MDEV-6284: Sync correct Debian handling of auth_pam_tool

Manages the security risk in way that also fixes Lintian warning: W: mariadb-server-10.5: setuid-binary usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool 4755 root/root Applied downstream in https://salsa.debian.org/mariadb-team/mariadb-10.4/-/commit/9605a48a99a61f439698676da192799de45d732a

MDEV-6284: Sync correct Debian handling of auth_pam_tool
Manages the security risk in way that also fixes Lintian warning: W: mariadb-server-10.5: setuid-binary usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool 4755 root/root Applied downstream in https://salsa.debian.org/mariadb-team/mariadb-10.4/-/commit/9605a48a99a61f439698676da192799de45d732a
a4c54805 · Otto Kekäläinen · Vicențiu-Marian Ciorbaru · 4e946b0f · a4c54805 · a4c54805
Commit a4c54805 authored Apr 08, 2020 by Otto Kekäläinen Committed by Vicențiu-Marian Ciorbaru Apr 19, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 6 deletions

debian/mariadb-server-10.5.postinst debian/mariadb-server-10.5.postinst +17 -1

debian/rules debian/rules +0 -5

No files found.
--- a/debian/mariadb-server-10.5.postinst
+++ b/debian/mariadb-server-10.5.postinst
@@ -95,7 +95,23 @@ EOF
    chmod 2750 $mysql_logdir
    set -e

-    # Set the correct filesystem ownership for the PAM v2 plugin
+    ## Set the correct filesystem ownership for the PAM v2 plugin
+    # eg. /usr/lib/x86_64-linux-gnu/mysql/plugin/auth_pam_tool_dir/
+    # NOTE! This is security sensitive, don't allow for a race condition.
+    #
+    # 1. Drop privileges of directory
+    # -> At this point only root can see and execute auth_pam_tool
+    chmod 0700 /usr/lib/mysql/plugin/auth_pam_tool_dir
+    #
+    # 2. Make binary setuid
+    # -> At this point only root can run the setuid binary so no escalation here yet
+    chmod 04755 /usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
+    #
+    # 3. Allow user 'mysql' to see and execute auth_pam_tool
+    # -> Now user mysql owns the directory and can see and execute the binary inside
+    # -> Since the binary is setuid, user mysql gets limited root powers here to
+    #    run the PAM authetications, which need root (e.g. to validate passwords
+    #    against /etc/shadow)
    chown mysql /usr/lib/mysql/plugin/auth_pam_tool_dir

    # This is important to avoid dataloss when there is a removed

--- a/debian/rules
+++ b/debian/rules
@@ -164,11 +164,6 @@ endif
 	# Move test plugins that are only needed by the client to the libmariadb path
 	mv -v $(TMP)/usr/lib/mysql/plugin/qa_auth_client.so $(TMP)/usr/lib/$(DEB_HOST_MULTIARCH)/libmariadb3/plugin/

-override_dh_fixperms:
-	dh_fixperms
-	chmod 04755 debian/mariadb-server-10.5/usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
-	chmod  0700 debian/mariadb-server-10.5/usr/lib/mysql/plugin/auth_pam_tool_dir
-
 override_dh_installlogrotate-arch:
 	dh_installlogrotate --name mysql-server