diff --git a/SPECS/mariadb.spec b/SPECS/mariadb.spec index bd40bda..2c66727 100644 --- a/SPECS/mariadb.spec +++ b/SPECS/mariadb.spec @@ -61,6 +61,9 @@ # hierarchies and more complex graph structures to be handled in a relational fashion %bcond_without oqgraph +# PAM authentication plugin +%bcond_without pam + # Other plugins %if 0%{?fedora} %bcond_without cracklib @@ -152,7 +155,7 @@ Name: mariadb Version: 10.5.8 -Release: 2%{?with_debug:.debug}%{?dist} +Release: 4%{?with_debug:.debug}%{?dist} Epoch: 3 Summary: A very fast and robust SQL database server @@ -444,6 +447,7 @@ Recommends: %{name}-backup%{?_isa} = %{sameevr} %{?with_sphinx:Suggests: %{name}-sphinx-engine%{?_isa} = %{sameevr}} %{?with_oqgraph:Suggests: %{name}-oqgraph-engine%{?_isa} = %{sameevr}} %{?with_connect:Suggests: %{name}-connect-engine%{?_isa} = %{sameevr}} +%{?with_pam:Suggests: %{name}-pam%{?_isa} = %{sameevr}} Suggests: mytop Suggests: logrotate @@ -588,6 +592,21 @@ This plugin includes support for Kerberos on Unix. %endif +%if %{with pam} +%package pam +Summary: PAM authentication plugin for the MariaDB server + +Requires: %{name}-server%{?_isa} = %{sameevr} +# This subpackage NEED the 'mysql' user/group (created during mariadb-server %pre) to be available prior installation +Requires(pre): %{name}-server%{?_isa} = %{sameevr} + +BuildRequires: pam-devel + +%description pam +PAM authentication server-side plugin for MariaDB. +%endif + + %if %{with sphinx} %package sphinx-engine Summary: The Sphinx storage engine for MariaDB @@ -1416,10 +1435,6 @@ fi %dir %{_libdir}/%{pkg_name} %dir %{_libdir}/%{pkg_name}/plugin -# Change from root:root to mysql:mysql, so it can be accessed by the server -%attr(0755,mysql,mysql) %dir %{_libdir}/%{pkg_name}/plugin/auth_pam_tool_dir -%{_libdir}/security/pam_user_map.so -%{_sysconfdir}/security/user_map.conf %{_libdir}/%{pkg_name}/plugin/* %{?with_oqgraph:%exclude %{_libdir}/%{pkg_name}/plugin/ha_oqgraph.so} %{?with_connect:%exclude %{_libdir}/%{pkg_name}/plugin/ha_connect.so} @@ -1433,6 +1448,11 @@ fi %exclude %{_libdir}/%{pkg_name}/plugin/mysql_clear_password.so %endif +# PAM plugin; moved to a standalone sub-package +%exclude %{_libdir}/%{pkg_name}/plugin/{auth_pam_v1.so,auth_pam.so} +%exclude %dir %{_libdir}/%{pkg_name}/plugin/auth_pam_tool_dir +%exclude %{_libdir}/%{pkg_name}/plugin/auth_pam_tool_dir/auth_pam_tool + %{_mandir}/man1/aria_{chk,dump_log,ftdump,pack,read_log,s3_copy}.1* %{_mandir}/man1/galera_new_cluster.1* %{_mandir}/man1/galera_recovery.1* @@ -1554,6 +1574,16 @@ fi %config(noreplace) %{_sysconfdir}/my.cnf.d/auth_gssapi.cnf %endif +%if %{with pam} +%files pam +%{_libdir}/%{pkg_name}/plugin/{auth_pam_v1.so,auth_pam.so} +%attr(0755,root,root) %dir %{_libdir}/%{pkg_name}/plugin/auth_pam_tool_dir +# SUID-to-root binary. Access MUST be restricted (https://jira.mariadb.org/browse/MDEV-25126) +%attr(4750,root,mysql) %{_libdir}/%{pkg_name}/plugin/auth_pam_tool_dir/auth_pam_tool +%{_libdir}/security/pam_user_map.so +%{_sysconfdir}/security/user_map.conf +%endif + %if %{with sphinx} %files sphinx-engine %{_libdir}/%{pkg_name}/plugin/ha_sphinx.so @@ -1631,6 +1661,12 @@ fi %endif %changelog +* Fri Mar 19 2021 Michal Schorm - 10.5.8-4 +- Move the PAM plugin to a standalone sub-package + +* Thu Mar 18 2021 Michal Schorm - 10.5.8-3 +- Fix permissions of the PAMv2 plugin files + * Tue Feb 16 2021 Michal Schorm - 10.5.8-2 - Bump release after several commits cherry-picked from Fedora Rawhide