From 961dd16ae888db28436f9034dded0e21bd9cff11ea3be7821fff749fd8d6f93a Mon Sep 17 00:00:00 2001
From: Kristyna Streitova
Date: Tue, 4 Feb 2020 14:05:21 +0000
Subject: [PATCH] Accepting request 769982 from home:kstreitova:branches:server:database

OBS-URL: https://build.opensuse.org/request/show/769982
OBS-URL: https://build.opensuse.org/package/show/server:database/mariadb?expand=0&rev=242
---
 _constraints | 2 +-
 mariadb-10.2.4-fortify-and-O.patch | 16 ++--
 mariadb-10.3.20.tar.gz | 3 -
 mariadb-10.3.20.tar.gz.sig | 6 --
 mariadb-10.4.12-fix-install-db.patch | 37 ++++++++++
 mariadb-10.4.12-harden_setuid.patch | 21 ++++++
 mariadb-10.4.12.tar.gz | 3 +
 mariadb-10.4.12.tar.gz.sig | 6 ++
 mariadb.changes | 67 +++++++++++++++++
 mariadb.rpmlintrc | 21 ++++++
 mariadb.service | 44 +++++++++--
 mariadb.spec | 106 ++++++++++++++++++++-------
 mariadb@.service | 44 +++++++++--
 mysql-systemd-helper | 21 +++---
 suse_skipped_tests.list | 24 ++++--
 15 files changed, 348 insertions(+), 73 deletions(-)
 delete mode 100644 mariadb-10.3.20.tar.gz
 delete mode 100644 mariadb-10.3.20.tar.gz.sig
 create mode 100644 mariadb-10.4.12-fix-install-db.patch
 create mode 100644 mariadb-10.4.12-harden_setuid.patch
 create mode 100644 mariadb-10.4.12.tar.gz
 create mode 100644 mariadb-10.4.12.tar.gz.sig
 create mode 100644 mariadb.rpmlintrc

diff --git a/_constraints b/_constraints
index 4e330b3..75565a5 100644
--- a/_constraints
+++ b/_constraints
@@ -7,7 +7,7 @@
- 6
+ 10
 10
diff --git a/mariadb-10.2.4-fortify-and-O.patch b/mariadb-10.2.4-fortify-and-O.patch
index 0f3b768..94cf9b1 100644
--- a/mariadb-10.2.4-fortify-and-O.patch
+++ b/mariadb-10.2.4-fortify-and-O.patch
@@ -9,14 +9,14 @@ Index: CMakeLists.txt
 ===================================================================
 --- CMakeLists.txt.orig
 +++ CMakeLists.txt
-@@ -236,7 +236,6 @@ IF(NOT WITH_TSAN)
- MY_CHECK_AND_SET_COMPILER_FLAG("-pie -fPIC")
- MY_CHECK_AND_SET_COMPILER_FLAG("-Wl,-z,relro,-z,now")
- MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-protector --param=ssp-buffer-size=4")
-- MY_CHECK_AND_SET_COMPILER_FLAG("-D_FORTIFY_SOURCE=2" RELEASE RELWITHDEBINFO)
- ENDIF()
+@@ -238,7 +238,6 @@ IF(SECURITY_HARDENED AND NOT WITH_ASAN A
+ MY_CHECK_AND_SET_COMPILER_FLAG("-pie -fPIC")
+ MY_CHECK_AND_SET_COMPILER_FLAG("-Wl,-z,relro,-z,now")
+ MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-protector --param=ssp-buffer-size=4")
+- MY_CHECK_AND_SET_COMPILER_FLAG("-D_FORTIFY_SOURCE=2" RELEASE RELWITHDEBINFO)
  ENDIF()
+ INCLUDE(wsrep)
 Index: storage/tokudb/PerconaFT/cmake_modules/TokuSetupCompiler.cmake
 ===================================================================
 --- storage/tokudb/PerconaFT/cmake_modules/TokuSetupCompiler.cmake.orig
@@ -33,7 +33,7 @@ Index: storage/tokudb/PerconaFT/cmake_modules/TokuSetupCompiler.cmake
 )
 endif ()
-@@ -103,23 +101,23 @@ set_cflags_if_supported(
+@@ -102,23 +100,23 @@ set_cflags_if_supported(
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fexceptions")
 ## set extra debugging flags and preprocessor definitions
@@ -65,7 +65,7 @@ Index: storage/tokudb/PerconaFT/cmake_modules/TokuSetupCompiler.cmake
 else ()
 if (APPLE)
 set(FLTO_OPTS "-fwhole-program")
-@@ -127,10 +125,10 @@ else ()
+@@ -126,10 +124,10 @@ else ()
 set(FLTO_OPTS "-fuse-linker-plugin")
 endif()
 # we overwrite this because the default passes -DNDEBUG and we don't want that
diff --git a/mariadb-10.3.20.tar.gz b/mariadb-10.3.20.tar.gz
deleted file mode 100644
index e443724..0000000
--- a/mariadb-10.3.20.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:53818f2d684e060143b4d8293da44c7f09cc676d71959405f84e6dc8affbc492
-size 71990355
diff --git a/mariadb-10.3.20.tar.gz.sig b/mariadb-10.3.20.tar.gz.sig
deleted file mode 100644
index 01ee00a..0000000
--- a/mariadb-10.3.20.tar.gz.sig
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQQZk2nlQEvV/H0v5DvLywgqG7lD2wUCXcRePgAKCRDLywgqG7lD
-28mOAKCeYd/0dzDmJKABZwTzFk5/GmQSGACgq5IBDwvkd5ahataS8kwFiqcI0MQ=
-=Xkld
------END PGP SIGNATURE-----
diff --git a/mariadb-10.4.12-fix-install-db.patch b/mariadb-10.4.12-fix-install-db.patch
new file mode 100644
index 0000000..dcdde18
--- /dev/null
+++ b/mariadb-10.4.12-fix-install-db.patch
@@ -0,0 +1,37 @@
+Index: mariadb-10.4.12/scripts/mysql_install_db.sh
+===================================================================
+--- mariadb-10.4.12.orig/scripts/mysql_install_db.sh
++++ mariadb-10.4.12/scripts/mysql_install_db.sh
+@@ -482,20 +482,22 @@ if test -n "$user"
+ then
+ if test -z "$srcdir" -a "$in_rpm" -eq 0
+ then
+- chown 0 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool" && \
+- chmod 04755 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"
+- if test $? -ne 0
++ tool_ownership=`stat -c "%U:%G" "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"`
++ tool_mode=`stat -c "%a" "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"`
++
++ if test "$tool_ownership" != "root:root" -o "$tool_mode" != "4755"
+ then
+- echo "Couldn't set an owner to '$pamtooldir/auth_pam_tool_dir/auth_pam_tool'."
+- echo "It must be root, the PAM authentication plugin doesn't work otherwise.."
++ echo "Permissions/ownership of the '$pamtooldir/auth_pam_tool_dir/auth_pam_tool' file are bad."
++ echo "It must be owned by root:root and have mode 4750."
+ echo
+ fi
+- chown $user "$pamtooldir/auth_pam_tool_dir" && \
+- chmod 0700 "$pamtooldir/auth_pam_tool_dir"
+- if test $? -ne 0
++
++ dir_ownership=`stat -c "%U:%G" "$pamtooldir/auth_pam_tool_dir"`
++ dir_mode=`stat -c "%a" "$pamtooldir/auth_pam_tool_dir"`
++ if test "$dir_ownership" != "root:mysql" -o "$dir_mode" != "750"
+ then
+- echo "Cannot change ownership of the '$pamtooldir/auth_pam_tool_dir' directory"
+- echo "to the '$user' user. Check that you have the necessary permissions and try again."
++ echo "Permissions/ownership of the '$pamtooldir/auth_pam_tool_dir' directory are bad."
++ echo "It must be owned by root:mysql and have mode 0750, the PAM authentication plugin doesn't work otherwise.."
+ echo
+ fi
+ fi
diff --git a/mariadb-10.4.12-harden_setuid.patch b/mariadb-10.4.12-harden_setuid.patch
new file mode 100644
index 0000000..ea12170
--- /dev/null
+++ b/mariadb-10.4.12-harden_setuid.patch
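Review bot: The mode the check enforces and the mode the message demands disagree: `if test "$tool_ownership" != "root:root" -o "$tool_mode" != "4755"` rejects everything but 4755, while the echo that follows says `It must be owned by root:root and have mode 4750.`; the spec packages the tool with `%attr(4755,root,root)`, so the message is the wrong side and should read `echo "It must be owned by root:root and have mode 4755."`. The directory check hard-codes `root:mysql` although the surrounding script is parameterised by `$user` (the removed line was `chown $user ...`), so an installation with a different service account would warn on every run; `"root:$user"` keeps the old flexibility. `stat -c` is GNU-specific, acceptable for a SUSE-only patch but worth stating in a patch header, which this new file does not have at all, unlike the harden_setuid patch. The enclosing `if test -n "$user"` block starts before the hunk.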
@@ -0,0 +1,21 @@
+SUSE specific patch that hardens the auth_pam_tool setuid-root binary.
+Matthias Gerstner wants it as a prerequisite for allowing auth_pam_tool
+setuid-root binary in [bsc#1160285].
+
+Index: mariadb-10.4.12/plugin/auth_pam/auth_pam_base.c
+===================================================================
+--- mariadb-10.4.12.orig/plugin/auth_pam/auth_pam_base.c
++++ mariadb-10.4.12/plugin/auth_pam/auth_pam_base.c
+@@ -149,6 +149,12 @@ static int pam_auth_base(struct param *p
+ const char *service = info->auth_string && info->auth_string[0]
+ ? info->auth_string : "mysql";
+
++ if( strcmp(service, "mysql") != 0 )
++ {
++ PAM_DEBUG((stderr, "PAM: rejecting non-standard PAM service %s\n", service));
++ return CR_ERROR;
++ }
++
+ param->ptr = param->buf + 1;
+
+ PAM_DEBUG((stderr, "PAM: pam_start(%s, %s)\n", service, info->user_name));
diff --git a/mariadb-10.4.12.tar.gz b/mariadb-10.4.12.tar.gz
new file mode 100644
index 0000000..94f66ae
--- /dev/null
+++ b/mariadb-10.4.12.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fef1e1d38aa253dd8a51006bd15aad184912fce31c446bb69434fcde735aa208
+size 79120835
diff --git a/mariadb-10.4.12.tar.gz.sig b/mariadb-10.4.12.tar.gz.sig
new file mode 100644
index 0000000..06ca906
--- /dev/null
+++ b/mariadb-10.4.12.tar.gz.sig
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQQZk2nlQEvV/H0v5DvLywgqG7lD2wUCXi88fwAKCRDLywgqG7lD
+2yWlAJ0TS/HGlGiixf74yZZ7O7HBmnb9iACfUksIWM66twshntwTSGrE5llBw/g=
+=MmfV
+-----END PGP SIGNATURE-----
diff --git a/mariadb.changes b/mariadb.changes
index 334d2c9..f89c91e 100644
--- a/mariadb.changes
+++ b/mariadb.changes
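Review bot: A user whose auth string names a PAM service other than "mysql" is now refused with CR_ERROR, but the reason is printed only under PAM_DEBUG, so in a normal build the failure looks exactly like a wrong password and the operator has nothing to search for. If auth_pam_base.c is shared by the setuid tool and the in-server plugin variant, as the file name suggests, the restriction applies to both, which the patch header does not say; add a sentence to the header such as `Only the "mysql" PAM service is accepted; users created with IDENTIFIED VIA pam USING '<other service>' no longer authenticate.` and a comment above the check, `/* SUSE (bsc#1160285): refuse caller-chosen PAM services in the setuid helper */`. `strcmp` needs <string.h>; the hunk does not add it, so confirm it is already included in this file. pam_auth_base continues outside the hunk.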
@@ -1,3 +1,70 @@
+-------------------------------------------------------------------
+Tue Feb 4 10:53:34 UTC 2020 - matthias.gerstner@suse.com
+
+- rename mariadb-10.2.12-harden_setuid.patch to
+ mariadb-10.4.12-harden_setuid.patch to match the correct version number.
+- add mariadb-10.4.12-fix-install-db.patch to improve default behaviour of
+ mysql_install_db. This prevents performing security sensitive actions to
+ be performed but instead only warns the caller (bsc#1160868).
+
+-------------------------------------------------------------------
+Sun Feb 2 21:53:07 UTC 2020 - Kristyna Streitova
+
+- update to 10.4.12
+ * release notes and changelog:
+ https://mariadb.com/kb/en/library/mariadb-10412-release-notes
+ https://mariadb.com/kb/en/library/mariadb-10412-changelog
+ https://mariadb.com/kb/en/library/mariadb-10411-release-notes
+ https://mariadb.com/kb/en/library/mariadb-10411-changelog
+ * fixes for the following security vulnerabilities:
+ CVE-2020-2574
+ * don't let mysql_install_db set SUID bit for auth_pam_tool
+ in rpm/deb packages CVE-2020-7221 [bsc#1160868]
+- add mariadb-10.2.12-harden_setuid.patch to harden auth_pam_tool
+ setuid-root binary [bsc#1160285]
+- pack pam_user_map.so module in the /%{_lib}/security directory
+ and user_map.conf configuration file in the /etc/security directory
+- fix race condition with mysql_upgrade_info status file by moving
+ it to the location owned by root (/var/lib/misc) CVE-2019-18901
+ [bsc#1160895]
+- move .run-mysql_upgrade file from $datadir/.run-mysql_upgrade
+ to /var/lib/misc/.mariadb_run_upgrade so the mysql user can't
+ use it for a symlink attack [bsc#1160912]
+- change -DWITH_COMMENT and -DCOMPILATION_COMMENT to be
+ SUSE/openSUSE independent
+
+-------------------------------------------------------------------
+Fri Jan 24 17:02:52 UTC 2020 - Kristyna Streitova
+
+- enhance mariadb.service and mariadb@.service with various options
+ (Documentation=, User=, Group=, KillSignal=, SendSIGKILL=,
+ Restart=, RestartSec=, CapabilityBoundingSet=, ProtectSystem=,
+ ProtectHome=, PermissionsStartOnly= and UMask=) [bsc#1160878]
+- mysql-systemd-helper: use systemd-tmpfiles instead of shell
+ script operations for a cleaner and safer creating of /run/mysql
+ [bsc#1160883]
+
+-------------------------------------------------------------------
+Fri Jan 3 13:31:34 UTC 2020 - Kristyna Streitova
+
+- update to 10.4.10
+ * changes and improvements for 10.4
+ https://mariadb.com/kb/en/changes-improvements-in-mariadb-104/
+ * fixes for the following security vulnerabilities: none
+- pack mariadb variants of the mysql binaries (e.g. mariadb-dumpslow
+ is a symlink to mysqldumpslow and the like)
+- refresh mariadb-10.2.4-fortify-and-O.patch
+- update suse_skipped_tests.list
+- _constraints: increase physicalmemory value
+- package auth_pam_tool setuid binary properly
+- add cracklib-password-check subpackage but do not build it right
+ now (cracklib-dict-full >= 2.9.0 is not available yet)
+- add rcmariadb compat link
+- add mariadb.rpmlintrc file
+- do not move my_safe_process to bindir but use rpmlint
+ arch-dependent-file-in-usr-share exception for it (this file
+ is used just for the testing and it doesn't have to be in bindir
+
 -------------------------------------------------------------------
 Thu Dec 5 10:41:56 UTC 2019 - pgajdos@suse.com
diff --git a/mariadb.rpmlintrc b/mariadb.rpmlintrc
new file mode 100644
index 0000000..12a88dc
--- /dev/null
+++ b/mariadb.rpmlintrc
@@ -0,0 +1,21 @@
+# This file contains a list of exceptions for rpmlint checker
+
+# Zero-length
+# Some test results can be zero-length files
+addFilter(r'(zero-length|pem-certificate) /usr/share/mysql-test/*')
+
+# Permissions
+# wsrep_sst_common
+# It contains a parser of arguments for other sst scripts.
+# It is meant to be sourced, not to be executed alone.
+# So it correctly does not have shebang nor executable bit.
+addFilter(r'non-executable-in-bin /usr/bin/wsrep_sst_common 644')
+addFilter(r'script-without-shebang /usr/bin/wsrep_sst_common')
+
+# Wrong location
+# wsrep_check_version is a wsrep version check utility. Used in testing only.
+addFilter(r'arch-dependent-file-in-usr-share .* /usr/share/mysql-test/lib/My/SafeProcess/wsrep_check_version')
+# my_safe_process is an utility that encapsulates process creation, monitoring and cleanup. Used in testing only.
+addFilter(r'arch-dependent-file-in-usr-share .* /usr/share/mysql-test/lib/My/SafeProcess/my_safe_process')
+# pam_mariadb_mtr.so is a pam module to test pam authentication plugin. Used in pam.test only.
+addFilter(r'arch-dependent-file-in-usr-share .* /usr/share/mysql-test/suite/plugins/pam/pam_mariadb_mtr.so')
diff --git a/mariadb.service b/mariadb.service
index 924f805..1ef7e86 100644
--- a/mariadb.service
+++ b/mariadb.service
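Review bot: The first filter's path, `(zero-length|pem-certificate) /usr/share/mysql-test/*`, is a glob written as a regex: `/*` means "zero or more slashes", so the entry only works because rpmlint appears to match filters unanchored, not because the wildcard does what it says; `/usr/share/mysql-test/.*` states the intent and matches the `.*` form the arch-dependent-file filters below already use. The two wsrep_sst_common filters would also benefit from a one-line reference to the bug or review that accepted the exception, as is done in the changes file for the my_safe_process entry.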
@@ -20,21 +20,53 @@
 # EOF
 [Unit]
-Description=MySQL server
+Description=MariaDB @VERSION@ database server
+Documentation=man:mysqld(8)
+Documentation=https://mariadb.com/kb/en/library/systemd/
 Wants=basic.target
 Conflicts=mariadb.target
 After=basic.target network.target
+[Install]
+WantedBy=multi-user.target
+Alias=mysql.service
+
 [Service]
-Restart=on-abort
-Type=notify
 ExecStartPre=/usr/lib/mysql/mysql-systemd-helper install
 ExecStartPre=/usr/lib/mysql/mysql-systemd-helper upgrade
 ExecStart=/usr/lib/mysql/mysql-systemd-helper start
+Type=notify
+User=mysql
+Group=mysql
+
+KillSignal=SIGTERM
+
+# Don't want to see an automated SIGKILL ever
+SendSIGKILL=no
+
+# Restart crashed server only, on-failure would also restart, for example, when
+# my.cnf contains unknown option
+Restart=on-abort
+RestartSec=5s
+
 # Configures the time to wait for start-up/stop
 TimeoutSec=300
-[Install]
-WantedBy=multi-user.target
-Alias=mysql.service
+# CAP_IPC_LOCK To allow memlock to be used as non-root user
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# Prevent writes to /usr, /boot, and /etc
+ProtectSystem=full
+
+# Prevent accessing /home, /root and /run/user
+ProtectHome=true
+
+# Execute pre and post scripts as root, otherwise it does it as User=
+PermissionsStartOnly=true
+
+UMask=007
+
diff --git a/mariadb.spec b/mariadb.spec
index 64860ad..7e057ee 100644
--- a/mariadb.spec
+++ b/mariadb.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package mariadb
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
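Review bot: `ProtectSystem=full` makes /etc read-only for every process of the unit, and `PermissionsStartOnly=true` only exempts the `ExecStartPre=` steps from `User=`/`Group=`, not from the file-system sandbox; the `upgrade` pre-step still runs `sed -i ... /etc/my.cnf` (see the mysql-systemd-helper hunk further down), so the first post-upgrade start under this unit is likely to fail on a read-only /etc — worth confirming with the upgrade marker in place. The narrow fix is `ReadWritePaths=/etc/my.cnf`; alternatively drop the deprecated `PermissionsStartOnly=` and use the `ExecStartPre=+/usr/lib/mysql/mysql-systemd-helper upgrade` prefix, which skips both the user switch and the sandboxing for that one command. The same hunk is repeated in mariadb@.service below and needs the same change. The `CAP_DAC_OVERRIDE` comment would be clearer if it said that keeping the capability in the bounding set is what lets the setuid auth_pam_tool obtain it after mysqld itself runs as the mysql user.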
@@ -49,12 +49,14 @@
 %endif
 # Define python interpreter version
 %if 0%{?suse_version} >= 1500
-%define python_path /usr/bin/python3
-%else
-%define python_path /usr/bin/python2
+%define python_path %{_bindir}/python3
+%else
+%define python_path %{_bindir}/python2
 %endif
+# Build with cracklib plugin when cracklib-dict-full >= 2.9.0 is available
+%define with_cracklib_plugin 0
 Name: mariadb
-Version: 10.3.20
+Version: 10.4.12
 Release: 0
 Summary: Server part of MariaDB
 License: SUSE-GPL-2.0-with-FLOSS-exception
@@ -73,11 +75,14 @@ Source17: mysql-systemd-helper
 Source18: mariadb@.service
 Source19: macros.mariadb-test
 Source50: suse_skipped_tests.list
+Source51: mariadb.rpmlintrc
 Patch1: mariadb-10.2.4-logrotate.patch
 Patch3: mariadb-10.1.1-mysqld_multi-features.patch
 Patch7: mariadb-10.0.15-logrotate-su.patch
 Patch8: mariadb-10.2.4-fortify-and-O.patch
 Patch9: mariadb-10.2.19-link-and-enable-c++11-atomics.patch
+Patch10: mariadb-10.4.12-harden_setuid.patch
+Patch11: mariadb-10.4.12-fix-install-db.patch
 # needed for bison SQL parser and wsrep API
 BuildRequires: bison
 BuildRequires: cmake
@@ -141,6 +146,7 @@ Requires: /bin/hostname
 Requires: perl-base
 # myrocks_hotbackup needs MySQLdb - if we want to use it under python3, we need python3-mysqlclient
 Requires: python3-mysqlclient
+Requires(post): permissions
 Requires(pre): shadow
 Recommends: logrotate
 Conflicts: mariadb-server
@@ -332,6 +338,22 @@ Obsoletes: mysql-tools < %{version}
 A set of scripts for administering a MariaDB or developing applications with MariaDB.
+%if 0%{with_cracklib_plugin} > 0
+%package cracklib-password-check
+Summary: The password strength checking plugin
+BuildRequires: cracklib-devel >= 2.9.0
+BuildRequires: cracklib-dict-small >= 2.9.0
+Requires: %{name} = %{version}
+Requires: cracklib-dict-small >= 2.9.0
+
+%description cracklib-password-check
+cracklib_password_check is a password validation plugin. It uses the CrackLib
+library to check the strength of new passwords. CrackLib is installed by default
+in many Linux distributions, since the system's PAM authentication framework is
+usually configured to check the strength of new passwords with the pam_cracklib
+PAM module.
+%endif
+
 %prep
 %setup -q
 # Remove JAR files from the tarball (used for testing from the source)
@@ -341,6 +363,8 @@ find . -name "*.jar" -type f -exec rm --verbose -f {} \;
 %patch7
 %patch8
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
 cp %{_sourcedir}/suse-test-run .
@@ -399,7 +423,7 @@ export CXXFLAGS="$CFLAGS -felide-constructors"
     -DMYSQL_UNIX_ADDR="%{_rundir}/mysql/mysql.sock" \
     -DINSTALL_UNIX_ADDRDIR="%{_rundir}/mysql/mysql.sock" \
     -DINSTALL_MYSQLSHAREDIR=share/%{name} \
-    -DWITH_COMMENT="openSUSE mariadb rpm" \
+    -DWITH_COMMENT="MariaDB rpm" \
     -DWITH_EXTRA_CHARSET=all \
     -DDEFAULT_CHARSET=utf8mb4 \
     -DDEFAULT_COLLATION=utf8mb4_general_ci \
@@ -427,7 +451,7 @@ export CXXFLAGS="$CFLAGS -felide-constructors"
     -DWITH_INNODB_DISALLOW_WRITES=1 \
     -DWITH_LIBARCHIVE=ON \
     -DWITH_MARIABACKUP=ON \
-    -DCOMPILATION_COMMENT="openSUSE package" \
+    -DCOMPILATION_COMMENT="MariaDB package" \
     -DDENABLE_DOWNLOADS=false \
     -DINSTALL_PLUGINDIR_RPM="%{_lib}/mysql/plugin" \
     -DINSTALL_LIBDIR_RPM="%{_lib}" \
@@ -507,7 +531,7 @@ rm -f %{buildroot}%{_datadir}/mysql/mysql.server
 rm -f %{buildroot}%{_datadir}/mysql/mysqld_multi.server
 # The old fork of mytop utility (we ship it as a separate package)
 rm -f %{buildroot}%{_bindir}/mytop
-# xtrabackup is not supported for MariaDB 10.3
+# xtrabackup is not supported for MariaDB >= 10.3
 rm -f %{buildroot}%{_bindir}/wsrep_sst_xtrabackup-v2
 rm -f %{buildroot}%{_bindir}/wsrep_sst_xtrabackup
@@ -537,19 +561,15 @@ rm %{buildroot}%{_datadir}/aclocal/mysql.m4
 rm %{buildroot}%{_mandir}/man1/mysql_config*.1*
 rm -r %{buildroot}%{_includedir}/mysql
-# mysql-test includes my_safe_process executable that should be moved to /usr/bin
-mv %{buildroot}%{_datadir}/mysql-test/lib/My/SafeProcess/my_safe_process %{buildroot}%{_bindir}
-ln -s ../../../../../bin/my_safe_process %{buildroot}%{_datadir}/mysql-test/lib/My/SafeProcess/my_safe_process
-
 # Rename the wsrep README so it corresponds with the other README names
 cp Docs/README-wsrep Docs/README.wsrep
 # Generate various filelists (binaries and manpages)
 # mariadb.files
-filelist mariabackup mbstream innochecksum mariadb-service-convert my_print_defaults myisam_ftdump myisamchk myisamlog myisampack mysql_fix_extensions mysql_install_db mysql_secure_installation mysql_upgrade mysqld mysqld_multi mysqld_safe mysqlbinlog mysqldumpslow resolve_stack_dump resolveip {m,}aria_chk {m,}aria_dump_log {m,}aria_ftdump {m,}aria_pack {m,}aria_read_log tokuft_logprint tokuft_logdump tokuftdump mysql_ldb sst_dump myrocks_hotbackup >mariadb.files
+filelist mariabackup mariadb-backup mbstream innochecksum mariadb-service-convert my_print_defaults myisam_ftdump myisamchk myisamlog myisampack mysql_fix_extensions mariadb-fix-extensions mysql_install_db mariadb-install-db mysql_secure_installation mariadb-secure-installation mysql_upgrade mariadb-upgrade mysqld mariadbd mysqld_multi mariadbd-multi mysqld_safe mariadbd-safe mysqlbinlog mariadb-binlog mysqldumpslow mariadb-dumpslow resolve_stack_dump resolveip {m,}aria_chk {m,}aria_dump_log {m,}aria_ftdump {m,}aria_pack {m,}aria_read_log tokuft_logprint tokuft_logdump tokuftdump mysql_ldb mariadb-ldb sst_dump myrocks_hotbackup >mariadb.files
 # mariadb-client.files
-filelist mysql mysqladmin mysqlcheck mysqldump mysqlimport mysqlshow mysql_config_editor mysqld_safe_helper >mariadb-client.files
+filelist mysql mariadb mysqladmin mariadb-admin mysqlcheck mariadb-check mysqldump mariadb-dump mysqlimport mariadb-import mysqlshow mariadb-show mysql_config_editor mysqld_safe_helper mariadbd-safe-helper mariadb-client-test >mariadb-client.files
 # Mysql has configuration file in _bindir
 if [ -f scripts/mysqlaccess.conf ] ; then
@@ -562,13 +582,13 @@ fi
 filelist galera_new_cluster galera_recovery wsrep_sst_common wsrep_sst_mariabackup wsrep_sst_mysqldump wsrep_sst_rsync wsrep_sst_rsync_wan >mariadb-galera.files
 # mariadb-bench.files
-filelist mysqlslap >mariadb-bench.files
+filelist mysqlslap mariadb-slap >mariadb-bench.files
 # mariadb-test.files
-filelist mysql_client_test mysql_client_test_embedded mysql_waitpid mysqltest mysqltest_embedded >mariadb-test.files
+filelist mysql_client_test mysql_client_test_embedded mariadb-client-test-embedded mysql_waitpid mariadb-waitpid mysqltest mariadb-test mysqltest_embedded mariadb-test-embedded >mariadb-test.files
 # mariadb-tools.files
-filelist msql2mysql mysql_plugin mysql_convert_table_format mysql_find_rows mysql_setpermission mysql_tzinfo_to_sql mysqlaccess mysqlhotcopy perror replace mysql_embedded >mariadb-tools.files
+filelist msql2mysql mysql_plugin mariadb-plugin mysql_convert_table_format mariadb-convert-table-format mysql_find_rows mariadb-find-rows mysql_setpermission mariadb-setpermission mysql_tzinfo_to_sql mariadb-tzinfo-to-sql mysqlaccess mariadb-access mysqlhotcopy mariadb-hotcopy perror replace mysql_embedded mariadb-embedded >mariadb-tools.files
 # All configuration files
 echo '%{_datadir}/mysql/*.cnf' >> mariadb.files
@@ -601,6 +621,7 @@ install -m 664 %{SOURCE14} %{buildroot}%{_sysconfdir}/my.cnf
 install -D -m 755 %{_sourcedir}/mysql-systemd-helper '%{buildroot}'%{_libexecdir}/mysql/mysql-systemd-helper
 sed -i 's|@MYSQLVER@|%{version}|' '%{buildroot}'%{_libexecdir}/mysql/mysql-systemd-helper
 ln -sf service '%{buildroot}'%{_sbindir}/rcmysql
+ln -sf service '%{buildroot}'%{_sbindir}/rcmariadb
 rm -rf '%{buildroot}'%{_sysconfdir}/init.d
 install -D -m 644 %{_sourcedir}/mariadb.service '%{buildroot}'%{_unitdir}/mariadb.service
 install -D -m 644 %{_sourcedir}/mariadb@.service '%{buildroot}'%{_unitdir}/mariadb@.service
@@ -663,13 +684,18 @@ mkdir -p '%{buildroot}'%{_localstatedir}/lib/mysql-files
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
 install -m 644 %{SOURCE19} %{buildroot}%{_rpmconfigdir}/macros.d
+# install pam_user_map.so to /lib64/security for non 32bit architectures
+%ifnarch i586 %{arm}
+mkdir -p %{buildroot}/%{_lib}/security
+mv %{buildroot}/lib/security/pam_user_map.so %{buildroot}/%{_lib}/security/
+%endif
 %check
 cd build
 # Run an extensive mysql test suite
-# If 0%{ignore_testsuite_result} == 1 then run all tests but ignore failures
-# If 0%{ignore_testsuite_result} == 0 then skip tests listed in unstable-tests
+# If ignore_testsuite_result == 1 then run all tests but ignore failures
+# If ignore_testsuite_result == 0 then skip tests listed in unstable-tests
 # (contains suse_skipped_tests.list) and don't ignore failures
 %if 0%{run_testsuite} > 0
@@ -716,6 +742,8 @@ getent passwd mysql | cut -d: -f7 | grep '\b/bin/false\b' &>/dev/null || usermod
 %service_add_post mariadb.service
 %tmpfiles_create %{_tmpfilesdir}/mariadb.conf
+%set_permissions %{_libdir}/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
+
 # SLE11 Migration support
 for i in protected tmp; do
 rmdir "$datadir"/.$i 2>/dev/null || :
@@ -737,14 +765,25 @@ Your configuration was left intact and you can see the new configuration in
 EOF
 fi
-# Warn on first run
+# Decide if the upgrade is needed
 datadir="`%{_bindir}/my_print_defaults mysqld mysql_server | sed -n 's|--datadir=||p'`"
 [ -n "$datadir" ] || datadir="%{_localstatedir}/lib/mysql"
+
+# NOTE: .run-mysql_upgrade was moved and renamed to .mariadb_run_upgrade. Remove the old file and
+# create a new one if needed.
+rm -f "$datadir/.run-mysql_upgrade"
 if [ -d "$datadir/mysql" ]; then
- touch "$datadir/.run-mysql_upgrade"
- chmod 640 "$datadir/.run-mysql_upgrade"
+ touch "%{_localstatedir}/lib/misc/.mariadb_run_upgrade"
 fi
-if [ \! -f "$datadir/mysql_upgrade_info" ]; then
+
+# Manage showing of a README or upgrade messages
+# NOTE: mysql_upgrade_info was moved and renamed to mariadb_upgrade_info. Copy the content and remove it
+if [ -f "$datadir/mysql_upgrade_info" ]; then
+ cat "$datadir/mysql_upgrade_info" > "%{_localstatedir}/lib/misc/mariadb_upgrade_info"
+ rm -f "$datadir/mysql_upgrade_info"
+fi
+
+if [ \! -f "%{_localstatedir}/lib/misc/mariadb_upgrade_info" ]; then
 if [ $1 -eq 1 ]; then
 cat >> %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}-something << EOF
@@ -754,8 +793,8 @@ EOF
 fi
 else
 MYSQLVER="`echo %{version} | sed 's|\.[0-9]\+$||'`"
- if [ -f "$datadir/mysql_upgrade_info" ] && \
- [ -z "`grep "^$MYSQLVER" "$datadir/mysql_upgrade_info" 2> /dev/null`" ]; then
+ if [ -f "%{_localstatedir}/lib/misc/mariadb_upgrade_info" ] && \
+ [ -z "`grep "^$MYSQLVER" "%{_localstatedir}/lib/misc/mariadb_upgrade_info" 2> /dev/null`" ]; then
 cat >> %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}-something << EOF
 WARNING: You are upgrading from different stable version of MySQL!
@@ -769,6 +808,9 @@ EOF
 fi
 exit 0
+%verifyscript
+%verify_permissions %{_libdir}/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
+
 %preun
 %service_del_preun mariadb.service
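Review bot: `cat "$datadir/mysql_upgrade_info" > "%{_localstatedir}/lib/misc/mariadb_upgrade_info"` still reads, as root, a path inside the mysql-owned datadir, so the symlink problem the move addresses is only half closed: the write target is now in a root-owned directory, but the read source is whatever `$datadir/mysql_upgrade_info` resolves to, and its content lands in a root-owned file created with the default umask. Refuse symlinks and carry over only a version-shaped line, e.g. `if [ -f "$datadir/mysql_upgrade_info" ] && [ ! -L "$datadir/mysql_upgrade_info" ]; then` followed by `grep -m1 '^[0-9][0-9.]*$' "$datadir/mysql_upgrade_info" > "%{_localstatedir}/lib/misc/mariadb_upgrade_info"`, and consider restoring the `chmod 640` the removed lines applied. The new `touch "%{_localstatedir}/lib/misc/.mariadb_run_upgrade"` drops its `chmod 640` as well; that is harmless in a root-only directory, but a comment saying the directory is what protects these files would explain the omission to the next reader.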
@@ -783,6 +825,7 @@ exit 0
 %dir %attr(0755, root, mysql) %{_sysconfdir}/my.cnf.d
 %config(noreplace) %attr(0644, root, mysql) %{_sysconfdir}/my.cnf.d/*
 %exclude %{_sysconfdir}/my.cnf.d/50-galera.cnf
+%config(noreplace) %{_sysconfdir}/security/user_map.conf
 %config %{_sysconfdir}/logrotate.d/%{name}
 %doc %{_defaultdocdir}/%{name}
 %dir %{_libexecdir}/mysql
@@ -795,6 +838,7 @@ exit 0
 %{_unitdir}/mysql@.service
 %{_tmpfilesdir}/mariadb.conf
 %{_sbindir}/rcmysql
+%{_sbindir}/rcmariadb
 %dir %{_datadir}/%{name}
 %dir %{_datadir}/mysql
 %{_datadir}/%{name}/charsets/
@@ -805,6 +849,12 @@ exit 0
 %dir %{_libdir}/mysql/plugin
 %{_libdir}/mysql/plugin/*.so
 %exclude %{_libdir}/mysql/plugin/dialog*.so
+%if 0%{with_cracklib_plugin} > 0
+%exclude %{_libdir}/mysql/plugin/cracklib_password_check.so
+%endif
+/%{_lib}/security/pam_user_map.so
+%dir %attr(0750, root, mysql) %{_libdir}/mysql/plugin/auth_pam_tool_dir
+%verify(not mode) %attr(4755,root,root) %{_libdir}/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
 %ghost %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}-something
 %dir %attr(0750, mysql, mysql) %{_localstatedir}/lib/mysql-files
 %if 0%{with_mroonga} > 0
@@ -857,7 +907,6 @@ exit 0
 %{_datadir}/sql-bench
 %files test -f mariadb-test.files
-%{_bindir}/my_safe_process
 %{_bindir}/test-connect-t
 %{_mandir}/man1/my_safe_process.1%{?ext_man}
 %{_mandir}/man1/mysql-test-run.pl.1%{?ext_man}
@@ -872,4 +921,9 @@ exit 0
 %{_bindir}/mysqlanalyze
 %{_bindir}/mysqloptimize
+%if 0%{with_cracklib_plugin} > 0
+%files cracklib-password-check
+%{_libdir}/mysql/plugin/cracklib_password_check.so
+%endif
+
 %changelog
diff --git a/mariadb@.service b/mariadb@.service
index f442dc4..8fdd29e 100644
--- a/mariadb@.service
+++ b/mariadb@.service
@@ -20,21 +20,53 @@
 # EOF
 [Unit]
-Description=MySQL server - %I instance
+Description=MariaDB @VERSION@ database server - %I instance
+Documentation=man:mysqld(8)
+Documentation=https://mariadb.com/kb/en/library/systemd/
 Wants=basic.target
 PartOf=mariadb.target
 After=basic.target network.target
+[Install]
+WantedBy=multi-user.target
+Alias=mysql.service
+
 [Service]
-Restart=on-abort
-Type=notify
 ExecStartPre=/usr/lib/mysql/mysql-systemd-helper install %i
 ExecStartPre=/usr/lib/mysql/mysql-systemd-helper upgrade %i
 ExecStart=/usr/lib/mysql/mysql-systemd-helper start %i
+Type=notify
+User=mysql
+Group=mysql
+
+KillSignal=SIGTERM
+
+# Don't want to see an automated SIGKILL ever
+SendSIGKILL=no
+
+# Restart crashed server only, on-failure would also restart, for example, when
+# my.cnf contains unknown option
+Restart=on-abort
+RestartSec=5s
+
 # Configures the time to wait for start-up/stop
 TimeoutSec=300
-[Install]
-WantedBy=multi-user.target
-Alias=mysql.service
+# CAP_IPC_LOCK To allow memlock to be used as non-root user
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# Prevent writes to /usr, /boot, and /etc
+ProtectSystem=full
+
+# Prevent accessing /home, /root and /run/user
+ProtectHome=true
+
+# Execute pre and post scripts as root, otherwise it does it as User=
+PermissionsStartOnly=true
+
+UMask=007
+
diff --git a/mysql-systemd-helper b/mysql-systemd-helper
index 7676af2..2859307 100644
--- a/mysql-systemd-helper
+++ b/mysql-systemd-helper
@@ -10,6 +10,9 @@ read_config() {
 MYSQLVER="$(echo @MYSQLVER@ | sed 's|\.[0-9]\+$||')"
 mysql_daemon_user=mysql
 mysql_daemon_group=mysql
+ # status information directory (e.g. info about a necessity of upgrade, current version etc)
+ mariadb_status_dir="/var/lib/misc"
+
 if [[ -z "$INSTANCE" ]]; then
 datadir=/var/lib/mysql
 socket="/run/mysql/mysql.sock"
@@ -54,8 +57,7 @@ mysql_install() {
 echo "Creating MySQL privilege database... "
 mysql_install_db --rpm --user="$mysql_daemon_user" --datadir="$datadir" || \
 die "Creation of MySQL database in $datadir failed"
- echo -n "$MYSQLVER" > "$datadir"/mysql_upgrade_info
- chmod 640 "$datadir/mysql_upgrade_info"
+ echo -n "$MYSQLVER" > "$mariadb_status_dir"/mariadb_upgrade_info
 fi
 }
@@ -63,7 +65,7 @@ mysql_install() {
 mysql_upgrade() {
 # Run mysql_upgrade on every package install/upgrade. Not always
 # necessary, but doesn't do any harm.
- if [[ -f "$datadir/.run-mysql_upgrade" ]]; then
+ if [[ -f "$mariadb_status_dir/.mariadb_run_upgrade" ]]; then
 echo "Checking MySQL configuration for obsolete options..."
 sed -i -e 's|^\([[:blank:]]*\)skip-locking|\1skip-external-locking|' \
     -e 's|^\([[:blank:]]*skip-federated\)|#\1|' /etc/my.cnf
@@ -116,10 +118,9 @@ mysql_upgrade() {
 if /usr/bin/mysql_upgrade --no-defaults --force --socket="$protected/mysql.sock"; then
 echo "Everything upgraded successfully"
 up_ok=""
- rm -f "$datadir/.run-mysql_upgrade"
- [[ $(grep -q "^$MYSQLVER" "$datadir/mysql_upgrade_info" 2> /dev/null) ]] || \
- echo -n "$MYSQLVER" > "$datadir/mysql_upgrade_info"
- chmod 640 "$datadir/mysql_upgrade_info"
+ rm -f "$mariadb_status_dir/.mariadb_run_upgrade"
+ [[ $(grep -q "^$MYSQLVER" "$mariadb_status_dir/mariadb_upgrade_info" 2> /dev/null) ]] || \
+ echo -n "$MYSQLVER" > "$mariadb_status_dir/mariadb_upgrade_info"
 else
 echo "Upgrade failed"
 up_ok="false"
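Review bot: The version check on the new line `[[ $(grep -q "^$MYSQLVER" "$mariadb_status_dir/mariadb_upgrade_info" 2> /dev/null) ]] || \` can never be true: `grep -q` prints nothing, so the command substitution is always empty and `[[ ]]` on an empty string is false, which means mariadb_upgrade_info is rewritten after every successful upgrade regardless of its content. Test grep's exit status instead: `grep -q "^$MYSQLVER" "$mariadb_status_dir/mariadb_upgrade_info" 2> /dev/null || \`. The defect is inherited from the removed line, but the commit is already rewriting it. With both `chmod 640` lines gone, the mode of the status files now comes from the caller's umask (the new unit sets `UMask=007`); a comment at `mariadb_status_dir=` saying that the directory is root-owned and the files rely on that rather than on their own mode would save the next reader the search. mysql_upgrade() continues outside the hunk.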
@@ -178,10 +179,8 @@ LC_ALL=C
 INSTANCE="$2"
 read_config
-mkdir -p /run/mysql
-# fix permissions for /run/mysql (bsc#1038740)
-chmod 755 /run/mysql
-chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" /run/mysql
+# Make sure that /run/mysql is created and has correct permissions (bsc#1038740)
+systemd-tmpfiles --create /usr/lib/tmpfiles.d/mariadb.conf
 case "$1" in
 install) mysql_install ;;
diff --git a/suse_skipped_tests.list b/suse_skipped_tests.list
index 9f0a555..2841291 100644
--- a/suse_skipped_tests.list
+++ b/suse_skipped_tests.list
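Review bot: `systemd-tmpfiles --create /usr/lib/tmpfiles.d/mariadb.conf` sits before `case "$1" in`, so it runs for every action including `start`, which the new unit executes as `User=mysql`; the removed `mkdir`/`chown` sequence had the same placement but always ran as root. An unprivileged tmpfiles run is presumably a no-op when /run/mysql already matches the entry and only a warning otherwise, but moving the call into the `install)` and `upgrade)` branches, or guarding it with `[[ $EUID -eq 0 ]] && systemd-tmpfiles --create /usr/lib/tmpfiles.d/mariadb.conf`, makes the intent explicit. The exit status is also ignored; `|| die "..."` would match how a mysql_install_db failure is handled earlier in the script. The script's main flow continues outside the hunk.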
@@ -17,16 +17,28 @@ rpl.rpl_row_img_blobs : all MDEV-13875
 rpl.rpl_row_img_eng_min : all MDEV-13875
 rpl.rpl_row_img_eng_noblob : all MDEV-13875
+# The tests of plugins we don't build
+main.plugin_auth : since 10.4.10 - all, we don't build mysql_clear_password plugin
+plugins.auth_ed25519 : since 10.4.10 - all, we don't build client_ed25519 plugin
+plugins.multiauth : since 10.4.10 - all, we don't build client_ed25519 plugin
+
 #----------------------------------------------------------------
 # Needs to be investigated (issues trackers will be added)
 sys_vars.slave_parallel_threads_basic : since 10.3.16 - x86_64, i386, s390x, armv7l, aarch64, ppc64, ppc64le
-rocksdb.2pc_group_commit : since 10.3.16 - x86_64 MDEV-14455
-rocksdb.read_only_tx : since 10.3.16 - x86_64 rocksdb tests are considered unstable
-rocksdb.shutdown : since 10.3.16 - x86_64 rocksdb tests are considered unstable
-rocksdb.index_merge_rocksdb : since 10.3.16 - x86_64 rocksdb tests are considered unstable
-rocksdb_rpl.mdev12179 : since 10.3.16 - x86_64 MDEV-16632
 main.gis_notembedded : since 10.3.16 - x86_64, i386, s390x, armv7l, aarch64, ppc64, ppc64le
 versioning.partition : since 10.3.16 - armv7l
 innodb.innodb-page_compression_lzma : since 10.3.20 - armv7l
-
+rpl.rpl_ip_mix : since 10.4.10 - all
+rpl.rpl_ip_mix2 : since 10.4.10 - all
+rpl.rpl_ipv4_as_ipv6 : since 10.4.10 - all
+rpl.rpl_ipv6 : since 10.4.10 - all
+perfschema.socket_instances_func : since 10.4.10 - all
+main.ipv4_and_ipv6 : since 10.4.10 - all
+main.ipv4_as_ipv6 : since 10.4.10 - all
+main.ipv6 : since 10.4.10 - all
+main.information_schema : since 10.4.10 - all
+main.system_mysql_db : since 10.4.10 - all
+main.gis_notembedded : since 10.4.10 - all
+funcs_1.is_columns_mysql : since 10.4.10 - all
+sys_vars.tcp_nodelay : since 10.4.10 - all
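Review bot: `main.gis_notembedded` is now listed twice: the context line `main.gis_notembedded : since 10.3.16 - x86_64, i386, s390x, armv7l, aarch64, ppc64, ppc64le` stays and `+main.gis_notembedded : since 10.4.10 - all` is added, so which entry wins depends on the reader of this list. If the broader new entry is intended, remove the old one in the same hunk. The new IPv6 and information_schema entries carry no reason, unlike the plugin block above them; a short note after the arch list, in the style of the plugin entries, would help when they are revisited.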