rpm/deb and auth_pam_tool_dir/auth_pam_tool

don't let mysql_install_db set SUID bit for auth_pam_tool in rpm/deb packages - instead package files with correct permissions and only fix the ownership of auth_pam_tool_dir (which can only be done after mysql user is created, so in post-install). keep old mysql_install_db behavior for bintars

rpm/deb and auth_pam_tool_dir/auth_pam_tool
don't let mysql_install_db set SUID bit for auth_pam_tool in rpm/deb packages - instead package files with correct permissions and only fix the ownership of auth_pam_tool_dir (which can only be done after mysql user is created, so in post-install). keep old mysql_install_db behavior for bintars
9d18b624 · Sergei Golubchik · 7e378a8d · 9d18b624 · 9d18b624 · 9d18b624
Commit 9d18b624 authored Jan 15, 2020 by Sergei Golubchik
4 changed files
--- a/debian/mariadb-server-10.4.postinst
+++ b/debian/mariadb-server-10.4.postinst
@@ -94,6 +94,9 @@ EOF
    chmod 2750 $mysql_logdir
    set -e
+    # Set the correct filesystem ownership for the PAM v2 plugin
+    chown mysql /usr/lib/mysql/plugin/auth_pam_tool_dir
    # This is important to avoid dataloss when there is a removed
    # mysql-server version from Woody lying around which used the same
    # data directory and then somewhen gets purged by the admin.

--- a/debian/rules
+++ b/debian/rules
@@ -146,6 +146,10 @@ endif
 	ln -s libmariadb.so.3 $(TMP)/usr/lib/$(DEB_HOST_MULTIARCH)/libmysqlclient.so.19
 	ln -s libmariadb.so.3 $(TMP)/usr/lib/$(DEB_HOST_MULTIARCH)/libmysqlclient.so.20
+override_dh_fixperms:
+	dh_fixperms
+	chmod 04755 debian/mariadb-server-10.4/usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
+	chmod  0700 debian/mariadb-server-10.4/usr/lib/mysql/plugin/auth_pam_tool_dir
 override_dh_installlogrotate-arch:
 	dh_installlogrotate --name mysql-server

--- a/scripts/mysql_install_db.sh
+++ b/scripts/mysql_install_db.sh
@@ -478,16 +478,8 @@ do
  fi
 done
-if test -n "$user"
+if test -n "$user" -a "$in_rpm" -eq 0
 then
-  chown $user "$pamtooldir/auth_pam_tool_dir" && \
-  chmod 0700 "$pamtooldir/auth_pam_tool_dir"
-  if test $? -ne 0
-  then
-      echo "Cannot change ownership of the '$pamtooldir/auth_pam_tool_dir' directory"
-      echo " to the '$user' user. Check that you have the necessary permissions and try again."
-      exit 1
-  fi
  if test -z "$srcdir"
  then
    chown 0 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool" && \
@@ -499,6 +491,14 @@ then
        echo
    fi
  fi
+  chown $user "$pamtooldir/auth_pam_tool_dir" && \
+  chmod 0700 "$pamtooldir/auth_pam_tool_dir"
+  if test $? -ne 0
+  then
+      echo "Cannot change ownership of the '$pamtooldir/auth_pam_tool_dir' directory"
+      echo " to the '$user' user. Check that you have the necessary permissions and try again."
+      exit 1
+  fi
  args="$args --user=$user"
 fi

--- a/support-files/rpm/server-postin.sh
+++ b/support-files/rpm/server-postin.sh
@@ -69,11 +69,8 @@ if [ $1 = 1 ] ; then
  chmod -R og-rw $datadir/mysql
 fi
-# Set correct filesystem ownership/permissions for the PAM v2 plugin
+# Set the correct filesystem ownership for the PAM v2 plugin
-chown %{mysqld_group} /usr/lib*/mysql/plugin/auth_pam_tool_dir
+chown %{mysqld_user} /usr/lib*/mysql/plugin/auth_pam_tool_dir
-chmod 0700            /usr/lib*/mysql/plugin/auth_pam_tool_dir
-chown 0               /usr/lib*/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
-chmod 04755           /usr/lib*/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
 # install SELinux files - but don't override existing ones
 SETARGETDIR=/etc/selinux/targeted/src/policy