From fe86d04ea74192c75ab5c90e433fa3cc7a58bd0b Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Mon, 7 Aug 2023 21:02:03 +0200
Subject: [PATCH] MDEV-30904 "rpm --setugids" breaks PAM authentication

move user/group creation from %post to %pre as Fedora packaging guidelines say. This allows to use %attr() to set the correct ownership of files
---
 plugin/auth_pam/CMakeLists.txt | 10 ++++++++--
 support-files/rpm/server-postin.sh | 10 ----------
 support-files/rpm/server-prein.sh | 5 +++++
 3 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/plugin/auth_pam/CMakeLists.txt b/plugin/auth_pam/CMakeLists.txt
index 6d2dc72b097..49e02b339c7 100644
--- a/plugin/auth_pam/CMakeLists.txt
+++ b/plugin/auth_pam/CMakeLists.txt
@@ -42,9 +42,15 @@ IF(HAVE_PAM_APPL_H AND HAVE_GETGROUPLIST)
 IF (TARGET auth_pam)
 MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server)
 TARGET_LINK_LIBRARIES(auth_pam_tool pam)
+ IF (CMAKE_MAJOR_VERSION EQUAL 2)
+ # 2.8.12 bug (in CentOS 7)
+ SET(user mysql)
+ ELSE()
+ SET(user "%{mysqld_user}")
+ ENDIF()
 SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
- "%attr(700,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
- "%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")
+ "%attr(700,${user},-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
+ "%attr(4755,root,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")
 SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST} PARENT_SCOPE)
 ENDIF()
 IF(TARGET auth_pam OR TARGET auth_pam_v1)
diff --git a/support-files/rpm/server-postin.sh b/support-files/rpm/server-postin.sh
index 61c417e3e7d..af19f9df14b 100644
--- a/support-files/rpm/server-postin.sh
+++ b/support-files/rpm/server-postin.sh
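Review bot: The CMake 2 branch sets `SET(user mysql)` while the other branch uses `%{mysqld_user}`, so on a CMake 2.8.12 build the owner written into %attr(700,…) silently diverges from the account server-prein.sh creates whenever the spec defines mysqld_user as anything other than mysql, and `# 2.8.12 bug (in CentOS 7)` does not say what the bug is. I would expand the comment to something like `# CMake 2.8.12 (CentOS 7) cannot pass the %{mysqld_user} rpm macro through CPACK_RPM_server_USER_FILELIST, so fall back to the literal name; it must match mysqld_user in the spec` — presumably that is the bug, please confirm — and give the variable a less generic name such as `pam_tool_owner`, since `user` stays visible after the IF block unless this code runs inside a function. Pinning the setuid binary to `%attr(4755,root,-)` instead of `-` is the right part of this change: a mode-4755 file must be root-owned regardless of what %defattr says, otherwise the tool runs as whatever owner the default happens to be. The enclosing IF(HAVE_PAM_APPL_H …) block starts and ends outside the hunk.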
@@ -37,13 +37,6 @@ if [ $1 = 1 ] ; then
 fi
 fi
 
- # Create a MySQL user and group. Do not report any problems if it already
- # exists.
- groupadd -r %{mysqld_group} 2> /dev/null || true
- useradd -M -r --home $datadir --shell /sbin/nologin --comment "MySQL server" --gid %{mysqld_group} %{mysqld_user} 2> /dev/null || true
- # The user may already exist, make sure it has the proper group nevertheless (BUG#12823)
- usermod --gid %{mysqld_group} %{mysqld_user} 2> /dev/null || true
-
 # Temporary Workaround for MDEV-11386 - will be corrected in Advance Toolchain 10.0-3 and 8.0-8
 for ldconfig in /opt/at*/sbin/ldconfig; do
 test -x $ldconfig && $ldconfig
@@ -69,9 +62,6 @@ if [ $1 = 1 ] ; then
 chmod -R og-rw $datadir/mysql
 fi
 
-# Set the correct filesystem ownership for the PAM v2 plugin
-chown %{mysqld_user} /usr/lib*/mysql/plugin/auth_pam_tool_dir
-
 # install SELinux files - but don't override existing ones
 SETARGETDIR=/etc/selinux/targeted/src/policy
 SEDOMPROG=$SETARGETDIR/domains/program
diff --git a/support-files/rpm/server-prein.sh b/support-files/rpm/server-prein.sh
index d6f77c29e49..200d8bf160f 100644
--- a/support-files/rpm/server-prein.sh
+++ b/support-files/rpm/server-prein.sh
@@ -65,3 +65,8 @@ HERE
 fi
 fi
 
+# Create a MySQL user and group. Do not report any problems if it already exists.
+groupadd -r %{mysqld_group} 2> /dev/null || true
+useradd -M -r --home %{mysqldatadir} --shell /sbin/nologin --comment "MySQL server" --gid %{mysqld_group} %{mysqld_user} 2> /dev/null || true
+# The user may already exist, make sure it has the proper group nevertheless (BUG#12823)
+usermod --gid %{mysqld_group} %{mysqld_user} 2> /dev/null || true
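Review bot: The lines added to server-prein.sh keep the `2> /dev/null || true` pattern on groupadd, useradd and usermod, which now hides a real failure at exactly the point where the package depends on the account existing: the CMakeLists.txt hunk in this commit makes rpm own auth_pam_tool_dir via `%attr(700,%{mysqld_user},-)`, and if the user is missing at install time rpm will presumably fall back to another owner and PAM authentication through auth_pam_tool breaks without any message, which is the symptom MDEV-30904 is about. Since %pre may abort the install, I would use the guarded form the Fedora guidelines the commit message cites recommend, `getent group %{mysqld_group} >/dev/null || groupadd -r %{mysqld_group}` and `getent passwd %{mysqld_user} >/dev/null || useradd -M -r --home %{mysqldatadir} --shell /sbin/nologin --comment "MySQL server" --gid %{mysqld_group} %{mysqld_user}`, and end the block with `getent passwd %{mysqld_user} >/dev/null || exit 1` so a failed account creation is reported rather than swallowed. The new block also appears to sit outside any `$1` test, whereas the copy removed from server-postin.sh was under `if [ $1 = 1 ]`, so `usermod --gid` now runs on every upgrade and will reset the primary group of an account an administrator has changed; if that is unintended, wrap the block in the same `if [ $1 = 1 ]` guard.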