MDEV-30904 "rpm --setugids" breaks PAM authentication

move user/group creation from %post to %pre as Fedora packaging guidelines say. This allows to use %attr() to set the correct ownership of files

MDEV-30904 "rpm --setugids" breaks PAM authentication
move user/group creation from %post to %pre as Fedora packaging guidelines say. This allows to use %attr() to set the correct ownership of files
fe86d04e · Sergei Golubchik · e78ce632 · fe86d04e · fe86d04e · fe86d04e
Commit fe86d04e authored Aug 07, 2023 by Sergei Golubchik
3 changed files
--- a/plugin/auth_pam/CMakeLists.txt
+++ b/plugin/auth_pam/CMakeLists.txt
@@ -42,9 +42,15 @@ IF(HAVE_PAM_APPL_H AND HAVE_GETGROUPLIST)
  IF (TARGET auth_pam)
    MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server)
    TARGET_LINK_LIBRARIES(auth_pam_tool pam)
+    IF (CMAKE_MAJOR_VERSION EQUAL 2)
+      # 2.8.12 bug (in CentOS 7)
+      SET(user mysql)
+    ELSE()
+      SET(user "%{mysqld_user}")
+    ENDIF()
    SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
-        "%attr(700,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
+        "%attr(700,${user},-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
-        "%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")
+        "%attr(4755,root,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")
    SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST} PARENT_SCOPE)
  ENDIF()
  IF(TARGET auth_pam OR TARGET auth_pam_v1)

--- a/support-files/rpm/server-postin.sh
+++ b/support-files/rpm/server-postin.sh
@@ -37,13 +37,6 @@ if [ $1 = 1 ] ; then
    fi
  fi
-  # Create a MySQL user and group. Do not report any problems if it already
-  # exists.
-  groupadd -r %{mysqld_group} 2> /dev/null || true
-  useradd -M -r --home $datadir --shell /sbin/nologin --comment "MySQL server" --gid %{mysqld_group} %{mysqld_user} 2> /dev/null || true
-  # The user may already exist, make sure it has the proper group nevertheless (BUG#12823)
-  usermod --gid %{mysqld_group} %{mysqld_user} 2> /dev/null || true
  # Temporary Workaround for MDEV-11386 - will be corrected in Advance Toolchain 10.0-3 and 8.0-8
  for ldconfig in /opt/at*/sbin/ldconfig; do
     test -x $ldconfig && $ldconfig
@@ -69,9 +62,6 @@ if [ $1 = 1 ] ; then
  chmod -R og-rw $datadir/mysql
 fi
-# Set the correct filesystem ownership for the PAM v2 plugin
-chown %{mysqld_user} /usr/lib*/mysql/plugin/auth_pam_tool_dir
 # install SELinux files - but don't override existing ones
 SETARGETDIR=/etc/selinux/targeted/src/policy
 SEDOMPROG=$SETARGETDIR/domains/program

--- a/support-files/rpm/server-prein.sh
+++ b/support-files/rpm/server-prein.sh
@@ -65,3 +65,8 @@ HERE
  fi
 fi
+# Create a MySQL user and group. Do not report any problems if it already exists.
+groupadd -r %{mysqld_group} 2> /dev/null || true
+useradd -M -r --home %{mysqldatadir} --shell /sbin/nologin --comment "MySQL server" --gid %{mysqld_group} %{mysqld_user} 2> /dev/null || true
+# The user may already exist, make sure it has the proper group nevertheless (BUG#12823)
+usermod --gid %{mysqld_group} %{mysqld_user} 2> /dev/null || true