Commit bdf2c4de authored by Harin Vadodaria's avatar Harin Vadodaria

Bug #14211140: CRASH WHEN GRANTING OR REVOKING PROXY

               PRIVILEGES

Description: The (user,host) pair from the security context is used for
             privilege checking at the time of granting or
             revoking proxy privileges. This creates a problem
             when the server is started with the
             --skip-name-resolve option because host will not
             contain any value. Checks should depend on
             consistent values regardless of the way the server is
             started. Further, the privilege check should use the
             (priv_user,priv_host) pair rather than values
             obtained from the inbound connection because
             this pair represents the correct account context
             obtained from the mysql.user table.
parent 19976392
...@@ -124,17 +124,20 @@ ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost' ...@@ -124,17 +124,20 @@ ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
this should fail : not the same user this should fail : not the same user
GRANT PROXY ON grant_plug TO grant_plug_dest; GRANT PROXY ON grant_plug TO grant_plug_dest;
ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost' ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
this should fail : same user, but on a different host This is a valid grant
GRANT PROXY ON grant_plug_dest TO grant_plug; GRANT PROXY ON grant_plug_dest TO grant_plug;
ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost' REVOKE PROXY ON grant_plug_dest FROM grant_plug;
this should work : same user
GRANT PROXY ON grant_plug_dest@localhost TO grant_plug_dest2;
REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug_dest2;
this should work : same user this should work : same user
GRANT PROXY ON grant_plug_dest TO grant_plug_dest2;
REVOKE PROXY ON grant_plug_dest FROM grant_plug_dest2;
this should fail : not the same user
GRANT PROXY ON grant_plug_dest@localhost TO grant_plug WITH GRANT OPTION; GRANT PROXY ON grant_plug_dest@localhost TO grant_plug WITH GRANT OPTION;
ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
this should fail : not the same user
REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug; REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug;
ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
this should fail : can't create users this should fail : can't create users
GRANT PROXY ON grant_plug_dest@localhost TO grant_plug@localhost; GRANT PROXY ON grant_plug_dest TO grant_plug@localhost;
ERROR 42000: You are not allowed to create a user with GRANT ERROR 42000: You are not allowed to create a user with GRANT
in default connection in default connection
# test what root can grant # test what root can grant
...@@ -152,12 +155,12 @@ GRANT PROXY ON future_user TO grant_plug; ...@@ -152,12 +155,12 @@ GRANT PROXY ON future_user TO grant_plug;
in default connection in default connection
SHOW GRANTS FOR grant_plug; SHOW GRANTS FOR grant_plug;
Grants for grant_plug@% Grants for grant_plug@%
GRANT ALL PRIVILEGES ON *.* TO 'grant_plug'@'%' WITH GRANT OPTION GRANT ALL PRIVILEGES ON *.* TO 'grant_plug'@'%'
GRANT PROXY ON 'future_user'@'%' TO 'grant_plug'@'%' GRANT PROXY ON 'future_user'@'%' TO 'grant_plug'@'%'
REVOKE PROXY ON future_user FROM grant_plug; REVOKE PROXY ON future_user FROM grant_plug;
SHOW GRANTS FOR grant_plug; SHOW GRANTS FOR grant_plug;
Grants for grant_plug@% Grants for grant_plug@%
GRANT ALL PRIVILEGES ON *.* TO 'grant_plug'@'%' WITH GRANT OPTION GRANT ALL PRIVILEGES ON *.* TO 'grant_plug'@'%'
## testing drop user ## testing drop user
CREATE USER test_drop@localhost; CREATE USER test_drop@localhost;
GRANT PROXY ON future_user TO test_drop@localhost; GRANT PROXY ON future_user TO test_drop@localhost;
......
...@@ -179,21 +179,35 @@ GRANT PROXY ON ''@'' TO grant_plug; ...@@ -179,21 +179,35 @@ GRANT PROXY ON ''@'' TO grant_plug;
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR --error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
GRANT PROXY ON grant_plug TO grant_plug_dest; GRANT PROXY ON grant_plug TO grant_plug_dest;
--echo this should fail : same user, but on a different host # Security context in THD contains two pairs of (user,host)
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR # 1. (user,host) pair referring to inbound connection
# 2. (priv_user,priv_host) pair obtained from mysql.user table after doing
# authnetication of incoming connection.
# Granting/revoking proxy privileges, privileges should be checked wrt
# (priv_user, priv_host) tuple that is obtained from mysql.user table
# Following is a valid grant because effective user of connection is
# grant_plug_dest@% and statement is trying to grant proxy on the same
# user.
--echo This is a valid grant
GRANT PROXY ON grant_plug_dest TO grant_plug; GRANT PROXY ON grant_plug_dest TO grant_plug;
REVOKE PROXY ON grant_plug_dest FROM grant_plug;
--echo this should work : same user --echo this should work : same user
GRANT PROXY ON grant_plug_dest@localhost TO grant_plug_dest2; GRANT PROXY ON grant_plug_dest TO grant_plug_dest2;
REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug_dest2; REVOKE PROXY ON grant_plug_dest FROM grant_plug_dest2;
--echo this should work : same user # grant_plug_dest@localhost is not the same as grant_plug_dest@%
# so following grant/revoke should fail
--echo this should fail : not the same user
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
GRANT PROXY ON grant_plug_dest@localhost TO grant_plug WITH GRANT OPTION; GRANT PROXY ON grant_plug_dest@localhost TO grant_plug WITH GRANT OPTION;
--echo this should fail : not the same user
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug; REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug;
--echo this should fail : can't create users --echo this should fail : can't create users
--error ER_CANT_CREATE_USER_WITH_GRANT --error ER_CANT_CREATE_USER_WITH_GRANT
GRANT PROXY ON grant_plug_dest@localhost TO grant_plug@localhost; GRANT PROXY ON grant_plug_dest TO grant_plug@localhost;
connection default; connection default;
--echo in default connection --echo in default connection
......
...@@ -7256,14 +7256,25 @@ acl_check_proxy_grant_access(THD *thd, const char *host, const char *user, ...@@ -7256,14 +7256,25 @@ acl_check_proxy_grant_access(THD *thd, const char *host, const char *user,
DBUG_RETURN(FALSE); DBUG_RETURN(FALSE);
} }
/* one can grant proxy to himself to others */ /*
if (!strcmp(thd->security_ctx->user, user) && one can grant proxy for self to others.
Security context in THD contains two pairs of (user,host):
1. (user,host) pair referring to inbound connection.
2. (priv_user,priv_host) pair obtained from mysql.user table after doing
authnetication of incoming connection.
Privileges should be checked wrt (priv_user, priv_host) tuple, because
(user,host) pair obtained from inbound connection may have different
values than what is actually stored in mysql.user table and while granting
or revoking proxy privilege, user is expected to provide entries mentioned
in mysql.user table.
*/
if (!strcmp(thd->security_ctx->priv_user, user) &&
!my_strcasecmp(system_charset_info, host, !my_strcasecmp(system_charset_info, host,
thd->security_ctx->host)) thd->security_ctx->priv_host))
{ {
DBUG_PRINT("info", ("strcmp (%s, %s) my_casestrcmp (%s, %s) equal", DBUG_PRINT("info", ("strcmp (%s, %s) my_casestrcmp (%s, %s) equal",
thd->security_ctx->user, user, thd->security_ctx->priv_user, user,
host, thd->security_ctx->host)); host, thd->security_ctx->priv_host));
DBUG_RETURN(FALSE); DBUG_RETURN(FALSE);
} }
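Review bot: The self-grant check now passes `thd->security_ctx->priv_user` and `thd->security_ctx->priv_host` to `strcmp`, `my_strcasecmp` and the `%s` arguments of `DBUG_PRINT` with no guard visible in the hunk, and the crash this commit addresses appears to come from the same pattern applied to a `host` that held no value. If either member can be unset on any path that reaches this function, the failure returns, so the new comment should state the invariant it relies on, for example `priv_user and priv_host are always populated after authentication, regardless of --skip-name-resolve` if that holds, or the code should assert it before the comparison. Please also confirm the intended outcome for a proxied session, where priv_user presumably names the proxied account: such a session would now appear to satisfy the "grant proxy for self" test for that account, which widens who can delegate it unless that is the design. The comment misspells `authentication`, and `acl_check_proxy_grant_access` begins and ends outside the hunk.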
......