authorSergei Golubchik <serg@mariadb.org>2019-06-30 20:41:26 +0200
committerSergei Golubchik <serg@mariadb.org>2019-07-02 14:27:31 +0200
commitdd93028dae22f00a6b23ff27d348ff1a4722ee88 (patch)
treec9a5e1fe924af4dd6cd8311c0707818cf4a12db8 /support-files/mariadb.service.in
parentec494cb1fadb40ae25b944bb1229fc2d6f88e8c6 (diff)
downloadmariadb-git-dd93028dae22f00a6b23ff27d348ff1a4722ee88.tar.gz
MDEV-19878 pam v2: pam password authentication doesn't work at all
* wait() for the child process to die, let it rest in peace * fix incorrect parentheses * if there was no password on the command line or in .cnf file, pkt will be "", and we need to request the user to enter the password * make sure that auth->salt is always allocated on a permanent memroot. when called from set_user_salt_if_needed(), user_copy and its auth_str are on the thd memroot, but auth_copy->salt is then copied to auth->salt * adjust service files so that systemd wouldn't interfere with our setuid executables also * print the pam error message in debug mode
Diffstat (limited to 'support-files/mariadb.service.in')
-rw-r--r--support-files/mariadb.service.in15
1 files changed, 12 insertions, 3 deletions
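diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index 8d43b6db428..c31e883000d 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -43,7 +43,7 @@ PrivateNetwork=false
 User=mysql
 Group=mysql
-# To allow memlock to be used as non-root user if set in configuration
+# CAP_IPC_LOCK To allow memlock to be used as non-root user
 CapabilityBoundingSet=CAP_IPC_LOCK
 # Prevent writes to /usr, /boot, and /etc
@@ -52,8 +52,6 @@ ProtectSystem=full
 # Doesn't yet work properly with SELinux enabled
 # NoNewPrivileges=true
-PrivateDevices=true
-
 # Prevent accessing /home, /root and /run/user
 ProtectHome=true
@@ -99,6 +97,17 @@ RestartSec=5s
 UMask=007
 ##############################################################################
+## PAM plugin section
+#
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE Needed on Debian for whatever reason
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
+PrivateDevices=false
+
+##############################################################################
 ## USERs can override
 ##
 ##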
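Review bot: The new `CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE` line does not say that it is merged with the earlier `CapabilityBoundingSet=CAP_IPC_LOCK` rather than replacing it, which is how systemd treats repeated assignments of this setting; a reader scanning only the PAM section could conclude that memlock support was dropped, or that the bounding set for the whole service has silently grown beyond what the earlier comment describes. I would add above it `# Merged (OR'd) with the CAP_IPC_LOCK bounding set above; together these are the only capabilities the service and its SUID helper can hold`. `PrivateDevices=false` also withdraws the device sandbox for the whole mysqld process in every installation, not only those that load auth_pam, and the comment gives the reason but not that scope; since the "USERs can override" section follows directly, I would add there `# Deployments that do not use auth_pam can restore PrivateDevices=true in a drop-in`. The commented-out `# NoNewPrivileges=true` in the hunk above is now load-bearing for the same SUID reason as this hunk, and a word to that effect next to its SELinux remark would stop someone from enabling it once the SELinux issue is fixed.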