[Commits] f8e92e8: merging MDEV-18686 into 10.4.

Alexey Botchkov holyfoot at askmonty.org
Wed May 15 18:06:43 EEST 2019


revision-id: f8e92e8555f3fa1cf563785f428008272f178d66 (mariadb-10.4.4-93-gf8e92e8)
parent(s): ea771624528794449444b2c066ca6171388cdf37
committer: Alexey Botchkov
timestamp: 2019-05-15 19:06:04 +0400
message:

merging MDEV-18686 into 10.4.

---
 mysql-test/suite/plugins/r/pam.result | 20 ++++++++++++++++++++
 mysql-test/suite/plugins/t/pam.test   | 28 ++++++++++++++++++++++++----
 plugin/auth_pam/auth_pam.c            |  6 +++++-
 plugin/auth_pam/auth_pam_base.c       |  5 ++++-
 plugin/auth_pam/auth_pam_common.c     |  5 +++++
 plugin/auth_pam/auth_pam_tool.c       |  3 ++-
 6 files changed, 60 insertions(+), 7 deletions(-)

diff --git a/mysql-test/suite/plugins/r/pam.result b/mysql-test/suite/plugins/r/pam.result
index a16cd7f..12d1319 100644
--- a/mysql-test/suite/plugins/r/pam.result
+++ b/mysql-test/suite/plugins/r/pam.result
@@ -29,4 +29,24 @@ Now, the magic number!
 PIN: ***
 drop user test_pam;
 drop user pam_test;
+create user PAM_TEST identified via pam using 'mariadb_mtr';
+#
+# athentication is unsuccessful
+#
+Challenge input first.
+Enter: not very secret challenge
+Now, the magic number!
+PIN: ****
+set global pam_winbind_workaround=1;
+#
+# athentication is successful
+#
+Challenge input first.
+Enter: not very secret challenge
+Now, the magic number!
+PIN: ****
+select user(), current_user(), database();
+user() current_user()  database()
+PAM_TEST at localhost     PAM_TEST@%      test
+drop user PAM_TEST;
 uninstall plugin pam;
diff --git a/mysql-test/suite/plugins/t/pam.test b/mysql-test/suite/plugins/t/pam.test
index 6bb282f..4040afa 100644
--- a/mysql-test/suite/plugins/t/pam.test
+++ b/mysql-test/suite/plugins/t/pam.test
@@ -22,25 +22,45 @@ EOF
 --echo #
 --echo # athentication is successful, challenge/pin are ok
 --echo # note that current_user() differs from user()
---echo #
---exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good.txt
+-echo #
+--exec $MYSQL_TEST -u test_pam < $MYSQLTEST_VARDIR/tmp/pam_good.txt
 
 --echo #
 --echo # athentication is unsuccessful
 --echo #
 --error 1
---exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_bad.txt
+--exec $MYSQL_TEST -u test_pam < $MYSQLTEST_VARDIR/tmp/pam_bad.txt
 
 --echo #
 --echo # athentication is unsuccessful
 --echo #
 --error 1
---exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_ugly.txt
+--exec $MYSQL_TEST -u test_pam < $MYSQLTEST_VARDIR/tmp/pam_ugly.txt
 
 --remove_file $MYSQLTEST_VARDIR/tmp/pam_good.txt
 --remove_file $MYSQLTEST_VARDIR/tmp/pam_bad.txt
+--remove_file $MYSQLTEST_VARDIR/tmp/pam_ugly.txt
 drop user test_pam;
 drop user pam_test;
+
+create user PAM_TEST identified via pam using 'mariadb_mtr';
+
+--echo #
+--echo # athentication is unsuccessful
+--echo #
+--error 1
+--exec $MYSQL_TEST -u PAM_TEST < $MYSQLTEST_VARDIR/tmp/pam_good.txt
+
+set global pam_winbind_workaround=1;
+--echo #
+--echo # athentication is successful
+--echo #
+--exec $MYSQL_TEST -u PAM_TEST < $MYSQLTEST_VARDIR/tmp/pam_good.txt
+
+--remove_file $MYSQLTEST_VARDIR/tmp/pam_good.txt
+--remove_file $MYSQLTEST_VARDIR/tmp/pam_bad.txt
+drop user PAM_TEST;
+
 let $count_sessions= 1;
 --source include/wait_until_count_sessions.inc
 uninstall plugin pam;
diff --git a/plugin/auth_pam/auth_pam.c b/plugin/auth_pam/auth_pam.c
index 779f6ce..599b323 100644
--- a/plugin/auth_pam/auth_pam.c
+++ b/plugin/auth_pam/auth_pam.c
@@ -28,6 +28,8 @@ static char pam_debug = 0;
 #define PAM_DEBUG(X)   /* no-op */
 #endif
 
