mariadb: update auth_pam handling
authorSebastian Kemper <redacted>
Mon, 11 May 2020 20:28:06 +0000 (22:28 +0200)
committerSebastian Kemper <redacted>
Mon, 11 May 2020 20:30:13 +0000 (22:30 +0200)
With INSTALL_PAMDIR undefined some items necessary for the auth_pam
module aren't built. This adds the define so that configuration and
shared object become available.

This commit also tightens up the installation of the SUID tool. The
directory it is copied into gets created on the build host already with
u=rwx,g=rx,o=, so it cannot be accessed on target, except by root. The
post-install script then changes group ownership of the directory to the
"mariadb" group only if the directory is really a directory and owned by
"root:root".

Signed-off-by: Sebastian Kemper <redacted>
utils/mariadb/Makefile

index 5d5e1629e834978d8a2a816733897607e9008a50..9610b62c3c73313550fd9aa7be6824c603c45385 100644 (file)
@@ -366,6 +366,7 @@ CMAKE_OPTIONS += \
        -DINSTALL_MANDIR=share/man \
        -DINSTALL_MYSQLSHAREDIR=share/mariadb \
        -DINSTALL_MYSQLTESTDIR="" \
+       -DINSTALL_PAMDIR="/lib/security" \
        -DINSTALL_PLUGINDIR=lib/mariadb/plugin \
        -DINSTALL_SBINDIR=bin \
        -DINSTALL_SCRIPTDIR=bin \
@@ -544,8 +545,18 @@ This package provides the $(1) plugin.
          $(INSTALL_DIR) $$(1)$(PLUGIN_DIR)
          $(call Package/mariadb/install/plugin,$$(1),$(1))
 ifeq ($(1),auth_pam)
-         $(CP) $(PKG_INSTALL_DIR)$(PLUGIN_DIR)/auth_pam_tool_dir \
-                 $$(1)$(PLUGIN_DIR)
+         $(INSTALL_DIR) -m0750 $$(1)$(PLUGIN_DIR)/auth_pam_tool_dir
+         $(INSTALL_SUID) \
+                 $(PKG_INSTALL_DIR)$(PLUGIN_DIR)/auth_pam_tool_dir/auth_pam_tool \
+                                         $$(1)$(PLUGIN_DIR)/auth_pam_tool_dir
+         $(INSTALL_DIR) $$(1)/etc/security
+         $(INSTALL_DATA) \
+                 $(PKG_INSTALL_DIR)/etc/security/user_map.conf \
+                                         $$(1)/etc/security
+         $(INSTALL_DIR) $$(1)/lib/security
+         $(INSTALL_DATA) \
+                 $(PKG_INSTALL_DIR)/lib/security/pam_user_map.so \
+                                         $$(1)/lib/security
 endif
 ifeq ($(1),ha_spider)
          $(INSTALL_DIR) $$(1)$(SHARE_DIR)
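Review bot: The `-m0750` on the added `$(INSTALL_DIR) -m0750 $$(1)$(PLUGIN_DIR)/auth_pam_tool_dir` line is the only thing limiting who can reach the setuid `auth_pam_tool`, and it is appended to a macro that may already carry its own `-m` (OpenWrt's default `INSTALL_DIR` appears to). If so, the packaged mode depends on the host's `install` letting the last `-m` win. Spelling the mode out once removes that dependence, for example `install -d -m0750 $$(1)$(PLUGIN_DIR)/auth_pam_tool_dir`. Separately, the literal `/lib/security` here repeats the `-DINSTALL_PAMDIR` value from the first hunk, so a shared variable would keep the two in step. The enclosing define starts before this hunk and the `ha_spider` block continues past it.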
@@ -556,11 +567,18 @@ endif
   $$(eval $$(call BuildPackage,mariadb-server-plugin-$(subst _,-,$(1))))
 endef
 
+# Directory "auth_pam_tool_dir" is installed with '-m0750' above and
+# contains SUID binary "auth_pam_tool". Below post-install script
+# changes the group of "auth_pam_tool_dir" to mariadb, so user mariadb
+# can access the folder (and the SUID binary). The script only changes
+# the group if the directory is currently owned by "root:root".
 define Package/mariadb-server-plugin-auth-pam/postinst
 #!/bin/sh
 if [ -z "$${IPKG_INSTROOT}" ]; then
-  chown root:mariadb /usr/lib/mariadb/plugin/auth_pam_tool_dir > /dev/null 2>&1
-  chmod 0750 /usr/lib/mariadb/plugin/auth_pam_tool_dir > /dev/null 2>&1
+  dir="/usr/lib/mariadb/plugin/auth_pam_tool_dir"
+  if ! [ -L "$$dir" ] && [ -d "$$dir" ] && [ -O "$$dir" ] && [ -G "$$dir" ]; then
+    chown :mariadb "$$dir"
+  fi
 fi
 exit 0
 endef
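Review bot: When the test on the added `if ! [ -L "$$dir" ] && [ -d "$$dir" ] && [ -O "$$dir" ] && [ -G "$$dir" ]` line fails, the script leaves the directory root-only and still exits 0, so a skipped `chown` is silent and the mariadb user cannot reach the helper. Failing closed is the right default, but it should be visible, for example with an `else` branch containing `echo "$$dir: unexpected type or owner, group not changed" >&2`. Also, `-O` and `-G` compare against the effective UID and GID of the process running the script, not a literal root:root. The comment above the define is therefore accurate only when postinst runs as root; `only if the directory is owned by the user and group running this script (expected: root)` would match the test.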