Percona PAM doesn't support spaces for groups

Bug #1544443 reported by Jaime Sicam
This bug affects 1 person

Affects         Status         Importance   Assigned to          Milestone
Percona Server  (moved to https://jira.percona.com/projects/PS; status tracked in 5.7)
  5.5           Fix Released   Medium       Sergei Glushchenko
  5.6           Fix Released   Medium       Sergei Glushchenko
  5.7           Fix Released   Medium       Sergei Glushchenko

Bug Description

Let's say "tuser" is part of group "mysql ro" in LDAP

create user ''@'' identified with auth_pam as 'mysqld,"mysql ro"=readuser';
grant proxy on readuser@localhost to ''@'';
grant select on *.* to readuser@localhost;
flush privileges;

Result:

mysql> select user(), current_user(), @@proxy_user;
+-------------------+----------------+--------------+
| user()            | current_user() | @@proxy_user |
+-------------------+----------------+--------------+
| tuser@localhost   | @              | NULL         |
+-------------------+----------------+--------------+
1 row in set (0.00 sec)

It should be that current_user() and @@proxy_user should have values readuser@localhost and ''@'' respectively.

If this is a bug, please also include fix to support special characters like backslashes too for groups so we can support groups in ActiveDirectory. Eg. "DOMAIN\mysqlreadonlygroups"

Tags: i65327
Revision history for this message
Jaime Sicam (jssicam) wrote :

Updates:
The group name supports hyphens (e.g. my-group), but for authentication it requires that it be case sensitive, which is the same for providing the user too.

Unfortunately, for testing spaces in group, it requires Samba/Active Directory because these infra supports spaces in groups.

Jaime Sicam (jssicam)
Changed in percona-pam-for-mysql:
status: New → Incomplete
summary: - Percona PAM doesn't support spaces for supplementary groups
+ Percona PAM doesn't support spaces for groups
Jaime Sicam (jssicam) wrote :

To reproduce:

Sample LDAP accounts. Take note that LDAP and Active directory allows groups with spaces:
[root@9292447ef160 ~]# id rjennings
uid=10005(rjennings) gid=10001(dba) groups=10001(dba),10003(database_administrators)
[root@9292447ef160 ~]# id bmccray
uid=10001(bmccray) gid=10000(domain users) groups=10000(domain users),10001(dba)
[root@9292447ef160 ~]# id erosales
uid=10002(erosales) gid=10000(domain users) groups=10000(domain users),10002(developer)
[root@9292447ef160 ~]# id hmcdaniel
uid=10003(hmcdaniel) gid=10000(domain users) groups=10000(domain users),10004(api developers)
[root@9292447ef160 ~]# id lnunez
uid=10004(lnunez) gid=10000(domain users) groups=10000(domain users)

PAM plugin setup:
mysql> delete from mysql.user where user='';
Query OK, 2 rows affected (0.00 sec)
mysql> INSTALL PLUGIN auth_pam SONAME 'auth_pam.so';
Query OK, 0 rows affected (0.00 sec)
mysql> create user ''@'' identified with auth_pam as 'mysqld,dba=mysql_dba,developer=mysql_dev,api developers=mysql_api';
Query OK, 0 rows affected (0.00 sec)
mysql> grant all privileges on *.* to mysql_dba@'%' ;
Query OK, 0 rows affected (0.00 sec)
mysql> grant all privileges on *.* to mysql_dba@'%' with grant option;
Query OK, 0 rows affected (0.00 sec)
mysql> grant insert,select,update,delete on *.* to 'mysql_dev'@'%';
Query OK, 0 rows affected (0.00 sec)
mysql> grant insert,select on *.* to 'mysql_api'@'%';
Query OK, 0 rows affected (0.00 sec)
mysql> grant proxy on mysql_dba@'%' to ''@'';
Query OK, 0 rows affected (0.00 sec)
mysql> grant proxy on mysql_dev@'%' to ''@'';
Query OK, 0 rows affected (0.00 sec)
mysql> grant proxy on mysql_api@'%' to ''@'';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

If I log in as hmcdaniel, its effective user is not mysql_api, which is wrong. The PAM plugin failed to evaluate the "api developers" group:
mysql -u hmcdaniel
mysql> select user(), current_user(), @@proxy_user;
+---------------------+----------------+--------------+
| user()              | current_user() | @@proxy_user |
+---------------------+----------------+--------------+
| hmcdaniel@localhost | @              | NULL         |
+---------------------+----------------+--------------+
1 row in set (0.00 sec)

/var/log/secure gives more information on this:
Jul 31 03:08:01 9292447ef160 Percona PAM[594]: User to match: hmcdaniel
Jul 31 03:08:01 9292447ef160 Percona PAM[594]: Authentication string: dba=mysql_dba,developer=mysql_dev,api developers=mysql_api
Jul 31 03:08:01 9292447ef160 Percona PAM[594]: Comparing group domain users with group in authenication string dba
Jul 31 03:08:01 9292447ef160 Percona PAM[594]: Comparing group api developers with group in authenication string dba
Jul 31 03:08:01 9292447ef160 Percona PAM[594]: Authentication string: developer=mysql_dev,api developers=mysql_api
Jul 31 03:08:01 9292447ef160 Percona PAM[594]: Comparing group domain users with group in authenication string developer
Jul 31 03:08:01 9292447ef160 Percona PAM[594]: Comparing group api developers with group in authenication string developer
Jul 31 03:08:01 9292447ef160 Percona PAM[594]: No group matches for user: hmcd...


Jaime Sicam (jssicam) wrote :

I believe the issue is with line 74 of auth_mapping.c which ignores spaces for tokens. However, you can't just simply remove "!isspace(*ptr)" because if the authentication string has spaces, it won't be able to parse tokens properly:
Eg.
"dba=mysql_dba,developer=mysql_dev,api developers=mysql_api" //This would work
"dba=mysql_dba, developer=mysql_dev, api_developers=mysql_api" //This would no longer work
 74 while (*ptr && !isspace(*ptr) && *ptr != ',' && *ptr != '=')
 75 {
 76     ++token->token_len;
 77     ++ptr;
 78 }

Changed in percona-pam-for-mysql:
status: Incomplete → Confirmed
Changed in percona-server:
status: New → Confirmed
no longer affects: percona-pam-for-mysql
Sergei Glushchenko (sergei.glushchenko) wrote :

It is now possible to quote identifiers with double quotes. Example:

CREATE USER ''@'' IDENTIFIED WITH auth_pam AS 'mysqld, "data entry members" = data_entry, _developer="developer"';

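The two comments above describe the same parser from both sides: the original tokenizer stops at whitespace, so an unquoted group such as `api developers` is cut into `api` and the rest of the mapping is never compared, and the fix lets a group be written in double quotes. The following is an added example, not the plugin's own auth_mapping.c; the names `parse_auth_string`, `read_ident` and `match_group` are hypothetical, and the sample strings are constructed from the accounts in this report. It keeps the original stop-at-whitespace rule for unquoted identifiers, accepts the quoted form, and rejects the whole string on a malformed entry instead of silently dropping it, since a dropped mapping is exactly what left hmcdaniel with no proxy user.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64

/* One "group=user" entry from the authentication string. */
struct mapping {
    char group[MAX_NAME];
    char user[MAX_NAME];
};

static void skip_spaces(const char **p)
{
    while (**p && isspace((unsigned char)**p))
        ++*p;
}

/* Read one identifier into out. A double-quoted identifier may contain
 * spaces, commas or '='; an unquoted one stops at whitespace, ',' or '=',
 * exactly as the original tokenizer did. Trailing spaces are consumed.
 * Returns 0 on success, -1 on an empty, oversized or unterminated token. */
static int read_ident(const char **p, char *out, size_t outsz)
{
    size_t n = 0;
    skip_spaces(p);
    if (**p == '"') {
        ++*p;
        while (**p && **p != '"') {
            if (n + 1 >= outsz) return -1;
            out[n++] = *(*p)++;
        }
        if (**p != '"') return -1;          /* unterminated quote */
        ++*p;
    } else {
        while (**p && !isspace((unsigned char)**p) && **p != ',' && **p != '=') {
            if (n + 1 >= outsz) return -1;
            out[n++] = *(*p)++;
        }
    }
    out[n] = '\0';
    skip_spaces(p);
    return n ? 0 : -1;
}

/* Parse 'service, group=user, "group with spaces"=user, ...' (hypothetical
 * helper). Writes the PAM service name to service and up to max entries to
 * out. Returns the number of mappings, or -1 on any syntax error so that a
 * mapping the tokenizer cannot understand is never dropped quietly. */
int parse_auth_string(const char *s, char *service, size_t svcsz,
                      struct mapping *out, int max)
{
    const char *p = s;
    int count = 0;

    if (read_ident(&p, service, svcsz) != 0) return -1;
    while (*p == ',') {
        ++p;
        if (count >= max) return -1;
        if (read_ident(&p, out[count].group, MAX_NAME) != 0) return -1;
        if (*p != '=') return -1;            /* e.g. "api developers" unquoted */
        ++p;
        if (read_ident(&p, out[count].user, MAX_NAME) != 0) return -1;
        ++count;
    }
    return *p == '\0' ? count : -1;
}

/* Return the MySQL user mapped to the first account group that matches a
 * mapping entry (case-sensitive, as the plugin's comparison is), or NULL. */
const char *match_group(const struct mapping *m, int n,
                        const char *const *groups, int ngroups)
{
    for (int i = 0; i < n; ++i)
        for (int g = 0; g < ngroups; ++g)
            if (strcmp(m[i].group, groups[g]) == 0)
                return m[i].user;
    return NULL;
}

int main(void)
{
    /* Constructed sample: hmcdaniel's groups from the report and the quoted
     * form of the authentication string that the fix accepts. */
    const char *const groups[] = { "domain users", "api developers" };
    struct mapping m[8];
    char svc[MAX_NAME];
    int n = parse_auth_string(
        "mysqld, dba=mysql_dba, developer=mysql_dev, \"api developers\"=mysql_api",
        svc, sizeof svc, m, 8);
    if (n < 0) {
        puts("syntax error in authentication string");
        return 1;
    }
    const char *u = match_group(m, n, groups, 2);
    printf("service=%s mappings=%d proxy=%s\n", svc, n, u ? u : "(none)");
    return 0;
}
```

With the unquoted string from the earlier comment, `parse_auth_string` returns -1 at the `api` token, which is the place to log an error rather than continue with a partial mapping table.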
Jaime Sicam (jssicam) wrote :

I added debug messages for testing

Jaime Sicam (jssicam) wrote :

This contains the changes I made to auth_mapping.c to add debug messages and stream them to syslog.

Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-1695
