#31 pam: install extra systemd access for pam
Closed 3 years ago by danielblack_mariadb. Opened 3 years ago by danielblack_mariadb.
rpms/danielblack_mariadb/mariadb: pam into rawhide

file modified
+8
@@ -181,6 +181,7 @@ 

  Source15:         mysql-scripts-common.sh

  Source16:         mysql-check-upgrade.sh

  Source18:         mysql@.service.in

+ Source19:         pam-extention-mysql.service

  Source50:         rh-skipped-tests-base.list

  Source51:         rh-skipped-tests-arm.list

  Source52:         rh-skipped-tests-s390.list
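Review bot: The new Source19 filename `pam-extention-mysql.service` misspells "extension", and its `.service` suffix is misleading because the file is never installed as a unit; it is installed as a `.service.d/pam.conf` drop-in. Rename it (for example `mysql-pam.conf`) or at least fix the spelling before it lands, since renaming a Source file later means touching the spec and the source tree again.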
@@ -995,6 +996,11 @@ 

  install -D -p -m 644 %{_vpath_builddir}/scripts/mysql.service %{buildroot}%{_unitdir}/%{daemon_name}.service

  install -D -p -m 644 %{_vpath_builddir}/scripts/mysql@.service %{buildroot}%{_unitdir}/%{daemon_name}@.service

  

+ %if %{with pam}

+ install -D -p -m 0644 %{SOURCE19} %{buildroot}%{_unitdir}/%{daemon_name}.service.d/pam.conf

+ install -D -p -m 0644 %{SOURCE19} %{buildroot}%{_unitdir}/%{daemon_name}@.service.d/pam.conf

+ %endif

+ 

  # helper scripts for service starting

  install -p -m 755 %{_vpath_builddir}/scripts/mysql-prepare-db-dir %{buildroot}%{_libexecdir}/mysql-prepare-db-dir

  install -p -m 755 %{_vpath_builddir}/scripts/mysql-check-socket %{buildroot}%{_libexecdir}/mysql-check-socket
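Review bot: The two install lines place the drop-ins correctly (template drop-ins do belong under `%{daemon_name}@.service.d/`), but nothing in the hunk arranges a `systemctl daemon-reload`, so on an upgrade of an already-running server the new capability configuration is not applied until the next reload or reboot; either add that to the scriptlets or confirm that the existing systemd scriptlet macros or file triggers already cover drop-ins under `%{_unitdir}`. Cosmetically, `-m 0644` differs from the `-m 644` used on the adjacent install lines.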
@@ -1593,6 +1599,8 @@ 

  %attr(4750,root,mysql) %{_libdir}/%{pkg_name}/plugin/auth_pam_tool_dir/auth_pam_tool

  %{_libdir}/security/pam_user_map.so

  %{_sysconfdir}/security/user_map.conf

+ %{_unitdir}/%{daemon_name}.service.d/pam.conf

+ %{_unitdir}/%{daemon_name}@.service.d/pam.conf

  %endif

  

  %if %{with sphinx}
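Review bot: Listing the two drop-ins in the PAM subpackage's `%files` means that merely installing the subpackage changes the capability configuration of the main unit and of every `@` instance, whether or not the `auth_pam` plugin is ever loaded (the PR adds no `plugin_load_add` configuration for it). If the capability is only wanted while the plugin is active, say so in the spec or in the drop-in's comment so an administrator knows what installing the subpackage does to the daemon, and where a local override under `/etc/systemd/system` would go.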

@@ -0,0 +1,7 @@ 

+ 

+ [Service]

+ 

+ # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0

+ #   does nothing for non-root, not needed if /etc/shadow is u+r

+ 

+ CapabilityBoundingSet=CAP_DAC_OVERRIDE
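Review bot: `CapabilityBoundingSet=CAP_DAC_OVERRIDE` is a bounding-set assignment, not an addition, so the comment "To allow auth_pam_tool ... to read /etc/shadow" does not describe what the line does. If the base unit sets no `CapabilityBoundingSet=`, this drop-in shrinks the service's bounding set to CAP_DAC_OVERRIDE alone, which also caps what the SUID-root `auth_pam_tool` can obtain when mysqld executes it (a setuid-root binary's permitted set is limited to the caller's bounding set); if the base unit does set one, systemd merges the two lists by OR. Either way the effect depends on the base unit, which is not shown here, so state which case is intended. If the goal is least privilege for the helper, say so explicitly and list every capability the daemon itself still needs; if the intent is merely that CAP_DAC_OVERRIDE not be dropped, the line is redundant when the base unit has no bounding set. The comment's own caveat that the capability is "not needed if /etc/shadow is u+r" suggests checking the mode the distribution gives `/etc/shadow` before deciding whether the file is needed at all. Minor: the new file starts with a blank line.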

I will need some more explanation as, why we need this capability.

For me, the PAM v2 is working just fine on Fedora, so I don't see the reason to add something to it.

Can you please explain to me why we need this?

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

rebased onto 3c5346c

3 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

@ljavorsk please review it, since you recently dealt with the capabilities

It's probably only the beginning of what's needed:
* systemd daemon-reload triggers?
* a /etc/my.cnf.d/pam.conf - plugin_load_add =auth_pam - https://mariadb.com/kb/en/authentication-plugin-pam/#installing-the-plugin
* /etc/pam.d/mariadb which is well into the distribution policy


Ok. You're probably right. I've potentially done some testing of pam that wasn't correctly restored.

Pull-Request has been closed by danielblack_mariadb

3 years ago