Diffstat (limited to 'plugin/cracklib_password_check')
-rw-r--r--plugin/cracklib_password_check/CMakeLists.txt48
-rw-r--r--plugin/cracklib_password_check/cracklib_password_check.c86
-rw-r--r--plugin/cracklib_password_check/policy/selinux/mariadb-plugin-cracklib-password-check.te13
-rw-r--r--plugin/cracklib_password_check/support-files/rpm/mariadb-plugin-cracklib-password-check-postin.sh8
4 files changed, 155 insertions, 0 deletions
diff --git a/plugin/cracklib_password_check/CMakeLists.txt b/plugin/cracklib_password_check/CMakeLists.txt
new file mode 100644
index 00000000..79b3b80f
--- /dev/null
+++ b/plugin/cracklib_password_check/CMakeLists.txt
@@ -0,0 +1,48 @@
+
+IF(PLUGIN_CRACKLIB_PASSWORD_CHECK STREQUAL "NO")
+ ADD_FEATURE_INFO(CRACKLIB_PASSWORD_CHECK "OFF" "CrackLib Password Validation Plugin")
+ RETURN()
+ENDIF()
+
+INCLUDE (CheckIncludeFiles)
+INCLUDE (CheckLibraryExists)
+
+SET(CPACK_RPM_cracklib-password-check_PACKAGE_SUMMARY "CrackLib Password Validation Plugin for MariaDB server" PARENT_SCOPE)
+SET(CPACK_RPM_cracklib-password-check_PACKAGE_DESCRIPTION "This password validation plugin uses cracklib to allow only
+sufficiently secure (as defined by cracklib) user passwords in MariaDB server." PARENT_SCOPE)
+
+CHECK_LIBRARY_EXISTS(crack FascistCheckUser "" HAVE_LIBCRACK)
+
+SET(CMAKE_REQUIRED_DEFINITIONS -Dsize_t=int) # debian hack, debian bug.
+CHECK_INCLUDE_FILES (crack.h HAVE_CRACK_H)
+
+IF (HAVE_ALLOCA_H AND HAVE_CRACK_H AND HAVE_LIBCRACK AND HAVE_MEMCPY)
+ MYSQL_ADD_PLUGIN(cracklib_password_check cracklib_password_check.c
+ LINK_LIBRARIES crack MODULE_ONLY
+ COMPONENT cracklib-password-check)
+
+ IF (RPM)
+ SET(inst_location ${INSTALL_SUPPORTFILESDIR})
+ INSTALL(DIRECTORY policy DESTINATION ${inst_location} COMPONENT cracklib-password-check)
+ FIND_PROGRAM(CHECKMODULE checkmodule)
+ FIND_PROGRAM(SEMODULE_PACKAGE semodule_package)
+ MARK_AS_ADVANCED(CHECKMODULE SEMODULE_PACKAGE)
+
+ # Build pp files in policy/selinux
+ IF(CHECKMODULE AND SEMODULE_PACKAGE)
+ FOREACH(pol mariadb-plugin-cracklib-password-check)
+ SET(src ${CMAKE_CURRENT_SOURCE_DIR}/policy/selinux/${pol}.te)
+ SET(tmp ${CMAKE_CURRENT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/${pol}-pp.dir/${pol}.mod)
+ SET(out ${CMAKE_CURRENT_BINARY_DIR}/${pol}.pp)
+ ADD_CUSTOM_COMMAND(OUTPUT ${out}
+ COMMAND ${CHECKMODULE} -M -m ${src} -o ${tmp}
+ COMMAND ${SEMODULE_PACKAGE} -m ${tmp} -o ${out}
+ DEPENDS ${src})
+ ADD_CUSTOM_TARGET(${pol}-pp ALL DEPENDS ${out})
+ INSTALL(FILES ${out} DESTINATION ${inst_location}/policy/selinux COMPONENT cracklib-password-check)
+ ENDFOREACH()
+ ENDIF()
+
+ ENDIF()
+
+ENDIF()
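Review bot: `SET(CMAKE_REQUIRED_DEFINITIONS -Dsize_t=int)` before the crack.h probe is never cleared, so the definition stays in this directory's scope and would silently affect any CHECK_* call added after it; add `UNSET(CMAKE_REQUIRED_DEFINITIONS)` directly after `CHECK_INCLUDE_FILES (crack.h HAVE_CRACK_H)`. The comment `# debian hack, debian bug.` should say what is being worked around so the hack can be removed once fixed, e.g. `# crack.h on Debian does not compile without this; see <debian bug id>`. The condition at `IF (HAVE_ALLOCA_H AND HAVE_CRACK_H AND HAVE_LIBCRACK AND HAVE_MEMCPY)` relies on HAVE_ALLOCA_H and HAVE_MEMCPY being computed by the top-level configure, which is not visible here; a one-line comment naming where they come from would help the next reader.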
diff --git a/plugin/cracklib_password_check/cracklib_password_check.c b/plugin/cracklib_password_check/cracklib_password_check.c
new file mode 100644
index 00000000..1aaf6ba0
--- /dev/null
+++ b/plugin/cracklib_password_check/cracklib_password_check.c
@@ -0,0 +1,86 @@
+/* Copyright (c) 2014, Sergei Golubchik and MariaDB
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */
+
+#include <my_alloca.h>
+#include <mysql/plugin_password_validation.h>
+#include <crack.h>
+#include <string.h>
+#include <mysqld_error.h>
+
+static char *dictionary;
+
+static int crackme(const MYSQL_CONST_LEX_STRING *username,
+ const MYSQL_CONST_LEX_STRING *password,
+ const MYSQL_CONST_LEX_STRING *hostname)
+{
+ char *user= alloca(username->length + 1);
+ char *full_name= alloca(hostname->length + username->length + 2);
+ const char *res;
+
+ memcpy(user, username->str, username->length);
+ user[username->length]= 0;
+ memcpy(full_name, username->str, username->length);
+ full_name[username->length]= '@';
+ memcpy(full_name + username->length + 1, hostname->str, hostname->length);
+ full_name[hostname->length+ username->length + 1]= 0;
+
+ if ((res= FascistCheckUser(password->str, dictionary, user, full_name)))
+ {
+ my_printf_error(ER_NOT_VALID_PASSWORD, "cracklib: %s",
+ ME_WARNING, res);
+ return 1;
+ }
+
+ return 0;
+}
+
+static MYSQL_SYSVAR_STR(dictionary, dictionary, PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,
+ "Path to a cracklib dictionary", NULL, NULL, 0);
+
+/* optional user-friendly nicety */
+void set_default_dictionary_path() __attribute__((constructor));
+void set_default_dictionary_path()
+{
+ MYSQL_SYSVAR_NAME(dictionary).def_val = GetDefaultCracklibDict();
+}
+
+static struct st_mysql_sys_var* sysvars[]= {
+ MYSQL_SYSVAR(dictionary),
+ NULL
+};
+
+static struct st_mariadb_password_validation info=
+{
+ MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION,
+ crackme
+};
+
+maria_declare_plugin(cracklib_password_check)
+{
+ MariaDB_PASSWORD_VALIDATION_PLUGIN,
+ &info,
+ "cracklib_password_check",
+ "Sergei Golubchik",
+ "Password validation via CrackLib",
+ PLUGIN_LICENSE_GPL,
+ NULL,
+ NULL,
+ 0x0100,
+ NULL,
+ sysvars,
+ "1.0",
+ MariaDB_PLUGIN_MATURITY_STABLE
+}
+maria_declare_plugin_end;
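Review bot: In crackme, `FascistCheckUser(password->str, dictionary, user, full_name)` hands the password over without the NUL-terminated copy that username and hostname receive, so correctness depends on the caller guaranteeing a terminated string; if MYSQL_CONST_LEX_STRING does not promise that, cracklib reads past `password->length`. Copy it the same way as the other two: `char *pass= alloca(password->length + 1);`, `memcpy(pass, password->str, password->length);`, `pass[password->length]= 0;` and pass `pass` instead of `password->str`. Because that copy holds a credential, clear it before returning; a plain `memset` on a dead buffer may be optimized away, so prefer an explicit-zeroing helper if the tree has one. The alloca sizes are taken from caller-supplied lengths; presumably the server bounds user and host names, but that bound is not visible in this hunk and is worth a comment. Separately, `set_default_dictionary_path` is an exported non-static symbol with an empty `()` parameter list; `static void set_default_dictionary_path(void)` keeps it out of the module's global namespace.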
diff --git a/plugin/cracklib_password_check/policy/selinux/mariadb-plugin-cracklib-password-check.te b/plugin/cracklib_password_check/policy/selinux/mariadb-plugin-cracklib-password-check.te
new file mode 100644
index 00000000..a352f206
--- /dev/null
+++ b/plugin/cracklib_password_check/policy/selinux/mariadb-plugin-cracklib-password-check.te
@@ -0,0 +1,13 @@
+
+module mariadb-plugin-cracklib-password-check 1.0;
+
+require {
+ type mysqld_t;
+ type crack_db_t;
+ class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
+ class dir { write search getattr add_name read remove_name open };
+}
+
+allow mysqld_t crack_db_t:dir { search read open };
+allow mysqld_t crack_db_t:file { getattr read open };
+
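Review bot: The `require` block declares far more permissions than the two `allow` rules use — `execute`, `setattr`, `create`, `execute_no_trans`, `write`, `ioctl`, `append`, `unlink` on `file` and `write`, `add_name`, `remove_name` on `dir` are never granted. Requiring them does not grant anything, but it makes the module harder to audit and fails to load on a base policy that lacks any of them; trim the declarations to what is actually used, e.g. `class file { getattr read open };` and `class dir { search read open };`. The allow rules themselves are read-only on `crack_db_t`, which is the right scope for a dictionary lookup.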
diff --git a/plugin/cracklib_password_check/support-files/rpm/mariadb-plugin-cracklib-password-check-postin.sh b/plugin/cracklib_password_check/support-files/rpm/mariadb-plugin-cracklib-password-check-postin.sh
new file mode 100644
index 00000000..43315503
--- /dev/null
+++ b/plugin/cracklib_password_check/support-files/rpm/mariadb-plugin-cracklib-password-check-postin.sh
@@ -0,0 +1,8 @@
+SETARGETDIR=/etc/selinux/targeted/src/policy
+SEDOMPROG=$SETARGETDIR/domains/program
+SECONPROG=$SETARGETDIR/file_contexts/program
+
+if [ -x /usr/sbin/semodule ] ; then
+ /usr/sbin/semodule -i /usr/share/mysql/policy/selinux/mariadb-plugin-cracklib-password-check.pp
+fi
+
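Review bot: `SETARGETDIR`, `SEDOMPROG` and `SECONPROG` are assigned and never used, so the first three lines are dead code and should be dropped. The path `/usr/share/mysql/policy/selinux/mariadb-plugin-cracklib-password-check.pp` is hard-coded here while the CMake side installs under `${INSTALL_SUPPORTFILESDIR}/policy/selinux`; presumably these agree for the RPM layout, but a comment stating that dependency would keep them from drifting apart. The `semodule -i` result is not checked; if a failed policy load should not abort package installation, make that explicit with `|| echo "SELinux policy install failed" >&2` (or the reverse if it should).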