MDEV-18297 How to reset a forgotten root password

After FLUSH PRIVILEGES remember if the connection started under --skip-grant-tables and keep it all-powerful, not a lowly anonymous. One could use this connection to reset passwords as needed. Also fix a crash in SHOW CREATE USER

MDEV-18297 How to reset a forgotten root password
After FLUSH PRIVILEGES remember if the connection started under --skip-grant-tables and keep it all-powerful, not a lowly anonymous. One could use this connection to reset passwords as needed. Also fix a crash in SHOW CREATE USER
4386d935 · Sergei Golubchik · a94b20a8 · 4386d935 · 4386d935 · 4386d935
Commit 4386d935 authored Feb 19, 2019 by Sergei Golubchik
5 changed files
--- a/mysql-test/main/skip_grants.result
+++ b/mysql-test/main/skip_grants.result
 use test;
-DROP VIEW IF EXISTS v1;
-DROP VIEW IF EXISTS v2;
-DROP VIEW IF EXISTS v3;
-DROP TABLE IF EXISTS t1;
-DROP PROCEDURE IF EXISTS p1;
-DROP PROCEDURE IF EXISTS p2;
-DROP PROCEDURE IF EXISTS p3;
-DROP FUNCTION IF EXISTS f1;
-DROP FUNCTION IF EXISTS f2;
-DROP FUNCTION IF EXISTS f3;
 CREATE TABLE t1(c INT);
 CREATE TRIGGER t1_bi BEFORE INSERT ON t1
 FOR EACH ROW
@@ -95,3 +85,29 @@ Acl_role_grants	0
 Acl_roles	0
 Acl_table_grants	0
 Acl_users	0
+show create user root@localhost;
+ERROR HY000: The MariaDB server is running with the --skip-grant-tables option so it cannot execute this statement
+insert mysql.global_priv values ('foo', 'bar', '{}');
+insert mysql.global_priv values ('baz', 'baz', '{"plugin":"baz"}');
+set password for bar@foo = password("pass word");
+ERROR HY000: The MariaDB server is running with the --skip-grant-tables option so it cannot execute this statement
+flush privileges;
+show create user root@localhost;
+CREATE USER for root@localhost
+CREATE USER 'root'@'localhost'
+show create user bar@foo;
+CREATE USER for bar@foo
+CREATE USER 'bar'@'foo'
+show create user baz@baz;
+CREATE USER for baz@baz
+CREATE USER 'baz'@'baz' IDENTIFIED VIA baz
+set password for bar@foo = password("pass word");
+show create user bar@foo;
+CREATE USER for bar@foo
+CREATE USER 'bar'@'foo' IDENTIFIED BY PASSWORD '*EDBBEA7F4E7B5D8B0BC8D7AC5D1936FB7DA10611'
+alter user baz@baz identified with mysql_native_password as password("baz");
+show create user baz@baz;
+CREATE USER for baz@baz
+CREATE USER 'baz'@'baz' IDENTIFIED BY PASSWORD '*E52096EF8EB0240275A7FE9E069101C33F98CF07'
+drop user bar@foo;
+drop user baz@baz;
--- a/mysql-test/main/skip_grants.test
+++ b/mysql-test/main/skip_grants.test
@@ -15,26 +15,6 @@ use test;
 #   - BUG#13504: creation view with DEFINER clause if --skip-grant-tables
 #

-# Prepare.
-
--disable_warnings
-
-DROP VIEW IF EXISTS v1;
-DROP VIEW IF EXISTS v2;
-DROP VIEW IF EXISTS v3;
-
-DROP TABLE IF EXISTS t1;
-
-DROP PROCEDURE IF EXISTS p1;
-DROP PROCEDURE IF EXISTS p2;
-DROP PROCEDURE IF EXISTS p3;
-
-DROP FUNCTION IF EXISTS f1;
-DROP FUNCTION IF EXISTS f2;
-DROP FUNCTION IF EXISTS f3;
-
--enable_warnings
-
 # Test case.

 CREATE TABLE t1(c INT);
@@ -137,3 +117,26 @@ select no_such_function(1);
 # MDEV-8280 crash in 'show global status' with --skip-grant-tables
 #
 show global status like 'Acl%';
+
+#
+# MDEV-18297
+# How to reset a forgotten root password
+#
+--error ER_OPTION_PREVENTS_STATEMENT
+show create user root@localhost;
+insert mysql.global_priv values ('foo', 'bar', '{}');
+insert mysql.global_priv values ('baz', 'baz', '{"plugin":"baz"}');
+--error ER_OPTION_PREVENTS_STATEMENT
+set password for bar@foo = password("pass word");
+flush privileges;
+show create user root@localhost;
+show create user bar@foo;
+show create user baz@baz;
+set password for bar@foo = password("pass word");
+show create user bar@foo;
+alter user baz@baz identified with mysql_native_password as password("baz");
+show create user baz@baz;
+drop user bar@foo;
+drop user baz@baz;
+# need to restart the server to restore the --skip-grant state
+--source include/restart_mysqld.inc
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -2557,6 +2557,7 @@ static bool acl_load(THD *thd, const Grant_tables& tables)

  init_check_host();

+  thd->bootstrap= !initialized; // keep FLUSH PRIVILEGES connection special
  initialized=1;
  DBUG_RETURN(FALSE);
 }
@@ -8908,6 +8909,11 @@ bool mysql_show_create_user(THD *thd, LEX_USER *lex_user)
  uint head_length;
  DBUG_ENTER("mysql_show_create_user");

+  if (!initialized)
+  {
+    my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--skip-grant-tables");
+    DBUG_RETURN(TRUE);
+  }
  if (check_show_access(thd, lex_user, &username, &hostname, NULL))
    DBUG_RETURN(TRUE);


--- a/sql/sql_db.cc
+++ b/sql/sql_db.cc
@@ -882,7 +882,7 @@ mysql_rm_db_internal(THD *thd, const LEX_CSTRING *db, bool if_exists, bool silen
      lock_db_routines(thd, dbnorm))
    goto exit;

-  if (!thd->bootstrap && !rm_mysql_schema)
+  if (!rm_mysql_schema)
  {
    for (table= tables; table; table= table->next_local)
    {

--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -2098,16 +2098,13 @@ bool mysql_rm_table(THD *thd,TABLE_LIST *tables, bool if_exists,
      }
    }
    /* We remove statistics for table last, after we have the DDL lock */
-    if (!thd->bootstrap)
+    for (table= tables; table; table= table->next_local)
    {
-      for (table= tables; table; table= table->next_local)
-      {
-        LEX_CSTRING db_name= table->db;
-        LEX_CSTRING table_name= table->table_name;
-        if (table->open_type == OT_BASE_ONLY ||
-            !thd->find_temporary_table(table))
-          (void) delete_statistics_for_table(thd, &db_name, &table_name);
-      }
+      LEX_CSTRING db_name= table->db;
+      LEX_CSTRING table_name= table->table_name;
+      if (table->open_type == OT_BASE_ONLY ||
+          !thd->find_temporary_table(table))
+        (void) delete_statistics_for_table(thd, &db_name, &table_name);
    }
  }