Merge lp:~laurynas-biveinis/percona-pam-for-mysql/bug880344 into lp:percona-pam-for-mysql

Proposed by Laurynas Biveinis
Status: Merged
Approved by: Laurynas Biveinis
Approved revision: 7
Merged at revision: 9
Proposed branch: lp:~laurynas-biveinis/percona-pam-for-mysql/bug880344
Merge into: lp:percona-pam-for-mysql
Prerequisite: lp:~laurynas-biveinis/percona-pam-for-mysql/bug880268
Diff against target: 51 lines (+8/-11)
1 file modified
src/auth_pam.c (+8/-11)
To merge this branch: bzr merge lp:~laurynas-biveinis/percona-pam-for-mysql/bug880344
Reviewer: Laurynas Biveinis (community)
Status: Approve
Review via email: mp+80147@code.launchpad.net

Description of the change

Fix bug 880344:

The PAM stack may decide to map a given user name to some other user
name. In that case pam_get_item(..., PAM_USER, ...) will return the
mapped user name that is different from
MYSQL_SERVER_AUTH_INFO::user_name.

The current code copies that value to the
MYSQL_SERVER_AUTH_INFO::external_user field, which is incorrect. The
fix copies it to the authenticated_as field, so that the mapped user
name is checked against MySQL user table for privileges.

Laurynas Biveinis (laurynas-biveinis) wrote :

Approved by Stewart on IRC

review: Approve
8. By Laurynas Biveinis

Merge from trunk

Preview Diff

1=== modified file 'src/auth_pam.c'
2--- src/auth_pam.c 2011-10-25 17:46:19 +0000
3+++ src/auth_pam.c 2011-10-28 12:48:24 +0000
4@@ -80,10 +80,6 @@
5 /** The MySQL service name for PAM configuration */
6 static const char* service_name= "mysqld";
7
8-/** The maximum length of MYSQL_SERVER_AUTH_INFO::external_user field.
9- Shouldn't be hardcoded in the plugin_auth.h but it is. */
10-enum { max_auth_info_external_user_len = 512 };
11-
12 static int valid_pam_msg_style (int pam_msg_style)
13 {
14 switch (pam_msg_style)
15@@ -202,7 +198,7 @@
16 pam_handle_t *pam_handle;
17 struct pam_conv conv_func_info= { &vio_server_conv, vio };
18 int error;
19- char *external_user_name;
20+ char *pam_mapped_user_name;
21
22 /* Impossible to tell if PAM will use passwords or something else */
23 info->password_used= PASSWORD_USED_NO_MENTION;
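Review bot: pam_mapped_user_name is declared as a plain char *, but pam_get_item() takes a const void ** and hands back a pointer to data owned by the PAM handle, which the plugin must not modify or free. Declaring it as const char * and casting to (const void **) at the call site would let the compiler reject an accidental write through it, instead of the (void *) cast hiding the qualifier mismatch.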
24@@ -249,7 +245,7 @@
25 }
26
27 /* Get the authenticated user name from PAM */
28- error= pam_get_item(pam_handle, PAM_USER, (void *)&external_user_name);
29+ error= pam_get_item(pam_handle, PAM_USER, (void *)&pam_mapped_user_name);
30 if (error != PAM_SUCCESS)
31 {
32 pam_end(pam_handle, error);
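Review bot: the check after pam_get_item() tests only the return code; pam_mapped_user_name itself is never tested for NULL before it reaches strcmp() in the next hunk. If a PAM stack leaves PAM_USER unset, the call can succeed with a NULL item, so treat a NULL result the same way as the error path here (pam_end() and fail the authentication).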
33@@ -257,12 +253,13 @@
34 }
35
36 /* Check if user name from PAM is the same as provided for MySQL. If
37- different, set @@external_user for the current session to the one provided by
38- PAM. */
39- if (strcmp(info->user_name, external_user_name))
40+ different, use the new user name for MySQL authorization and as
41+ CURRENT_USER() value. */
42+ if (strcmp(info->user_name, pam_mapped_user_name))
43 {
44- strncpy(info->external_user, external_user_name,
45- max_auth_info_external_user_len);
46+ strncpy(info->authenticated_as, pam_mapped_user_name,
47+ MYSQL_USERNAME_LENGTH);
48+ info->authenticated_as[MYSQL_USERNAME_LENGTH]= '\0';
49 }
50
51 error= pam_end(pam_handle, error);
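Review bot: the strncpy() into info->authenticated_as silently truncates a PAM-mapped name longer than MYSQL_USERNAME_LENGTH, and the truncated string is then what gets checked against the MySQL user table, so an overlong mapped name could resolve to a different, shorter account name. Consider failing authentication when strlen(pam_mapped_user_name) > MYSQL_USERNAME_LENGTH instead of copying a prefix. The terminator write at index MYSQL_USERNAME_LENGTH also relies on the field holding MYSQL_USERNAME_LENGTH + 1 bytes; a short comment or a sizeof-based bound would make that assumption visible.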
