From dc6bc85cd29586631d927036451d955c7013206c Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Tue, 24 Aug 2021 11:03:02 +0200 Subject: MDEV-26380 auth_pam_tool has incorrect permissions on CentOS 7 Buggy sepdebugcrcfix in CentOS 7 (rpm-4.11.3) does not restore SUID bit after editing the binary. This is fixed in rpm-4.12. Still let's not set SUID bit when installing auth_pam_tool and use rpm spec %attr directive instead. --- plugin/auth_pam/CMakeLists.txt | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/plugin/auth_pam/CMakeLists.txt b/plugin/auth_pam/CMakeLists.txt index 8d11d174f90..5b2ca3c708a 100644 --- a/plugin/auth_pam/CMakeLists.txt +++ b/plugin/auth_pam/CMakeLists.txt @@ -38,11 +38,10 @@ IF(HAVE_PAM_APPL_H AND HAVE_GETGROUPLIST) IF (TARGET auth_pam) MYSQL_ADD_EXECUTABLE(auth_pam_tool auth_pam_tool.c DESTINATION ${INSTALL_PLUGINDIR}/auth_pam_tool_dir COMPONENT Server) TARGET_LINK_LIBRARIES(auth_pam_tool pam) - INSTALL(CODE "EXECUTE_PROCESS( - COMMAND chmod u=rwx,g=,o= auth_pam_tool_dir - COMMAND chmod u=rwxs,g=rx,o=rx auth_pam_tool_dir/auth_pam_tool - WORKING_DIRECTORY \$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${INSTALL_PLUGINDIR}/)" - COMPONENT Server) + SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST} + "%attr(700, -, -) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir" + "%attr(4755, -, -) ${INSTALL_PLUGINDIRABS}/auth_pam_tool_dir/auth_pam_tool") + SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST} PARENT_SCOPE) ENDIF() IF(TARGET auth_pam OR TARGET auth_pam_v1) ADD_SUBDIRECTORY(testing) @@ -52,7 +51,7 @@ IF(HAVE_PAM_APPL_H AND HAVE_GETGROUPLIST) IF(INSTALL_PAMDIR) INSTALL(TARGETS pam_user_map DESTINATION ${INSTALL_PAMDIR} COMPONENT Server) INSTALL(FILES mapper/user_map.conf DESTINATION ${INSTALL_PAMDATADIR} COMPONENT Server) - SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST} "%config(noreplace) ${INSTALL_PAMDATADIR}/*" PARENT_SCOPE) + SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST} "%config(noreplace) ${INSTALL_PAMDATADIRABS}/*" PARENT_SCOPE) ENDIF() ENDIF() ENDIF() -- cgit v1.2.1