Commit 0dcca07f authored by Mats Kindahl's avatar Mats Kindahl

Bug #39106:

SUPER is not required to change binlog format for session

A user without SUPER privileges can change the value of the
session variable BINLOG_FORMAT, causing problems for a DBA.

This changeset requires a user to have SUPER privileges to
change the value of the session variable BINLOG_FORMAT, and
not only the global variable BINLOG_FORMAT.


mysql-test/suite/binlog/t/binlog_grant.test:
  Adding test to test grants needed for SQL_LOG_BIN and BINLOG_FORMAT.
sql/set_var.cc:
  Adding code to check that user has SUPER permission
  needed to change the value of BINLOG_FORMAT.
sql/set_var.h:
  Adding function sys_var_thd_binlog_format::check()
parent 9c8af660
reset master;
set @saved_binlog_format = @@global.binlog_format;
create user mysqltest_1@localhost;
show grants for mysqltest_1@localhost;
Grants for mysqltest_1@localhost
GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost'
**** Variable SQL_LOG_BIN ****
[root]
set global sql_log_bin = 1;
ERROR HY000: Variable 'sql_log_bin' is a SESSION variable and can't be used with SET GLOBAL
set session sql_log_bin = 1;
[plain]
set global sql_log_bin = 1;
ERROR HY000: Variable 'sql_log_bin' is a SESSION variable and can't be used with SET GLOBAL
set session sql_log_bin = 1;
ERROR 42000: Access denied; you need the SUPER privilege for this operation
**** Variable BINLOG_FORMAT ****
[root]
set global binlog_format = row;
set session binlog_format = row;
[plain]
set global binlog_format = row;
ERROR 42000: Access denied; you need the SUPER privilege for this operation
set session binlog_format = row;
ERROR 42000: Access denied; you need the SUPER privilege for this operation
**** Clean up ****
set global binlog_format = @saved_binlog_format;
drop user mysqltest_1@localhost;
# Test grants for various objects (especially variables) related to
# the binary log
source include/have_log_bin.inc;
connection default;
--disable_warnings
reset master;
--enable_warnings
set @saved_binlog_format = @@global.binlog_format;
create user mysqltest_1@localhost;
show grants for mysqltest_1@localhost;
connect (plain,localhost,mysqltest_1,,test);
connect (root,localhost,root,,test);
# Testing setting both session and global SQL_LOG_BIN variable both as
# root and as plain user.
--echo **** Variable SQL_LOG_BIN ****
connection root;
--echo [root]
--error ER_LOCAL_VARIABLE
set global sql_log_bin = 1;
set session sql_log_bin = 1;
connection plain;
--echo [plain]
--error ER_LOCAL_VARIABLE
set global sql_log_bin = 1;
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
set session sql_log_bin = 1;
# Testing setting both session and global BINLOG_FORMAT variable both
# as root and as plain user.
--echo **** Variable BINLOG_FORMAT ****
connection root;
--echo [root]
set global binlog_format = row;
set session binlog_format = row;
connection plain;
--echo [plain]
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
set global binlog_format = row;
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
set session binlog_format = row;
--echo **** Clean up ****
disconnect plain;
disconnect root;
connection default;
set global binlog_format = @saved_binlog_format;
drop user mysqltest_1@localhost;
......@@ -1162,6 +1162,21 @@ void fix_slave_exec_mode(enum_var_type type)
bit_do_set(slave_exec_mode_options, SLAVE_EXEC_MODE_STRICT);
}
bool sys_var_thd_binlog_format::check(THD *thd, set_var *var) {
/*
All variables that affect writing to binary log (either format or
turning logging on and off) use the same checking. We call the
superclass ::check function to assign the variable correctly, and
then check the value.
*/
bool result= sys_var_thd_enum::check(thd, var);
if (!result)
result= check_log_update(thd, var);
return result;
}
bool sys_var_thd_binlog_format::is_readonly() const
{
/*
......
......@@ -1126,6 +1126,7 @@ class sys_var_thd_binlog_format :public sys_var_thd_enum
&binlog_format_typelib,
fix_binlog_format_after_update)
{};
bool check(THD *thd, set_var *var);
bool is_readonly() const;
};
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment