MDEV-27341 Use SET PASSWORD to change PAM service

vuvova · vuvova · commit 7b555ff2c5cd · 2022-01-17T18:19:29.000+01:00
SET PASSWORD = PASSWORD('foo') would fail for pam plugin with

ERROR HY000: SET PASSWORD is ignored for users authenticating via pam plugin

but SET PASSWORD = 'foo' would not.

Now it will.
diff --git a/include/mysql/plugin_auth.h b/include/mysql/plugin_auth.h
@@ -147,7 +147,8 @@ struct st_mysql_auth
 
     @return 0 for ok, 1 for error
 
-    Can be NULL.
+    Can be NULL, in this case one will not be able to use SET PASSWORD or
+    PASSWORD('...') in GRANT, CREATE USER, ALTER USER.
   */
   int (*hash_password)(const char *password, size_t password_length,
                        char *hash, size_t *hash_length);
diff --git a/mysql-test/suite/plugins/r/pam.result b/mysql-test/suite/plugins/r/pam.result
@@ -91,4 +91,21 @@ select user(), current_user(), database();
 user()	current_user()	database()
 PAM_TEST@localhost	PAM_TEST@%	test
 drop user PAM_TEST;
+#
+# MDEV-27341 Use SET PASSWORD to change PAM service
+#
+create user pam_test identified via pam using 'mariadb_mtr';
+Challenge input first.
+Enter: *************************
+Now, the magic number!
+PIN: 9225
+select user(), current_user(), database();
+user()	current_user()	database()
+pam_test@localhost	pam_test@%	test
+set password='foo';
+ERROR HY000: SET PASSWORD is ignored for users authenticating via pam plugin
+show create user;
+CREATE USER for pam_test@%
+CREATE USER `pam_test`@`%` IDENTIFIED VIA pam USING 'mariadb_mtr'
+drop user pam_test;
 uninstall plugin pam;
diff --git a/mysql-test/suite/plugins/t/pam.test b/mysql-test/suite/plugins/t/pam.test
@@ -45,7 +45,6 @@ EOF
 --echo #
 --echo # athentication is successful
 --echo #
---error 0
 --exec $MYSQL_TEST -u test_pam -pgoodpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt
 
 --echo #
@@ -106,6 +105,22 @@ set global pam_winbind_workaround=1;
 --remove_file $MYSQLTEST_VARDIR/tmp/pam_ugly.txt
 drop user PAM_TEST;
 
+--echo #
+--echo # MDEV-27341 Use SET PASSWORD to change PAM service
+--echo #
+create user pam_test identified via pam using 'mariadb_mtr';
+--write_file $MYSQLTEST_VARDIR/tmp/setpwd.txt
+not very secret challenge
+9225
+select user(), current_user(), database();
+error ER_SET_PASSWORD_AUTH_PLUGIN;
+set password='foo';
+show create user;
+EOF
+--exec $MYSQL_TEST -u pam_test < $MYSQLTEST_VARDIR/tmp/setpwd.txt
+--remove_file $MYSQLTEST_VARDIR/tmp/setpwd.txt
+drop user pam_test;
+
 let $count_sessions= 1;
 --source include/wait_until_count_sessions.inc
 uninstall plugin pam;
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -2135,6 +2135,12 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user,
     goto end;
   }
 
+  if (thd->lex->sql_command == SQLCOM_SET_OPTION && !info->hash_password)
+  {
+    res= ER_SET_PASSWORD_AUTH_PLUGIN;
+    goto end;
+  }
+
   if (info->hash_password &&
       validate_password(thd, user, pwtext, auth->auth_string.length))
   {

Original file line number	Diff line number	Diff line change
`@@ -2135,6 +2135,12 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user,`
`2135`	`2135`	`goto end;`
`2136`	`2136`	`}`
`2137`	`2137`
	`2138`	`+ if (thd->lex->sql_command == SQLCOM_SET_OPTION && !info->hash_password)`
	`2139`	`+ {`
	`2140`	`+ res= ER_SET_PASSWORD_AUTH_PLUGIN;`
	`2141`	`+ goto end;`
	`2142`	`+ }`
	`2143`	`+`
`2138`	`2144`	`if (info->hash_password &&`
`2139`	`2145`	`validate_password(thd, user, pwtext, auth->auth_string.length))`
`2140`	`2146`	`{`