Move PAM authentication plugin to a standalone sub-package, suggested by the server sub-package to minimize potential security risks to only to the users which will install this plugin. https://jira.mariadb.org/browse/MDEV-25126

This commit is contained in:
Michal Schorm 2021-03-17 05:16:47 +01:00
parent c356ff4717
commit 51cd6d3ae2

View File

@ -61,6 +61,9 @@
# hierarchies and more complex graph structures to be handled in a relational fashion
%bcond_without oqgraph
# PAM authentication plugin
%bcond_without pam
# Other plugins
# S3 storage engine
# https://mariadb.com/kb/en/s3-storage-engine/
@ -242,8 +245,6 @@ BuildRequires: bison bison-devel
%{?with_debug:BuildRequires: valgrind-devel}
# auth_pam.so plugin will be build if pam-devel is installed
BuildRequires: pam-devel
# use either new enough version of pcre2 or provide bundles(pcre2)
%{?with_unbundled_pcre:BuildRequires: pcre2-devel >= 10.34 pkgconf}
%{!?with_unbundled_pcre:Provides: bundled(pcre2) = %{pcre_bundled_version}}
@ -445,6 +446,7 @@ Recommends: %{name}-backup%{?_isa} = %{sameevr}
%{?with_sphinx:Suggests: %{name}-sphinx-engine%{?_isa} = %{sameevr}}
%{?with_oqgraph:Suggests: %{name}-oqgraph-engine%{?_isa} = %{sameevr}}
%{?with_connect:Suggests: %{name}-connect-engine%{?_isa} = %{sameevr}}
%{?with_pam:Suggests: %{name}-pam%{?_isa} = %{sameevr}}
Suggests: mytop
Suggests: logrotate
@ -589,6 +591,21 @@ This plugin includes support for Kerberos on Unix.
%endif
%if %{with pam}
%package pam
Summary: PAM authentication plugin for the MariaDB server
Requires: %{name}-server%{?_isa} = %{sameevr}
# This subpackage NEED the 'mysql' user/group (created during mariadb-server %pre) to be available prior installation
Requires(pre): %{name}-server%{?_isa} = %{sameevr}
BuildRequires: pam-devel
%description pam
PAM authentication server-side plugin for MariaDB.
%endif
%if %{with sphinx}
%package sphinx-engine
Summary: The Sphinx storage engine for MariaDB
@ -1450,11 +1467,10 @@ fi
%exclude %{_libdir}/%{pkg_name}/plugin/mysql_clear_password.so
%endif
%attr(0755,root,root) %dir %{_libdir}/%{pkg_name}/plugin/auth_pam_tool_dir
# SUID-to-root binary. Access MUST be restricted (https://jira.mariadb.org/browse/MDEV-25126)
%attr(4750,root,mysql) %{_libdir}/%{pkg_name}/plugin/auth_pam_tool_dir/auth_pam_tool
%{_libdir}/security/pam_user_map.so
%{_sysconfdir}/security/user_map.conf
# PAM plugin; moved to a standalone sub-package
%exclude %{_libdir}/%{pkg_name}/plugin/{auth_pam_v1.so,auth_pam.so}
%exclude %dir %{_libdir}/%{pkg_name}/plugin/auth_pam_tool_dir
%exclude %{_libdir}/%{pkg_name}/plugin/auth_pam_tool_dir/auth_pam_tool
%{_mandir}/man1/aria_{chk,dump_log,ftdump,pack,read_log}.1*
%{_mandir}/man1/galera_new_cluster.1*
@ -1577,6 +1593,16 @@ fi
%config(noreplace) %{_sysconfdir}/my.cnf.d/auth_gssapi.cnf
%endif
%if %{with pam}
%files pam
%{_libdir}/%{pkg_name}/plugin/{auth_pam_v1.so,auth_pam.so}
%attr(0755,root,root) %dir %{_libdir}/%{pkg_name}/plugin/auth_pam_tool_dir
# SUID-to-root binary. Access MUST be restricted (https://jira.mariadb.org/browse/MDEV-25126)
%attr(4750,root,mysql) %{_libdir}/%{pkg_name}/plugin/auth_pam_tool_dir/auth_pam_tool
%{_libdir}/security/pam_user_map.so
%{_sysconfdir}/security/user_map.conf
%endif
%if %{with sphinx}
%files sphinx-engine
%{_libdir}/%{pkg_name}/plugin/ha_sphinx.so