Commit 461f754c authored by Tatiana A. Nurnberg's avatar Tatiana A. Nurnberg

Bug#43748: crash when non-super user tries to kill the replication threads

manual merge. also adds test specific to 5.1+

mysql-test/suite/rpl/r/rpl_temporary.result:
  show that a non-privileged user trying to
  kill system-threads no longer crashes the
  server. test in 5.1+ only.
mysql-test/suite/rpl/t/rpl_temporary.test:
  show that a non-privileged user trying to
  kill system-threads no longer crashes the
  server. test in 5.1+ only.
sql/sql_class.cc:
  manual merge
sql/sql_class.h:
  manual merge
sql/sql_parse.cc:
  manual merge
parents 6df3b6fe eeef9467
...@@ -108,3 +108,13 @@ select * from t1; ...@@ -108,3 +108,13 @@ select * from t1;
a a
1 1
drop table t1; drop table t1;
Bug#43748
make a non-privileged user on slave.
FLUSH PRIVILEGES;
GRANT USAGE ON *.* TO user43748@127.0.0.1 IDENTIFIED BY 'meow';
try to KILL system-thread as non-privileged user.
KILL `select id from information_schema.processlist where command='Binlog Dump'`;
ERROR HY000: You are not owner of thread `select id from information_schema.processlist where command='Binlog Dump'`
throw out test-user on slave.
DROP USER user43748@127.0.0.1;
done. back to master.
...@@ -222,4 +222,42 @@ drop table t1; ...@@ -222,4 +222,42 @@ drop table t1;
# Delete the anonymous users # Delete the anonymous users
source include/delete_anonymous_users.inc; source include/delete_anonymous_users.inc;
#
# Bug#43748: crash when non-super user tries to kill the replication threads
#
--echo Bug#43748
connection slave;
--echo make a non-privileged user on slave.
FLUSH PRIVILEGES;
GRANT USAGE ON *.* TO user43748@127.0.0.1 IDENTIFIED BY 'meow';
let $id = `SELECT id FROM information_schema.processlist WHERE user='system user' LIMIT 1`;
connect (cont43748,127.0.0.1,user43748,meow,test,$SLAVE_MYPORT,);
connection cont43748;
--echo try to KILL system-thread as non-privileged user.
--replace_result $id "`select id from information_schema.processlist where command='Binlog Dump'`"
--error ER_KILL_DENIED_ERROR
eval KILL $id;
disconnect cont43748;
connection slave;
--echo throw out test-user on slave.
DROP USER user43748@127.0.0.1;
connection master;
--echo done. back to master.
# End of tests # End of tests
...@@ -2805,6 +2805,14 @@ Security_context::restore_security_context(THD *thd, ...@@ -2805,6 +2805,14 @@ Security_context::restore_security_context(THD *thd,
} }
#endif #endif
bool Security_context::user_matches(Security_context *them)
{
return ((user != NULL) && (them->user != NULL) &&
!strcmp(user, them->user));
}
/**************************************************************************** /****************************************************************************
Handling of open and locked tables states. Handling of open and locked tables states.
......
...@@ -813,6 +813,7 @@ class Security_context { ...@@ -813,6 +813,7 @@ class Security_context {
void void
restore_security_context(THD *thd, Security_context *backup); restore_security_context(THD *thd, Security_context *backup);
#endif #endif
bool user_matches(Security_context *);
}; };
......
...@@ -6890,8 +6890,26 @@ uint kill_one_thread(THD *thd, ulong id, bool only_kill_query) ...@@ -6890,8 +6890,26 @@ uint kill_one_thread(THD *thd, ulong id, bool only_kill_query)
VOID(pthread_mutex_unlock(&LOCK_thread_count)); VOID(pthread_mutex_unlock(&LOCK_thread_count));
if (tmp) if (tmp)
{ {
/*
If we're SUPER, we can KILL anything, including system-threads.
No further checks.
KILLer: thd->security_ctx->user could in theory be NULL while
we're still in "unauthenticated" state. This is a theoretical
case (the code suggests this could happen, so we play it safe).
KILLee: tmp->security_ctx->user will be NULL for system threads.
We need to check so Jane Random User doesn't crash the server
when trying to kill a) system threads or b) unauthenticated users'
threads (Bug#43748).
If user of both killer and killee are non-NULL, proceed with
slayage if both are string-equal.
*/
if ((thd->security_ctx->master_access & SUPER_ACL) || if ((thd->security_ctx->master_access & SUPER_ACL) ||
!strcmp(thd->security_ctx->user, tmp->security_ctx->user)) thd->security_ctx->user_matches(tmp->security_ctx))
{ {
tmp->awake(only_kill_query ? THD::KILL_QUERY : THD::KILL_CONNECTION); tmp->awake(only_kill_query ? THD::KILL_QUERY : THD::KILL_CONNECTION);
error=0; error=0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment