Comment 20 for bug 1274821

Sergei Glushchenko (sergei.glushchenko) wrote :

I've done a little debugging and found that the bug isn't related to a
failed readlink. It turned out that pam_unix.so is simply broken on
CentOS 5 for a non-root caller. If one uses the trick of adding the
mysql user to the shadow group or changing /etc/shadow's owner group to
mysql, then mysqld can access /etc/shadow and authenticate the user
against it. That is what the 'auth' module of pam_unix.so does. It gets
the password hash from /etc/shadow and compares it with the password the
user is trying to log in with. Then the 'account' module of auth_pam.so
should check whether the user is valid. Validation includes checks that
the user exists, its password is not blank, its account isn't expired
and so on. In our case it should be done, again, against /etc/shadow.

The trouble here is that pam_unix from CentOS 5 is patched by RedHat in
such a way that the 'account' module first verifies the caller's (mysqld)
process UID (mysql in our case) and, if it is not 0 (not root), fires
PAM_IGNORE.

"Ignore underlying account module regardless of whether the control
flag is required, optional, or sufficient" -- that is how PAM_IGNORE is
described.

So PAM falls back to pam_deny.so for 'account'. Now adding
'pam_permit.so' lets the user bypass 'account' without any checks.

To summarize:

1. We have nothing to fix in the Percona PAM plugin.
2. pam_unix.so in CentOS 5 is broken.
3. Adding pam_permit.so lets the user bypass account checks, which
   is a security concern.
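The stacking behaviour this comment describes can be reproduced without a CentOS 5 box by modelling how Linux-PAM walks an 'account' stack. The following is an added example, not code from the bug report, the Percona PAM plugin, pam_unix or Linux-PAM: it models the dispatch rules for the required/requisite/sufficient/optional control flags, the rule that a PAM_IGNORE return is dropped whatever the control flag, and the rule that a stack in which no module set a result is denied (the outcome the comment describes as falling back to pam_deny.so). The `SHADOW` table, the mysql UID of 27 and the two `pam_unix_account_*` functions are constructed for the example; the `_centos5` variant models only the "non-root caller gets PAM_IGNORE" behaviour the comment describes, the `_unpatched` variant applies the checks regardless of caller UID. Return-code values follow Linux-PAM's headers.

```python
"""Model of Linux-PAM 'account' stack evaluation (added example, not the
project's code) showing why a PAM_IGNORE from pam_unix leaves a non-root
caller denied and why adding pam_permit.so turns that into a bypass."""

# Return codes, numeric values as in Linux-PAM's _pam_types.h
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_USER_UNKNOWN = 10
PAM_ACCT_EXPIRED = 13
PAM_IGNORE = 25

# Constructed stand-in for /etc/shadow: user -> account state
SHADOW = {
    "alice": {"expired": False},
    "bob": {"expired": True},
}

MYSQL_UID = 27  # constructed, any non-zero UID behaves the same here


def _shadow_checks(user):
    """Account validation against the constructed shadow table."""
    entry = SHADOW.get(user)
    if entry is None:
        return PAM_USER_UNKNOWN
    if entry["expired"]:
        return PAM_ACCT_EXPIRED
    return PAM_SUCCESS


def pam_unix_account_centos5(user, caller_uid):
    """Models the patched behaviour the comment describes: a non-root
    caller gets PAM_IGNORE before any check runs."""
    if caller_uid != 0:
        return PAM_IGNORE
    return _shadow_checks(user)


def pam_unix_account_unpatched(user, caller_uid):
    """Same checks, applied no matter who the caller is."""
    return _shadow_checks(user)


def pam_permit_account(user, caller_uid):
    return PAM_SUCCESS


# Control flag -> (action on PAM_SUCCESS, action on any other return)
OK, DONE, BAD, DIE, IGN = "ok", "done", "bad", "die", "ignore"
CONTROLS = {
    "required": (OK, BAD),
    "requisite": (OK, DIE),
    "sufficient": (DONE, IGN),
    "optional": (OK, IGN),
}


def dispatch(stack, user, caller_uid):
    """Walk a stack of (control, module) pairs and return the stack's result."""
    impression = None          # None: undefined, True: positive, False: negative
    status = PAM_PERM_DENIED
    for control, module in stack:
        ret = module(user, caller_uid)
        if ret == PAM_IGNORE:
            action = IGN       # PAM_IGNORE overrides the control flag entirely
        else:
            on_ok, on_fail = CONTROLS[control]
            action = on_ok if ret == PAM_SUCCESS else on_fail
        if action == IGN:
            continue
        if action == OK:
            if impression is None:
                impression, status = True, ret
        elif action == DONE:       # sufficient succeeded
            if impression is None:
                impression, status = True, ret
            if impression:         # no earlier required failure: stop here
                return status
        elif action == BAD:        # required failed: remember, keep walking
            if impression is not False:
                impression, status = False, ret
        elif action == DIE:        # requisite failed: stop immediately
            return ret
    if impression is None:
        return PAM_PERM_DENIED     # nothing set a result: deny
    return status


def scenarios():
    """The situations from the bug comment, keyed by description."""
    centos5 = [("required", pam_unix_account_centos5)]
    unpatched = [("required", pam_unix_account_unpatched)]
    with_permit = centos5 + [("required", pam_permit_account)]
    return {
        "root caller, expired user": dispatch(centos5, "bob", 0),
        "mysql caller, valid user": dispatch(centos5, "alice", MYSQL_UID),
        "mysql caller, expired user": dispatch(centos5, "bob", MYSQL_UID),
        "mysql caller, expired user, unpatched pam_unix":
            dispatch(unpatched, "bob", MYSQL_UID),
        "mysql caller, expired user, pam_permit added":
            dispatch(with_permit, "bob", MYSQL_UID),
        "mysql caller, unknown user, pam_permit added":
            dispatch(with_permit, "mallory", MYSQL_UID),
    }


if __name__ == "__main__":
    for name, code in scenarios().items():
        print(f"{name}: {code}")
```

Run as a script it prints one result per scenario: with the modelled CentOS 5 behaviour the mysql caller is denied even for a valid user, an unpatched pam_unix would report the expired account, and once pam_permit.so is appended the stack returns PAM_SUCCESS for an expired user and even for a user that does not exist in the shadow table, which is the bypass the comment warns about.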