I'm sure the behavior I'm seeing here is by design so this is really more of a usage question, and whether there are any workarounds.
It seems that using google-authenticator-libpam does not work if the calling process is unprivileged and/or lacks CAP_SETUID/CAP_SETGID because the PAM module attempts to setuid/setgid to the user it is trying to authenticate in order to read $HOME/.google_authenticator
We are attempting to use this module with MySQL for multi-factor authentication. Our PAM config is very simple:
With this setup, we get the following in /var/log/secure:
Aug 29 10:49:45 mfa mysql(pam_google_authenticator)[2941]: Failed to change user id to "<sanitized>"
An strace of mysqld while attempting to authenticate revealed that we are getting EPERM on setresgid(), for example:
Adding cap_setgid and cap_setuid on the mysqld executable allows us to work around this problem, but is only slightly less evil than running mysqld as root, which also works.
My estimation is that setresgid is being called because $HOME/.google_authenticator should be owned by the authenticating user and have mode 0600. However, this means that any process using this PAM module needs cap_setuid/cap_setgid.
A possible solution would be to allow the mysql group read access to $HOME/.google_authenticator so setuid/setgid is unnecessary. Is there a way to achieve this, or another workaround to allow unprivileged processes to use the module?
ThomasHabets
commented
7 years ago
I'm sure the behavior I'm seeing here is by design so this is really more of a usage question, and whether there are any workarounds.
It seems that using google-authenticator-libpam does not work if the calling process is unprivileged and/or lacks CAP_SETUID/CAP_SETGID because the PAM module attempts to setuid/setgid to the user it is trying to authenticate in order to read $HOME/.google_authenticator
We are attempting to use this module with MySQL for multi-factor authentication. Our PAM config is very simple:
With this setup, we get the following in /var/log/secure:
Aug 29 10:49:45 mfa mysql(pam_google_authenticator)[2941]: Failed to change user id to "<sanitized>"An strace of mysqld while attempting to authenticate revealed that we are getting EPERM on setresgid(), for example:
Adding cap_setgid and cap_setuid on the mysqld executable allows us to work around this problem, but is only slightly less evil than running mysqld as root, which also works.
My estimation is that setresgid is being called because $HOME/.google_authenticator should be owned by the authenticating user and have mode 0600. However, this means that any process using this PAM module needs cap_setuid/cap_setgid.
A possible solution would be to allow the mysql group read access to $HOME/.google_authenticator so setuid/setgid is unnecessary. Is there a way to achieve this, or another workaround to allow unprivileged processes to use the module?