_PAMDIR undefined some items necessary for the auth_pam module aren't built. This adds the define so that configuration and shared object become available. This commit also tightens up the installation of the SUID tool. The directory it is copied into gets created on the build host already with u=rwx,g=rx,o=, so it cannot be accessed on target, except by root. The post-install script then changes group ownership of the directory to the "mariadb" group only if the directory is really a directory and owned by "root:root".
Signed-off-by: Sebastian Kemper
---
 utils/mariadb/Makefile | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/utils/mariadb/Makefile b/utils/mariadb/Makefile
index 5d5e1629e..9610b62c3 100644
--- a/utils/mariadb/Makefile
+++ b/utils/mariadb/Makefile
@@ -366,6 +366,7 @@ CMAKE_OPTIONS += \
 -DINSTALL_MANDIR=share/man \
 -DINSTALL_MYSQLSHAREDIR=share/mariadb \
 -DINSTALL_MYSQLTESTDIR="" \
+ -DINSTALL_PAMDIR="/lib/security" \
 -DINSTALL_PLUGINDIR=lib/mariadb/plugin \
 -DINSTALL_SBINDIR=bin \
 -DINSTALL_SCRIPTDIR=bin \
@@ -544,8 +545,18 @@ This package provides the $(1) plugin.
 $(INSTALL_DIR) $$(1)$(PLUGIN_DIR)
 $(call Package/mariadb/install/plugin,$$(1),$(1))
 ifeq ($(1),auth_pam)
- $(CP) $(PKG_INSTALL_DIR)$(PLUGIN_DIR)/auth_pam_tool_dir \
- $$(1)$(PLUGIN_DIR)
+ $(INSTALL_DIR) -m0750 $$(1)$(PLUGIN_DIR)/auth_pam_tool_dir
+ $(INSTALL_SUID) \
+ $(PKG_INSTALL_DIR)$(PLUGIN_DIR)/auth_pam_tool_dir/auth_pam_tool \
+ $$(1)$(PLUGIN_DIR)/auth_pam_tool_dir
+ $(INSTALL_DIR) $$(1)/etc/security
+ $(INSTALL_DATA) \
+ $(PKG_INSTALL_DIR)/etc/security/user_map.conf \
+ $$(1)/etc/security
+ $(INSTALL_DIR) $$(1)/lib/security
+ $(INSTALL_DATA) \
+ $(PKG_INSTALL_DIR)/lib/security/pam_user_map.so \
+ $$(1)/lib/security
 endif
 ifeq ($(1),ha_spider)
 $(INSTALL_DIR) $$(1)$(SHARE_DIR)
@@ -556,11 +567,18 @@ endif
 $$(eval $$(call BuildPackage,mariadb-server-plugin-$(subst _,-,$(1))))
 endef
+# Directory "auth_pam_tool_dir" is installed with '-m0750' above and
+# contains SUID binary "auth_pam_tool". Below post-install script
+# changes the group of "auth_pam_tool_dir" to mariadb, so user mariadb
+# can access the folder (and the SUID binary). The script only changes
+# the group if the directory is currently owned by "root:root".
 define Package/mariadb-server-plugin-auth-pam/postinst
 #!/bin/sh
 if [ -z "$${IPKG_INSTROOT}" ]; then
- chown root:mariadb /usr/lib/mariadb/plugin/auth_pam_tool_dir > /dev/null 2>&1
- chmod 0750 /usr/lib/mariadb/plugin/auth_pam_tool_dir > /dev/null 2>&1
+ dir="/usr/lib/mariadb/plugin/auth_pam_tool_dir"
+ if ! [ -L "$$dir" ] && [ -d "$$dir" ] && [ -O "$$dir" ] && [ -G "$$dir" ]; then
+ chown :mariadb "$$dir"
+ fi
 fi
 exit 0
 endef
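Review bot: `user_map.conf` is installed into `$$(1)/etc/security` with `$(INSTALL_DATA)`, but nothing in this hunk marks it as a configuration file, so a package upgrade may replace an administrator's edited PAM user mapping with the shipped default. Unless a conffiles section already exists outside the hunk, I would add `define Package/mariadb-server-plugin-auth-pam/conffiles`, `/etc/security/user_map.conf`, `endef` next to the package's postinst define. The install define edited here starts and ends outside the hunk, so this needs checking against the full template.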
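Review bot: The comment above the postinst says the group is changed only when the directory is owned by "root:root", but the `[ -O "$$dir" ]` and `[ -G "$$dir" ]` tests compare against the effective uid and gid of whatever process runs the script. That equals root:root only when the script runs as root with gid 0, which is presumably the case under opkg but is not stated. The guard also skips the `chown` silently when any test fails, which keeps the SUID helper directory closed but gives the administrator no hint why it was left alone. I would extend the comment with `# -O/-G test ownership against the installer's effective uid/gid (expected root:root);` and `# in any other state the directory is left untouched and must be fixed by hand.`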