Comments - Authentication Plugin - PAM

11 years, 3 months ago Shane Williams

Alternately, what seems to work is the following:
Add a shadow group;
Chgrp /etc/shadow to shadow & chmod to 640;
Chgrp on /sbin/unix_chkpwd to shadow & chmod so that it's -rwsr-sr-x;

Whether this is more or less secure than adding the mysql user to the shadow group, I'm not entirely sure.

Note that this scheme is borrowed from Ubuntu 12.04 LTS.

 
10 years, 1 month ago Hartmut Holzgraefe

Doesn't work for me (Ubuntu 14.10, Ubuntu distribution MariaDB packages)

"Problem" is that unix_chkpwd explicitly checks that its UID matches the username given as cmdline argument, *unless* the UID is 0 (root). As it checks UID, not EUID, suid chmod magic doesn't make a difference here.

The related check code in unix_chkpwd.c is at https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/unix_chkpwd.c#n129

    if (getuid() == 0) {
        user = argv[1];
    } else {
        user = getuidname(getuid());
        /* if the caller specifies the username, verify that user matches it */
        if (strcmp(user, argv[1])) {
            user = argv[1];
            /* no match -> permanently change to the real user and proceed */
            if (setuid(getuid()) != 0)
                return PAM_AUTH_ERR;
        }
    }

So unless mysqld is running as root the "does the given user name match my UID?" check will only succeed if the mysql user name matches the system user name, e.g. usually pam_unix will work for mysql users "mysql@..." if mysqld is running as unix user "mysql"

 
10 years, 1 month ago Sergei Golubchik

I'm thinking of a solution to this (and other similar problems): MDEV-7032

 
10 years, 1 month ago Hartmut Holzgraefe

Well, the "can only check the users own password unless invoked by root" limitation is there for a reason:

as unix_chkpwd is a local binary and not a service it can be used to perform brute force dictionary attacks against /etc/shadow without a need to have read access to the shadow file otherwise ...

Restricting access to this for root isn't necessary as root can read the shadow file (and other things like changing user passwords) anyway ...

But for any other user starting unix_chkpwd extra care is taken that only the password of this single user can be cracked this way (again not that much harm with this as an attacker must somehow have gained access to that user account already anyway)

Any shadow entries for other users are still hidden by the inner workings of unix_chkpwd

(adding some comments on MDEV-7032, too ..)

 
10 years, 1 month ago Hartmut Holzgraefe

unix_chkpwd does throttle on wrong credentials being passed in, but that only helps if it is part of a service toolchain as it is with pam_unix

when called directly an attacker doesn't have to wait for the 10s penalty after giving a wrong password but can just start new unix_chkpwd processes without anything putting artificial limits on the number of checks per time unit ...

 