mariadb: update auth_pam handling
With INSTALL_PAMDIR undefined some items necessary for the auth_pam module aren't built. This adds the define so that configuration and shared object become available. This commit also tightens up the installation of the SUID tool. The directory it is copied into gets created on the build host already with u=rwx,g=rx,o=, so it cannot be accessed on target, except by root. The post-install script then changes group ownership of the directory to the "mariadb" group only if the directory is really a directory and owned by "root:root". Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This commit is contained in:
Sebastian Kemper
parent
19de52a044
commit
b16e9c1e2d
|
|
@ -366,6 +366,7 @@ CMAKE_OPTIONS += \
|
|||
-DINSTALL_MANDIR=share/man \
|
||||
-DINSTALL_MYSQLSHAREDIR=share/mariadb \
|
||||
-DINSTALL_MYSQLTESTDIR="" \
|
||||
-DINSTALL_PAMDIR="/lib/security" \
|
||||
-DINSTALL_PLUGINDIR=lib/mariadb/plugin \
|
||||
-DINSTALL_SBINDIR=bin \
|
||||
-DINSTALL_SCRIPTDIR=bin \
|
||||
|
|
@ -544,8 +545,18 @@ This package provides the $(1) plugin.
|
|||
$(INSTALL_DIR) $$(1)$(PLUGIN_DIR)
|
||||
$(call Package/mariadb/install/plugin,$$(1),$(1))
|
||||
ifeq ($(1),auth_pam)
|
||||
$(CP) $(PKG_INSTALL_DIR)$(PLUGIN_DIR)/auth_pam_tool_dir \
|
||||
$$(1)$(PLUGIN_DIR)
|
||||
$(INSTALL_DIR) -m0750 $$(1)$(PLUGIN_DIR)/auth_pam_tool_dir
|
||||
$(INSTALL_SUID) \
|
||||
$(PKG_INSTALL_DIR)$(PLUGIN_DIR)/auth_pam_tool_dir/auth_pam_tool \
|
||||
$$(1)$(PLUGIN_DIR)/auth_pam_tool_dir
|
||||
$(INSTALL_DIR) $$(1)/etc/security
|
||||
$(INSTALL_DATA) \
|
||||
$(PKG_INSTALL_DIR)/etc/security/user_map.conf \
|
||||
$$(1)/etc/security
|
||||
$(INSTALL_DIR) $$(1)/lib/security
|
||||
$(INSTALL_DATA) \
|
||||
$(PKG_INSTALL_DIR)/lib/security/pam_user_map.so \
|
||||
$$(1)/lib/security
|
||||
endif
|
||||
ifeq ($(1),ha_spider)
|
||||
$(INSTALL_DIR) $$(1)$(SHARE_DIR)
|
||||
|
|
@ -556,11 +567,18 @@ endif
|
|||
$$(eval $$(call BuildPackage,mariadb-server-plugin-$(subst _,-,$(1))))
|
||||
endef
|
||||
|
||||
# Directory "auth_pam_tool_dir" is installed with '-m0750' above and
|
||||
# contains SUID binary "auth_pam_tool". Below post-install script
|
||||
# changes the group of "auth_pam_tool_dir" to mariadb, so user mariadb
|
||||
# can access the folder (and the SUID binary). The script only changes
|
||||
# the group if the directory is currently owned by "root:root".
|
||||
define Package/mariadb-server-plugin-auth-pam/postinst
|
||||
#!/bin/sh
|
||||
if [ -z "$${IPKG_INSTROOT}" ]; then
|
||||
chown root:mariadb /usr/lib/mariadb/plugin/auth_pam_tool_dir > /dev/null 2>&1
|
||||
chmod 0750 /usr/lib/mariadb/plugin/auth_pam_tool_dir > /dev/null 2>&1
|
||||
dir="/usr/lib/mariadb/plugin/auth_pam_tool_dir"
|
||||
if ! [ -L "$$dir" ] && [ -d "$$dir" ] && [ -O "$$dir" ] && [ -G "$$dir" ]; then
|
||||
chown :mariadb "$$dir"
|
||||
fi
|
||||
fi
|
||||
exit 0
|
||||
endef
|
||||
|
|
|
|||
Loading…
Reference in New Issue