Add a feature to support supplementary groups

Bug #1160348 reported by Jaime Sicam
This bug affects 1 person
Affects: percona-pam-for-mysql
Status: Fix Released
Importance: Wishlist
Assigned to: Sergei Glushchenko
Milestone: (none listed)

Bug Description

The limitation of the PAM plugin for proxy users is that a lookup for a group is limited to the initial group and not its supplementary groups as discussed in https://bugs.launchpad.net/percona-pam-for-mysql/+bug/1091566

Testing PAM authentication with initial and supplementary groups

Create proxy user:
mysql> create user ''@'' identified with auth_pam as 'mysqld,developer=developer_user';

Note:
mysqld => PAM
''@'' => Proxy user
developer => Unix Group
developer_user => Proxied User

Create proxied user:
mysql> create user developer_user@localhost identified by 'sample_password';

Configure proxy:
mysql> grant proxy on developer_user@localhost to ''@'';
mysql> FLUSH PRIVILEGES;

Create group:
#groupadd developer;

Create users:
#useradd -g developer devuser1
#passwd devuser1
#useradd devuser2
#passwd devuser2

#usermod -G developer devuser2

Testing access:
#mysql -u devuser1 -p
mysql> select user(), current_user(), @@proxy_user;
+--------------------+--------------------------+--------------+
| user()             | current_user()           | @@proxy_user |
+--------------------+--------------------------+--------------+
| devuser1@localhost | developer_user@localhost | ''@''        |
+--------------------+--------------------------+--------------+

#mysql -u devuser2 -p
mysql> select user(), current_user(), @@proxy_user;
+--------------------+----------------+--------------+
| user()             | current_user() | @@proxy_user |
+--------------------+----------------+--------------+
| devuser2@localhost | @              | NULL         |
+--------------------+----------------+--------------+
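
Added example, not part of the original report or the plugin's own code: a Python model of the group-to-proxied-user lookup, comparing a primary-group-only check with one that also consults supplementary groups. The account data is constructed from the test steps above; the function names, the first-match rule and devuser2's user-private primary group are assumptions.

```python
# Constructed account data mirroring the report's test setup (not read from
# the live system). Assumption: "useradd devuser2" without -g created a
# user-private primary group named "devuser2".
PRIMARY_GROUP = {"devuser1": "developer", "devuser2": "devuser2"}
# /etc/group-style member lists, as written by "usermod -G developer devuser2".
GROUP_MEMBERS = {"developer": ["devuser2"], "devuser2": []}

AUTH_STRING = "mysqld,developer=developer_user"  # from the CREATE USER above


def parse_auth_string(auth_string):
    """Split 'service,group=user,...' into (service, [(group, user), ...])."""
    service, *pairs = [part.strip() for part in auth_string.split(",")]
    mappings = []
    for pair in pairs:
        group, sep, proxied = pair.partition("=")
        if not (sep and group.strip() and proxied.strip()):
            raise ValueError(f"malformed group mapping: {pair!r}")
        mappings.append((group.strip(), proxied.strip()))
    return service, mappings


def groups_of(user, include_supplementary):
    """Primary group first, then (optionally) groups listing the user as member."""
    groups = [PRIMARY_GROUP[user]]
    if include_supplementary:
        groups += sorted(g for g, members in GROUP_MEMBERS.items()
                         if user in members and g not in groups)
    return groups


def resolve_proxied_user(user, auth_string, include_supplementary):
    """Return the proxied MySQL account for a Unix user, or None if no match."""
    _, mappings = parse_auth_string(auth_string)
    member_of = set(groups_of(user, include_supplementary))
    for group, proxied in mappings:  # assumption: first matching mapping wins
        if group in member_of:
            return proxied
    return None


if __name__ == "__main__":
    for user in ("devuser1", "devuser2"):
        for supp in (False, True):
            print(user, "supplementary" if supp else "primary-only",
                  "->", resolve_proxied_user(user, AUTH_STRING, supp))
```

With supplementary groups honoured, every account listed as a member of a mapped group resolves to the proxied user, so the group member lists need the same review as the mappings in the auth string.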


Changed in percona-pam-for-mysql:
assignee: nobody → Sergei Glushchenko (sergei.glushchenko)
status: New → In Progress
Changed in percona-pam-for-mysql:
status: In Progress → Fix Committed
Changed in percona-pam-for-mysql:
importance: Undecided → Wishlist
Changed in percona-pam-for-mysql:
status: Fix Committed → Fix Released
Shahriyar Rzayev (rzayev-sehriyar) wrote:

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-97
