1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

MDEV-30904 "rpm --setugids" breaks PAM authentication

Browse Source 
move user/group creation from %post to %pre as Fedora packaging
guidelines say. This allows to use %attr() to set the correct
ownership of files
This commit is contained in:
Sergei Golubchik 2023-08-07 21:02:03 +02:00
parent e78ce63291
commit fe86d04ea7
3 changed files with 13 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
plugin/auth_pam/CMakeLists.txt
View File

@ -42,9 +42,15 @@ IF(HAVE_PAM_APPL_H AND HAVE_GETGROUPLIST)
IF (TARGET auth_pam) IF (TARGET auth_pam)
MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server) MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server)
TARGET_LINK_LIBRARIES(auth_pam_tool pam) TARGET_LINK_LIBRARIES(auth_pam_tool pam)
IF (CMAKE_MAJOR_VERSION EQUAL 2)
# 2.8.12 bug (in CentOS 7)
SET(user mysql)
ELSE()
SET(user "%{mysqld_user}")
ENDIF()
SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST} SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
"%attr(700,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir" "%attr(700,${user},-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir"
"%attr(4755,-,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool") "%attr(4755,root,-) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool")
SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST} PARENT_SCOPE) SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST} PARENT_SCOPE)
ENDIF() ENDIF()
IF(TARGET auth_pam OR TARGET auth_pam_v1) IF(TARGET auth_pam OR TARGET auth_pam_v1)

10
support-files/rpm/server-postin.sh
View File

@ -37,13 +37,6 @@ if [ $1 = 1 ] ; then
fi fi
fi fi
# Create a MySQL user and group. Do not report any problems if it already
# exists.
groupadd -r %{mysqld_group} 2> /dev/null || true
useradd -M -r --home $datadir --shell /sbin/nologin --comment "MySQL server" --gid %{mysqld_group} %{mysqld_user} 2> /dev/null || true
# The user may already exist, make sure it has the proper group nevertheless (BUG#12823)
usermod --gid %{mysqld_group} %{mysqld_user} 2> /dev/null || true
# Temporary Workaround for MDEV-11386 - will be corrected in Advance Toolchain 10.0-3 and 8.0-8 # Temporary Workaround for MDEV-11386 - will be corrected in Advance Toolchain 10.0-3 and 8.0-8
for ldconfig in /opt/at*/sbin/ldconfig; do for ldconfig in /opt/at*/sbin/ldconfig; do
test -x $ldconfig && $ldconfig test -x $ldconfig && $ldconfig
@ -69,9 +62,6 @@ if [ $1 = 1 ] ; then
chmod -R og-rw $datadir/mysql chmod -R og-rw $datadir/mysql
fi fi
# Set the correct filesystem ownership for the PAM v2 plugin
chown %{mysqld_user} /usr/lib*/mysql/plugin/auth_pam_tool_dir
# install SELinux files - but don't override existing ones # install SELinux files - but don't override existing ones
SETARGETDIR=/etc/selinux/targeted/src/policy SETARGETDIR=/etc/selinux/targeted/src/policy
SEDOMPROG=$SETARGETDIR/domains/program SEDOMPROG=$SETARGETDIR/domains/program

5
support-files/rpm/server-prein.sh
View File

@ -65,3 +65,8 @@ HERE
fi fi
fi fi
# Create a MySQL user and group. Do not report any problems if it already exists.
groupadd -r %{mysqld_group} 2> /dev/null || true
useradd -M -r --home %{mysqldatadir} --shell /sbin/nologin --comment "MySQL server" --gid %{mysqld_group} %{mysqld_user} 2> /dev/null || true
# The user may already exist, make sure it has the proper group nevertheless (BUG#12823)
usermod --gid %{mysqld_group} %{mysqld_user} 2> /dev/null || true