author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 18:00:34 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 18:00:34 +0000 |
commit | 3f619478f796eddbba6e39502fe941b285dd97b1 (patch) | |
tree | e2c7b5777f728320e5b5542b6213fd3591ba51e2 /plugin/cracklib_password_check | |
parent | Initial commit. (diff) | |
Adding upstream version 1:10.11.6.upstream/1%10.11.6upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'plugin/cracklib_password_check')
4 files changed, 155 insertions, 0 deletions
diff --git a/plugin/cracklib_password_check/CMakeLists.txt b/plugin/cracklib_password_check/CMakeLists.txt
new file mode 100644
index 00000000..79b3b80f
--- /dev/null
+++ b/plugin/cracklib_password_check/CMakeLists.txt
@@ -0,0 +1,48 @@
+
+IF(PLUGIN_CRACKLIB_PASSWORD_CHECK STREQUAL "NO")
+ ADD_FEATURE_INFO(CRACKLIB_PASSWORD_CHECK "OFF" "CrackLib Password Validation Plugin")
+ RETURN()
+ENDIF()
+
+INCLUDE (CheckIncludeFiles)
+INCLUDE (CheckLibraryExists)
+
+SET(CPACK_RPM_cracklib-password-check_PACKAGE_SUMMARY "CrackLib Password Validation Plugin for MariaDB server" PARENT_SCOPE)
+SET(CPACK_RPM_cracklib-password-check_PACKAGE_DESCRIPTION "This password validation plugin uses cracklib to allow only
+sufficiently secure (as defined by cracklib) user passwords in MariaDB server." PARENT_SCOPE)
+
+CHECK_LIBRARY_EXISTS(crack FascistCheckUser "" HAVE_LIBCRACK)
+
+SET(CMAKE_REQUIRED_DEFINITIONS -Dsize_t=int) # debian hack, debian bug.
+CHECK_INCLUDE_FILES (crack.h HAVE_CRACK_H)
+
+IF (HAVE_ALLOCA_H AND HAVE_CRACK_H AND HAVE_LIBCRACK AND HAVE_MEMCPY)
+ MYSQL_ADD_PLUGIN(cracklib_password_check cracklib_password_check.c
+ LINK_LIBRARIES crack MODULE_ONLY
+ COMPONENT cracklib-password-check)
+
+ IF (RPM)
+ SET(inst_location ${INSTALL_SUPPORTFILESDIR})
+ INSTALL(DIRECTORY policy DESTINATION ${inst_location} COMPONENT cracklib-password-check)
+ FIND_PROGRAM(CHECKMODULE checkmodule)
+ FIND_PROGRAM(SEMODULE_PACKAGE semodule_package)
+ MARK_AS_ADVANCED(CHECKMODULE SEMODULE_PACKAGE)
+
+ # Build pp files in policy/selinux
+ IF(CHECKMODULE AND SEMODULE_PACKAGE)
+ FOREACH(pol mariadb-plugin-cracklib-password-check)
+ SET(src ${CMAKE_CURRENT_SOURCE_DIR}/policy/selinux/${pol}.te)
+ SET(tmp ${CMAKE_CURRENT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/${pol}-pp.dir/${pol}.mod)
+ SET(out ${CMAKE_CURRENT_BINARY_DIR}/${pol}.pp)
+ ADD_CUSTOM_COMMAND(OUTPUT ${out}
+ COMMAND ${CHECKMODULE} -M -m ${src} -o ${tmp}
+ COMMAND ${SEMODULE_PACKAGE} -m ${tmp} -o ${out}
+ DEPENDS ${src})
+ ADD_CUSTOM_TARGET(${pol}-pp ALL DEPENDS ${out})
+ INSTALL(FILES ${out} DESTINATION ${inst_location}/policy/selinux COMPONENT cracklib-password-check)
+ ENDFOREACH()
+ ENDIF()
+
+ ENDIF()
+
+ENDIF()
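Review bot: The `ADD_CUSTOM_COMMAND` that runs `${CHECKMODULE}` and `${SEMODULE_PACKAGE}` has no `VERBATIM`, so how `${src}`, `${tmp}` and `${out}` are escaped depends on the generator and a source or build path containing a space breaks the policy build; add `VERBATIM` after `DEPENDS ${src}`. `SET(CMAKE_REQUIRED_DEFINITIONS -Dsize_t=int)` is also left in effect after `CHECK_INCLUDE_FILES (crack.h HAVE_CRACK_H)`, so any later `CHECK_*` call in this directory scope would be compiled with `size_t` redefined to `int`; follow that check with `UNSET(CMAKE_REQUIRED_DEFINITIONS)`. The trailing comment `# debian hack, debian bug.` would help a maintainer more if it said which symptom the redefinition works around, since nothing else in the file explains why the header check needs it.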
diff --git a/plugin/cracklib_password_check/cracklib_password_check.c b/plugin/cracklib_password_check/cracklib_password_check.c
new file mode 100644
index 00000000..1aaf6ba0
--- /dev/null
+++ b/plugin/cracklib_password_check/cracklib_password_check.c
@@ -0,0 +1,86 @@
+/* Copyright (c) 2014, Sergei Golubchik and MariaDB
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */
+
+#include <my_alloca.h>
+#include <mysql/plugin_password_validation.h>
+#include <crack.h>
+#include <string.h>
+#include <mysqld_error.h>
+
+static char *dictionary;
+
+static int crackme(const MYSQL_CONST_LEX_STRING *username,
+ const MYSQL_CONST_LEX_STRING *password,
+ const MYSQL_CONST_LEX_STRING *hostname)
+{
+ char *user= alloca(username->length + 1);
+ char *full_name= alloca(hostname->length + username->length + 2);
+ const char *res;
+
+ memcpy(user, username->str, username->length);
+ user[username->length]= 0;
+ memcpy(full_name, username->str, username->length);
+ full_name[username->length]= '@';
+ memcpy(full_name + username->length + 1, hostname->str, hostname->length);
+ full_name[hostname->length+ username->length + 1]= 0;
+
+ if ((res= FascistCheckUser(password->str, dictionary, user, full_name)))
+ {
+ my_printf_error(ER_NOT_VALID_PASSWORD, "cracklib: %s",
+ ME_WARNING, res);
+ return 1;
+ }
+
+ return 0;
+}
+
+static MYSQL_SYSVAR_STR(dictionary, dictionary, PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,
+ "Path to a cracklib dictionary", NULL, NULL, 0);
+
+/* optional user-friendly nicety */
+void set_default_dictionary_path() __attribute__((constructor));
+void set_default_dictionary_path()
+{
+ MYSQL_SYSVAR_NAME(dictionary).def_val = 
GetDefaultCracklibDict();
+}
+
+static struct st_mysql_sys_var* sysvars[]= {
+ MYSQL_SYSVAR(dictionary),
+ NULL
+};
+
+static struct st_mariadb_password_validation info=
+{
+ MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION,
+ crackme
+};
+
+maria_declare_plugin(cracklib_password_check)
+{
+ MariaDB_PASSWORD_VALIDATION_PLUGIN,
+ &info,
+ "cracklib_password_check",
+ "Sergei Golubchik",
+ "Password validation via CrackLib",
+ PLUGIN_LICENSE_GPL,
+ NULL,
+ NULL,
+ 0x0100,
+ NULL,
+ sysvars,
+ "1.0",
+ MariaDB_PLUGIN_MATURITY_STABLE
+}
+maria_declare_plugin_end;
diff --git a/plugin/cracklib_password_check/policy/selinux/mariadb-plugin-cracklib-password-check.te b/plugin/cracklib_password_check/policy/selinux/mariadb-plugin-cracklib-password-check.te
new file mode 100644
index 00000000..a352f206
--- /dev/null
+++ b/plugin/cracklib_password_check/policy/selinux/mariadb-plugin-cracklib-password-check.te
@@ -0,0 +1,13 @@
+
+module mariadb-plugin-cracklib-password-check 1.0;
+
+require {
+ type mysqld_t;
+ type crack_db_t;
+ class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
+ class dir { write search getattr add_name read remove_name open };
+}
+
+allow mysqld_t crack_db_t:dir { search read open };
+allow mysqld_t crack_db_t:file { getattr read open };
+
diff --git a/plugin/cracklib_password_check/support-files/rpm/mariadb-plugin-cracklib-password-check-postin.sh b/plugin/cracklib_password_check/support-files/rpm/mariadb-plugin-cracklib-password-check-postin.sh
new file mode 100644
index 00000000..43315503
--- /dev/null
+++ b/plugin/cracklib_password_check/support-files/rpm/mariadb-plugin-cracklib-password-check-postin.sh
@@ -0,0 +1,8 @@
+SETARGETDIR=/etc/selinux/targeted/src/policy
+SEDOMPROG=$SETARGETDIR/domains/program
+SECONPROG=$SETARGETDIR/file_contexts/program
+
+if [ -x /usr/sbin/semodule ] ; then
+ /usr/sbin/semodule -i /usr/share/mysql/policy/selinux/mariadb-plugin-cracklib-password-check.pp
+fi
+
|
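Review bot: `crackme` copies `username` into `user` and builds `full_name` with an explicit NUL terminator, but hands `password->str` to `FascistCheckUser` untouched, so the check silently relies on the caller's `MYSQL_CONST_LEX_STRING` for the password being NUL-terminated, a guarantee the `str`/`length` pair does not express. If the server does guarantee it, say so next to the call with `/* password->str is NUL-terminated by the server; username/hostname are not */`; if not, copy it the same way as the others: `char *pw= alloca(password->length + 1); memcpy(pw, password->str, password->length); pw[password->length]= 0;` and pass `pw`. Since cracklib only sees a C string, a password whose bytes contain a NUL is examined only up to that byte; if the server permits such passwords, testing `memchr(password->str, 0, password->length)` and rejecting keeps the validation covering the whole string. Minor: both `set_default_dictionary_path()` declarations should be written `(void)` so that C treats them as a real prototype rather than an unspecified parameter list.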
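Review bot: The `require` block declares far more permissions than the two `allow` rules grant — `execute`, `setattr`, `create`, `execute_no_trans`, `write`, `ioctl`, `append` and `unlink` on `file`, and `write`, `add_name` and `remove_name` on `dir` are never used — which makes the module's actual footprint harder to audit and looks like a template left unpruned. Trimming it to `class file { getattr read open };` and `class dir { search read open };` states exactly the read-only access to the cracklib dictionary that the policy grants, which is what a reviewer of an `allow mysqld_t crack_db_t` rule wants to see at a glance. A one-line `#` comment above `module` explaining that the password-validation plugin loaded into `mysqld_t` must read the `crack_db_t` dictionary would also help, since the `.te` file currently carries no rationale.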
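Review bot: `SETARGETDIR`, `SEDOMPROG` and `SECONPROG` on the first three lines are assigned and never read, so they should be removed rather than left to suggest a dependency on the legacy `/etc/selinux/targeted/src/policy` tree. The `if` only checks that `/usr/sbin/semodule` is executable, not that the `.pp` file is at the hard-coded path; CMakeLists.txt installs it under `${inst_location}/policy/selinux` with `inst_location` taken from `INSTALL_SUPPORTFILESDIR`, so if that prefix is not `/usr/share/mysql` the `semodule -i` fails and the error is reported from the package's post-install step. Using `pp=/usr/share/mysql/policy/selinux/mariadb-plugin-cracklib-password-check.pp` and `if [ -x /usr/sbin/semodule ] && [ -f "$pp" ]; then` makes the step a clean no-op when the policy file is absent; whether a matching post-uninstall script removes the module with `semodule -r` is not visible in this commit and is worth confirming.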