
MDEV-36229: Remove CAP_DAC_OVERRIDE CAP_AUDIT_WRITE from AmbientCapabilities #3873

Open
wants to merge 1 commit into base: 10.5

Conversation

grooverdan
Member

…ilities

  • The Jira issue number for this PR is: MDEV-36229

Description

In resolving MDEV-33301 (76a2715) we moved all the capabilities from CapabilityBoundingSet to AmbientCapabilities, where only adding/moving CAP_IPC_LOCK was intended.

The effect of this is that a default running MariaDB HAS the capabilities CAP_DAC_OVERRIDE and CAP_AUDIT_WRITE, allowing it to access any file, even while running as a non-root user.

Resolve this by making CAP_IPC_LOCK apply to AmbientCapabilities and leaving the remaining CAP_DAC_OVERRIDE CAP_AUDIT_WRITE in CapabilityBoundingSet for use by auth_pam_tool.

Release Notes

SECURITY: Correct mistake in previous release where systemd MariaDB services had capabilities CAP_DAC_OVERRIDE and CAP_AUDIT_WRITE by default, allowing arbitrary file access.

How can this PR be tested?

chown -R root:root /var/lib/mysql
chmod -R ugo-rwX /var/lib/mysql
systemctl start mariadb.service

And it should fail.
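As an added check that is not part of this PR, the script below decodes the Cap* lines of /proc/<pid>/status for a running server and flags any ambient or effective capability beyond CAP_IPC_LOCK, so the fault described above can be confirmed on a live host as well as by the start-failure test; the status text is constructed sample data, and only the three capabilities discussed on this page are named.

```python
"""Decode /proc/<pid>/status Cap* masks and flag caps a non-root MariaDB
service should not hold. Added example; the status text is constructed."""
import re

# Bit numbers from <linux/capability.h>; only the caps this page
# discusses are named, any other set bit is reported by number.
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 14: "CAP_IPC_LOCK", 29: "CAP_AUDIT_WRITE"}

# Intended state after the fix: only CAP_IPC_LOCK is granted ambiently;
# the PAM helper's caps live in the bounding set, not in the server's
# own effective set.
ALLOWED_AMBIENT = {"CAP_IPC_LOCK"}

def decode_mask(hex_mask: str) -> set:
    """Turn a hex capability mask into the set of capability names."""
    value = int(hex_mask, 16)
    return {CAP_NAMES.get(bit, f"CAP_{bit}") for bit in range(64)
            if value >> bit & 1}

def parse_status(text: str) -> dict:
    """Extract the CapInh/CapPrm/CapEff/CapBnd/CapAmb masks from a dump."""
    return {m.group(1): decode_mask(m.group(2))
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", text, re.M)}

def audit(text: str) -> list:
    """Return one finding per set (CapAmb, CapEff) holding extra caps."""
    sets = parse_status(text)
    findings = []
    for name in ("CapAmb", "CapEff"):
        extra = sets.get(name, set()) - ALLOWED_AMBIENT
        if extra:
            findings.append(f"{name} holds unexpected {sorted(extra)}")
    return findings

# Constructed samples of `cat /proc/$(pidof mariadbd)/status` for the
# faulty unit (all three caps ambient, 0x20004002 = bits 1, 14, 29) and
# the corrected unit (only bit 14 ambient, the other two bounding-only).
FAULTY = ("Name:\tmariadbd\nUid:\t999\t999\t999\t999\n"
          "CapInh:\t0000000020004002\nCapPrm:\t0000000020004002\n"
          "CapEff:\t0000000020004002\nCapBnd:\t0000000020004002\n"
          "CapAmb:\t0000000020004002\n")
FIXED = ("Name:\tmariadbd\nUid:\t999\t999\t999\t999\n"
         "CapInh:\t0000000000004000\nCapPrm:\t0000000000004000\n"
         "CapEff:\t0000000000004000\nCapBnd:\t0000000020004002\n"
         "CapAmb:\t0000000000004000\n")

if __name__ == "__main__":
    for label, text in (("faulty", FAULTY), ("fixed", FIXED)):
        print(label, audit(text) or ["ok: only CAP_IPC_LOCK granted"])
```

On a real host, pass the contents of /proc/$(pidof mariadbd)/status to audit(); libcap's `capsh --decode=<mask>` gives the same names interactively.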

If the changes are not amenable to automated testing, please explain why not and carefully describe how to test manually.

Basing the PR against the correct MariaDB version

  • This is a new feature or a refactoring, and the PR is based against the main branch.
  • This is a big and important bug fix, and the PR is based against the earliest maintained branch in which the bug can be reproduced.

PR quality check

  • I checked the CODING_STANDARDS.md file and my PR conforms to this where appropriate.
  • For any trivial modifications to the PR, I am ok with the reviewer making the changes themselves.

…ilities

In resolving MDEV-33301 (76a2715) we
moved all the capabilities from CapabilityBoundingSet to AmbientCapabilities
where only adding/moving CAP_IPC_LOCK was intended.

The effect of this is that a default running MariaDB HAS the capabilities
CAP_DAC_OVERRIDE CAP_AUDIT_WRITE allowing it to access any file,
even while running as a non-root user.

Resolve this by making CAP_IPC_LOCK apply to AmbientCapabilities and
leave the remaining CAP_DAC_OVERRIDE CAP_AUDIT_WRITE in CapabilityBoundingSet
for use by auth_pam_tool.
@grooverdan grooverdan added the MariaDB Foundation Pull requests created by MariaDB Foundation label Mar 6, 2025
@grooverdan grooverdan requested a review from vuvova March 6, 2025 04:38
@cvicentiu cvicentiu self-requested a review March 6, 2025 07:36
@eworm-de
Contributor

eworm-de commented Mar 6, 2025

Waiting for this to be merged, I will push new Arch packages with this cherry-picked then.

Is it considered important enough for another round of point releases?

# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
# does nothing for non-root, not needed if /etc/shadow is u+r
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
AmbientCapabilities=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

@desdic desdic Mar 6, 2025


Don't think you need this .. I changed mine to only have

AmbientCapabilities=CAP_IPC_LOCK and this seems to work

Member Author


Per the above comments in the file, these are only for the PAM integration of MariaDB.

Member


During an execve(2), the capability bounding set is ANDed with the file permitted capability set

What is the "file permitted capability set" for auth_pam_tool?

@ottok
Contributor

ottok commented Mar 11, 2025

Do you plan to revert/change the debian/mariadb-server-core.postinst change in 8a1904d?

@grooverdan
Member Author

Do you plan to revert/change the debian/mariadb-server-core.postinst change in 8a1904d?

it was reverted in ee2ed1a

@ottok
Contributor

ottok commented Mar 13, 2025

This is pending being included for the Ubuntu 24.10 upload at https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/109

ottok added a commit to ottok/mariadb that referenced this pull request Mar 20, 2025
This reverts commit 497fa1f.

Upstream reverted this in ee2ed1a and the change is pending rework at
MariaDB#3873
ottok added a commit to ottok/mariadb that referenced this pull request Mar 21, 2025
This reverts commit 3cdd8be.

Upstream reverted this in ee2ed1a and the change is pending rework at
MariaDB#3873
Labels
MariaDB Foundation Pull requests created by MariaDB Foundation