diff options
| author | Sergei Golubchik <serg@mariadb.org> | 2016-07-26 12:34:04 +0200 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2016-08-24 20:41:26 +0200 |
| commit | ea91bb6801b1b619d64fa137ea351eca9de683ec (patch) | |
| tree | bcfa04a55541d53d4dbd9abbf8b3d4cb698d3c67 | |
| parent | d0d99dec914d409d7889fcec2efd126edad10bde (diff) | |
| download | mariadb-git-ea91bb6801b1b619d64fa137ea351eca9de683ec.tar.gz | |
MDEV-10361 Crash in pam_securid.so with auth_pam connecting from SQLyog
auth_pam: debug output
| -rw-r--r-- | mysql-test/include/default_mysqld.cnf | 2 | ||||
| -rw-r--r-- | mysql-test/suite/plugins/r/pam_cleartext.result | 2 | ||||
| -rw-r--r-- | mysql-test/suite/plugins/t/pam_cleartext.test | 2 | ||||
| -rw-r--r-- | plugin/auth_pam/auth_pam.c | 30 |
4 files changed, 34 insertions, 2 deletions
diff --git a/mysql-test/include/default_mysqld.cnf b/mysql-test/include/default_mysqld.cnf index 17b2fd5b2bc..b5b16461781 100644 --- a/mysql-test/include/default_mysqld.cnf +++ b/mysql-test/include/default_mysqld.cnf @@ -45,6 +45,8 @@ loose-feedback-debug-startup-interval=20 loose-feedback-debug-first-interval=60 loose-feedback-debug-interval=60 +loose-pam-debug + loose-innodb_data_file_path= ibdata1:12M:autoextend loose-innodb_buffer_pool_size= 8M loose-innodb_lru_scan_depth= 100 diff --git a/mysql-test/suite/plugins/r/pam_cleartext.result b/mysql-test/suite/plugins/r/pam_cleartext.result index 00e0e94618e..3b7aada16b2 100644 --- a/mysql-test/suite/plugins/r/pam_cleartext.result +++ b/mysql-test/suite/plugins/r/pam_cleartext.result @@ -2,7 +2,7 @@ install plugin pam soname 'auth_pam.so'; create user test_pam identified via pam using 'mariadb_mtr'; create user pam_test; grant proxy on pam_test to test_pam; -show variables like 'pam%'; +show variables like 'pam_use_%'; Variable_name Value pam_use_cleartext_plugin ON drop user test_pam; diff --git a/mysql-test/suite/plugins/t/pam_cleartext.test b/mysql-test/suite/plugins/t/pam_cleartext.test index 6b9bf087ce5..aade924c43e 100644 --- a/mysql-test/suite/plugins/t/pam_cleartext.test +++ b/mysql-test/suite/plugins/t/pam_cleartext.test @@ -1,7 +1,7 @@ --source pam_init.inc -show variables like 'pam%'; +show variables like 'pam_use_%'; --error 1 --exec echo FAIL | $MYSQL_TEST -u test_pam --plugin-dir=$plugindir diff --git a/plugin/auth_pam/auth_pam.c b/plugin/auth_pam/auth_pam.c index 3e3462d3ba0..ac1b3b2da09 100644 --- a/plugin/auth_pam/auth_pam.c +++ b/plugin/auth_pam/auth_pam.c @@ -17,6 +17,7 @@ #define _GNU_SOURCE 1 /* for strndup */ #include <mysql/plugin_auth.h> +#include <stdio.h> #include <string.h> #include <security/pam_appl.h> #include <security/pam_modules.h> @@ -44,6 +45,13 @@ char *strndup(const char *from, size_t length) } #endif +#ifndef DBUG_OFF +static char pam_debug = 0; +#define PAM_DEBUG(X) do { if (pam_debug) { fprintf X; } } while(0) +#else +#define PAM_DEBUG(X) /* no-op */ +#endif + static int conv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) { @@ -91,12 +99,17 @@ static int conv(int n, const struct pam_message **msg, 4 means "password-like input, echo disabled" C'est la vie. */ param->buf[0] = msg[i]->msg_style == PAM_PROMPT_ECHO_ON ? 2 : 4; + PAM_DEBUG((stderr, "PAM: conv: send(%.*s)\n", (int)(param->ptr - param->buf - 1), param->buf)); if (param->vio->write_packet(param->vio, param->buf, param->ptr - param->buf - 1)) return PAM_CONV_ERR; pkt_len = param->vio->read_packet(param->vio, &pkt); if (pkt_len < 0) + { + PAM_DEBUG((stderr, "PAM: conv: recv() ERROR\n")); return PAM_CONV_ERR; + } + PAM_DEBUG((stderr, "PAM: conv: recv(%.*s)\n", pkt_len, pkt)); /* allocate and copy the reply to the response array */ if (!((*resp)[i].resp= strndup((char*) pkt, pkt_len))) return PAM_CONV_ERR; @@ -134,9 +147,16 @@ static int pam_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) param.ptr = param.buf + 1; param.vio = vio; + PAM_DEBUG((stderr, "PAM: pam_start(%s, %s)\n", service, info->user_name)); DO( pam_start(service, info->user_name, &pam_start_arg, &pamh) ); + + PAM_DEBUG((stderr, "PAM: pam_authenticate(0)\n")); DO( pam_authenticate (pamh, 0) ); + + PAM_DEBUG((stderr, "PAM: pam_acct_mgmt(0)\n")); DO( pam_acct_mgmt(pamh, 0) ); + + PAM_DEBUG((stderr, "PAM: pam_get_item(PAM_USER)\n")); DO( pam_get_item(pamh, PAM_USER, (pam_get_item_3_arg) &new_username) ); if (new_username && strcmp(new_username, info->user_name)) @@ -145,6 +165,7 @@ static int pam_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) end: pam_end(pamh, status); + PAM_DEBUG((stderr, "PAM: status = %d user = %s\n", status, new_username)); return status == PAM_SUCCESS ? CR_OK : CR_ERROR; } @@ -163,8 +184,17 @@ static MYSQL_SYSVAR_BOOL(use_cleartext_plugin, use_cleartext_plugin, "supports simple PAM policies that don't require anything besides " "a password", NULL, NULL, 0); +#ifndef DBUG_OFF +static MYSQL_SYSVAR_BOOL(debug, pam_debug, PLUGIN_VAR_OPCMDARG, + "Log all PAM activity", NULL, NULL, 0); +#endif + + static struct st_mysql_sys_var* vars[] = { MYSQL_SYSVAR(use_cleartext_plugin), +#ifndef DBUG_OFF + MYSQL_SYSVAR(debug), +#endif NULL }; |