From: Sebastian Kemper
Date: Mon, 11 May 2020 20:28:06 +0000 (+0200)
Subject: mariadb: update auth_pam handling
X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=b16e9c1e2d73cb06eddbe8cec1429a2e6386ea59;p=openwrt-packages.git
mariadb: update auth_pam handling
With INSTALL_PAMDIR undefined some items necessary for the auth_pam module aren't built. This adds the define so that configuration and shared object become available. This commit also tightens up the installation of the SUID tool. The directory it is copied into gets created on the build host already with u=rwx,g=rx,o=, so it cannot be accessed on target, except by root. The post-install script then changes group ownership of the directory to the "mariadb" group only if the directory is really a directory and owned by "root:root".
Signed-off-by: Sebastian Kemper
---
diff --git a/utils/mariadb/Makefile b/utils/mariadb/Makefile
index 5d5e1629e..9610b62c3 100644
--- a/utils/mariadb/Makefile
+++ b/utils/mariadb/Makefile
@@ -366,6 +366,7 @@ CMAKE_OPTIONS += \
 -DINSTALL_MANDIR=share/man \
 -DINSTALL_MYSQLSHAREDIR=share/mariadb \
 -DINSTALL_MYSQLTESTDIR="" \
+ -DINSTALL_PAMDIR="/lib/security" \
 -DINSTALL_PLUGINDIR=lib/mariadb/plugin \
 -DINSTALL_SBINDIR=bin \
 -DINSTALL_SCRIPTDIR=bin \
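Review bot: `-DINSTALL_PAMDIR="/lib/security"` is the only absolute path among the prefix-relative `INSTALL_*` options visible around it, and nothing explains why it differs. The auth_pam install recipe later in this patch copies `pam_user_map.so` from `$(PKG_INSTALL_DIR)/lib/security`, so the two locations have to stay in step. Since a `#` comment cannot sit inside the backslash-continued list, I would put one above the `CMAKE_OPTIONS +=` assignment, e.g. `# INSTALL_PAMDIR is absolute on purpose; the auth_pam install recipe expects /lib/security`. The `CMAKE_OPTIONS` list starts before and continues past this hunk.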
@@ -544,8 +545,18 @@ This package provides the $(1) plugin.
 $(INSTALL_DIR) $$(1)$(PLUGIN_DIR)
 $(call Package/mariadb/install/plugin,$$(1),$(1))
 ifeq ($(1),auth_pam)
- $(CP) $(PKG_INSTALL_DIR)$(PLUGIN_DIR)/auth_pam_tool_dir \
- $$(1)$(PLUGIN_DIR)
+ $(INSTALL_DIR) -m0750 $$(1)$(PLUGIN_DIR)/auth_pam_tool_dir
+ $(INSTALL_SUID) \
+ $(PKG_INSTALL_DIR)$(PLUGIN_DIR)/auth_pam_tool_dir/auth_pam_tool \
+ $$(1)$(PLUGIN_DIR)/auth_pam_tool_dir
+ $(INSTALL_DIR) $$(1)/etc/security
+ $(INSTALL_DATA) \
+ $(PKG_INSTALL_DIR)/etc/security/user_map.conf \
+ $$(1)/etc/security
+ $(INSTALL_DIR) $$(1)/lib/security
+ $(INSTALL_DATA) \
+ $(PKG_INSTALL_DIR)/lib/security/pam_user_map.so \
+ $$(1)/lib/security
 endif
 ifeq ($(1),ha_spider)
 $(INSTALL_DIR) $$(1)$(SHARE_DIR)
@@ -556,11 +567,18 @@ endif
 $$(eval $$(call BuildPackage,mariadb-server-plugin-$(subst _,-,$(1))))
 endef
+# Directory "auth_pam_tool_dir" is installed with '-m0750' above and
+# contains SUID binary "auth_pam_tool". Below post-install script
+# changes the group of "auth_pam_tool_dir" to mariadb, so user mariadb
+# can access the folder (and the SUID binary). The script only changes
+# the group if the directory is currently owned by "root:root".
 define Package/mariadb-server-plugin-auth-pam/postinst
 #!/bin/sh
 if [ -z "$${IPKG_INSTROOT}" ]; then
- chown root:mariadb /usr/lib/mariadb/plugin/auth_pam_tool_dir > /dev/null 2>&1
- chmod 0750 /usr/lib/mariadb/plugin/auth_pam_tool_dir > /dev/null 2>&1
+ dir="/usr/lib/mariadb/plugin/auth_pam_tool_dir"
+ if ! [ -L "$$dir" ] && [ -d "$$dir" ] && [ -O "$$dir" ] && [ -G "$$dir" ]; then
+ chown :mariadb "$$dir"
+ fi
 fi
 exit 0
 endef
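Review bot: `user_map.conf` is installed into `/etc/security` with `$(INSTALL_DATA)` in the auth_pam branch of the install recipe, but nothing in the hunk registers it as a configuration file. If the Makefile has no conffiles entry for it elsewhere, a package upgrade would presumably replace an administrator's edited mapping with the shipped default, silently changing which PAM users map to which database accounts. A block of `define Package/mariadb-server-plugin-auth-pam/conffiles`, `/etc/security/user_map.conf`, `endef` would cover it. The recipe sits inside a `define` that starts before the hunk, and the `ha_spider` branch continues past it.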
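Review bot: The guard in the postinst does not literally test for "root:root" as the added comment says. `[ -O "$$dir" ]` and `[ -G "$$dir" ]` compare the directory's owner and group with the effective uid and gid of the shell running the script, so the claim holds only when the script runs as root with gid 0. I would state that in the comment, e.g. `# -O/-G match the script's effective uid/gid, i.e. root:root when run as root`. When the guard is false or `chown` fails (for instance a missing `mariadb` group), the script still reaches `exit 0` and the directory stays closed; that is the safe outcome, but an `else` branch printing one line to stderr would make a non-working plugin diagnosable.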