MDEV-17456 Malicious SUPER user can possibly change audit log configuration without leaving traces.

Fix for the SET GLOBAL server_audit_loggin=on; added.

MDEV-17456 Malicious SUPER user can possibly change audit log configuration without leaving traces.
Fix for the SET GLOBAL server_audit_loggin=on; added.
d4e9a50e · Alexey Botchkov · 395ce1dc · d4e9a50e · d4e9a50e
Commit d4e9a50e authored May 19, 2019 by Alexey Botchkov
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 6 deletions

mysql-test/suite/plugins/r/server_audit.result mysql-test/suite/plugins/r/server_audit.result +2 -0

plugin/server_audit/server_audit.c plugin/server_audit/server_audit.c +9 -6

No files found.
--- a/mysql-test/suite/plugins/r/server_audit.result
+++ b/mysql-test/suite/plugins/r/server_audit.result
@@ -271,6 +271,7 @@ TIME,HOSTNAME,root,localhost,ID,0,CONNECT,mysql,,0
 TIME,HOSTNAME,root,localhost,ID,0,DISCONNECT,mysql,,0
 TIME,HOSTNAME,no_such_user,localhost,ID,0,FAILED_CONNECT,,,ID
 TIME,HOSTNAME,no_such_user,localhost,ID,0,DISCONNECT,,,0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'set global server_audit_incl_users=\'odin, dva, tri\'',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'set global server_audit_incl_users=\'odin, root, dva, tri\'',0
 TIME,HOSTNAME,root,localhost,ID,ID,CREATE,test,t2,
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'create table t2 (id int)',0
@@ -381,6 +382,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY ***
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'drop user u1, u2, u3',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'insert into t1 values (1), (2)',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_logging= off',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_logging= on',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global serv',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select (1), (2)',0

--- a/plugin/server_audit/server_audit.c
+++ b/plugin/server_audit/server_audit.c
@@ -15,7 +15,7 @@


 #define PLUGIN_VERSION 0x104
-#define PLUGIN_STR_VERSION "1.4.5"
+#define PLUGIN_STR_VERSION "1.4.6"

 #define _my_thread_var loc_thread_var

@@ -2022,10 +2022,14 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
  update_connection_info(cn, event_class, ev, &after_action);

  if (!logging)
+  {
+    if (cn)
+      cn->log_always= 0;
    goto exit_func;
+  }

  if (event_class == MYSQL_AUDIT_GENERAL_CLASS && FILTER(EVENT_QUERY) &&
-      cn && do_log_user(cn->user))
+      cn && (cn->log_always || do_log_user(cn->user)))
  {
    const struct mysql_event_general *event =
      (const struct mysql_event_general *) ev;
@@ -2038,6 +2042,7 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
    {
      log_statement(cn, event, "QUERY");
      cn->query_length= 0; /* So the log_current_query() won't log this again. */
+      cn->log_always= 0;
    }
  }
  else if (event_class == MYSQL_AUDIT_TABLE_CLASS && FILTER(EVENT_TABLE) && cn)
@@ -2108,8 +2113,6 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
      break;
    }
  }
-  if (cn)
-    cn->log_always= 0;
  flogger_mutex_unlock(&lock_operations);
 }

@@ -2553,8 +2556,7 @@ static void log_current_query(MYSQL_THD thd)
  if (!thd)
    return;
  cn= get_loc_info(thd);
-  if (!ci_needs_setup(cn) && cn->query_length &&
-      FILTER(EVENT_QUERY) && do_log_user(cn->user))
+  if (!ci_needs_setup(cn) && cn->query_length)
  {
    cn->log_always= 1;
    log_statement_ex(cn, cn->query_time, thd_get_thread_id(thd),
@@ -2814,6 +2816,7 @@ static void update_logging(MYSQL_THD thd,
    {
      CLIENT_ERROR(1, "Logging was disabled.", MYF(ME_JUST_WARNING));
    }
+    mark_always_logged(thd);
  }
  else
  {