Merge lp:~laurynas-biveinis/percona-pam-for-mysql/bug880344 into lp:percona-pam-for-mysql

Proposed by Laurynas Biveinis
Status: Merged
Approved by: Laurynas Biveinis
Approved revision: 7
Merged at revision: 9
Proposed branch: lp:~laurynas-biveinis/percona-pam-for-mysql/bug880344
Merge into: lp:percona-pam-for-mysql
Prerequisite: lp:~laurynas-biveinis/percona-pam-for-mysql/bug880268
Diff against target: 51 lines (+8/-11)
1 file modified
src/auth_pam.c (+8/-11)
To merge this branch: bzr merge lp:~laurynas-biveinis/percona-pam-for-mysql/bug880344
Reviewer Review Type Date Requested Status
Laurynas Biveinis (community) Approve
Review via email: mp+80147@code.launchpad.net

Description of the change

Fix bug 880344:

The PAM stack may decide to map a given user name to some other user
name. In that case pam_get_item(..., PAM_USER, ...) will return the
mapped user name that is different from
MYSQL_SERVER_AUTH_INFO::user_name.

The current code copies that value to the
MYSQL_SERVER_AUTH_INFO::external_user field, which is incorrect. The
fix copies it to the authenticated_as field, so that the mapped user
name is checked against the MySQL user table for privileges.

Revision history for this message
Laurynas Biveinis (laurynas-biveinis) wrote :

Approved by Stewart on IRC

review: Approve
8. By Laurynas Biveinis

Merge from trunk

Preview Diff

=== modified file 'src/auth_pam.c'
--- src/auth_pam.c 2011-10-25 17:46:19 +0000
+++ src/auth_pam.c 2011-10-28 12:48:24 +0000
@@ -80,10 +80,6 @@
80/** The MySQL service name for PAM configuration */80/** The MySQL service name for PAM configuration */
81static const char* service_name= "mysqld";81static const char* service_name= "mysqld";
8282
83/** The maximum length of MYSQL_SERVER_AUTH_INFO::external_user field.
84 Shouldn't be hardcoded in the plugin_auth.h but it is. */
85enum { max_auth_info_external_user_len = 512 };
86
87static int valid_pam_msg_style (int pam_msg_style)83static int valid_pam_msg_style (int pam_msg_style)
88{84{
89 switch (pam_msg_style)85 switch (pam_msg_style)
@@ -202,7 +198,7 @@
202 pam_handle_t *pam_handle;198 pam_handle_t *pam_handle;
203 struct pam_conv conv_func_info= { &vio_server_conv, vio };199 struct pam_conv conv_func_info= { &vio_server_conv, vio };
204 int error;200 int error;
205 char *external_user_name;201 char *pam_mapped_user_name;
206202
207 /* Impossible to tell if PAM will use passwords or something else */203 /* Impossible to tell if PAM will use passwords or something else */
208 info->password_used= PASSWORD_USED_NO_MENTION;204 info->password_used= PASSWORD_USED_NO_MENTION;
@@ -249,7 +245,7 @@
249 }245 }
250246
251 /* Get the authenticated user name from PAM */247 /* Get the authenticated user name from PAM */
252 error= pam_get_item(pam_handle, PAM_USER, (void *)&external_user_name);248 error= pam_get_item(pam_handle, PAM_USER, (void *)&pam_mapped_user_name);
253 if (error != PAM_SUCCESS)249 if (error != PAM_SUCCESS)
254 {250 {
255 pam_end(pam_handle, error);251 pam_end(pam_handle, error);
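Review bot: the success check at line 249 only tests the return code; pam_get_item() can return PAM_SUCCESS while handing back a NULL PAM_USER item (Linux-PAM simply returns the handle's current user pointer, which a module in the stack may have cleared), and the strcmp() in the next hunk would then dereference NULL. Treat a NULL pam_mapped_user_name as a failure here as well, e.g. `if (error != PAM_SUCCESS || pam_mapped_user_name == NULL)`, so that an unexpected PAM state ends the handle and fails authentication instead of crashing the server.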
@@ -257,12 +253,13 @@
257 }253 }
258254
259 /* Check if user name from PAM is the same as provided for MySQL. If255 /* Check if user name from PAM is the same as provided for MySQL. If
260 different, set @@external_user for the current session to the one provided by256 different, use the new user name for MySQL authorization and as
261 PAM. */257 CURRENT_USER() value. */
262 if (strcmp(info->user_name, external_user_name))258 if (strcmp(info->user_name, pam_mapped_user_name))
263 {259 {
264 strncpy(info->external_user, external_user_name,260 strncpy(info->authenticated_as, pam_mapped_user_name,
265 max_auth_info_external_user_len);261 MYSQL_USERNAME_LENGTH);
262 info->authenticated_as[MYSQL_USERNAME_LENGTH]= '\0';
266 }263 }
267264
268 error= pam_end(pam_handle, error);265 error= pam_end(pam_handle, error);
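Review bot: the strncpy()/terminator pair at lines 260-262 silently truncates a PAM-mapped name longer than MYSQL_USERNAME_LENGTH, and the truncated string is then used for the privilege lookup and as CURRENT_USER(), so an over-long mapped name would be authorized as whichever account its prefix matches. Check `strlen(pam_mapped_user_name) > MYSQL_USERNAME_LENGTH` before the copy and fail the authentication (ending the PAM handle first) rather than truncating. Writing the terminator at index MYSQL_USERNAME_LENGTH is correct only because authenticated_as is declared MYSQL_USERNAME_LENGTH+1 bytes in plugin_auth.h; a one-line comment stating that assumption would help the next reader of this block.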