+static char winbind_hack = 0;
+
 static char *opt_plugin_dir; /* To be dynamically linked. */
 static const char *tool_name= "auth_pam_tool_dir/auth_pam_tool";
 static const int tool_name_len= 31;
@@ -109,10 +111,12 @@ static int pam_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
                info->user_name, info->auth_string));
 
 #ifndef DBUG_OFF
-  field= pam_debug;
+  field= pam_debug ? 1 : 0;
 #else
   field= 0;
 #endif
+  field|= winbind_hack ? 2 : 0;
+
   if (write(p_to_c[1], &field, 1) != 1 ||
       write_string(p_to_c[1], (const uchar *) info->user_name,
                                        info->user_name_length) ||
diff --git a/plugin/auth_pam/auth_pam_base.c b/plugin/auth_pam/auth_pam_base.c
index 67a0adb..a23cfcb 100644
--- a/plugin/auth_pam/auth_pam_base.c
+++ b/plugin/auth_pam/auth_pam_base.c
@@ -60,6 +60,8 @@ static char pam_debug = 0;
 #define PAM_DEBUG(X)   /* no-op */
 #endif
 
+static char winbind_hack = 0;
+
 static int conv(int n, const struct pam_message **msg,
                 struct pam_response **resp, void *data)
 {
@@ -161,7 +163,8 @@ static int pam_auth_base(struct param *param, MYSQL_SERVER_AUTH_INFO *info)
   PAM_DEBUG((stderr, "PAM: pam_get_item(PAM_USER)\n"));
   DO( pam_get_item(pamh, PAM_USER, (pam_get_item_3_arg) &new_username) );
 
-  if (new_username && strcmp(new_username, info->user_name))
+  if (new_username &&
+      (winbind_hack ? strcasecmp : strcmp)(new_username, info->user_name))
     strncpy(info->authenticated_as, new_username,
             sizeof(info->authenticated_as));
   info->authenticated_as[sizeof(info->authenticated_as)-1]= 0;
diff --git a/plugin/auth_pam/auth_pam_common.c b/plugin/auth_pam/auth_pam_common.c
index 135feb6..ef8f0f6 100644
--- a/plugin/auth_pam/auth_pam_common.c
+++ b/plugin/auth_pam/auth_pam_common.c
@@ -36,6 +36,10 @@ static MYSQL_SYSVAR_BOOL(use_cleartext_plugin, use_cleartext_plugin,
        "supports simple PAM policies that don't require anything besides "
        "a password", NULL, NULL, 0);
 
+static MYSQL_SYSVAR_BOOL(winbind_workaround, winbind_hack, PLUGIN_VAR_OPCMDARG,
+       "Compare usernames case insensitively to work around pam_winbind "
+       "unconditional username lowercasing", NULL, NULL, 0);
+
 #ifndef DBUG_OFF
 static MYSQL_SYSVAR_BOOL(debug, pam_debug, PLUGIN_VAR_OPCMDARG,
        "Log all PAM activity", NULL, NULL, 0);
@@ -44,6 +48,7 @@ static MYSQL_SYSVAR_BOOL(debug, pam_debug, PLUGIN_VAR_OPCMDARG,
 
 static struct st_mysql_sys_var* vars[] = {
   MYSQL_SYSVAR(use_cleartext_plugin),
+  MYSQL_SYSVAR(winbind_workaround),
 #ifndef DBUG_OFF
   MYSQL_SYSVAR(debug),
 #endif
diff --git a/plugin/auth_pam/auth_pam_tool.c b/plugin/auth_pam/auth_pam_tool.c
index 95d47dc..6fd30b4 100644
--- a/plugin/auth_pam/auth_pam_tool.c
+++ b/plugin/auth_pam/auth_pam_tool.c
@@ -73,8 +73,9 @@ int main(int argc, char **argv)
   if (read(0, &field, 1) < 1)
     return -1;
 #ifndef DBUG_OFF
-  pam_debug= field;
+  pam_debug= field & 1;
 #endif
+  winbind_hack= field & 2;
   
   PAM_DEBUG((stderr, "PAM: sandbox started [%s].\n", argv[0]));
 


More information about the commits mailing list