Commit d4e9a50e authored by Alexey Botchkov's avatar Alexey Botchkov

MDEV-17456 Malicious SUPER user can possibly change audit log configuration without leaving traces.

Fix for the SET GLOBAL server_audit_loggin=on; added.
parent 395ce1dc
...@@ -271,6 +271,7 @@ TIME,HOSTNAME,root,localhost,ID,0,CONNECT,mysql,,0 ...@@ -271,6 +271,7 @@ TIME,HOSTNAME,root,localhost,ID,0,CONNECT,mysql,,0
TIME,HOSTNAME,root,localhost,ID,0,DISCONNECT,mysql,,0 TIME,HOSTNAME,root,localhost,ID,0,DISCONNECT,mysql,,0
TIME,HOSTNAME,no_such_user,localhost,ID,0,FAILED_CONNECT,,,ID TIME,HOSTNAME,no_such_user,localhost,ID,0,FAILED_CONNECT,,,ID
TIME,HOSTNAME,no_such_user,localhost,ID,0,DISCONNECT,,,0 TIME,HOSTNAME,no_such_user,localhost,ID,0,DISCONNECT,,,0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'set global server_audit_incl_users=\'odin, dva, tri\'',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'set global server_audit_incl_users=\'odin, root, dva, tri\'',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'set global server_audit_incl_users=\'odin, root, dva, tri\'',0
TIME,HOSTNAME,root,localhost,ID,ID,CREATE,test,t2, TIME,HOSTNAME,root,localhost,ID,ID,CREATE,test,t2,
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'create table t2 (id int)',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'create table t2 (id int)',0
...@@ -381,6 +382,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY *** ...@@ -381,6 +382,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY ***
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'drop user u1, u2, u3',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'drop user u1, u2, u3',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'insert into t1 values (1), (2)',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'insert into t1 values (1), (2)',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_logging= off',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_logging= off',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_logging= on',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global serv',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global serv',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select (1), (2)',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select (1), (2)',0
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
#define PLUGIN_VERSION 0x104 #define PLUGIN_VERSION 0x104
#define PLUGIN_STR_VERSION "1.4.5" #define PLUGIN_STR_VERSION "1.4.6"
#define _my_thread_var loc_thread_var #define _my_thread_var loc_thread_var
...@@ -2022,10 +2022,14 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev) ...@@ -2022,10 +2022,14 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
update_connection_info(cn, event_class, ev, &after_action); update_connection_info(cn, event_class, ev, &after_action);
if (!logging) if (!logging)
{
if (cn)
cn->log_always= 0;
goto exit_func; goto exit_func;
}
if (event_class == MYSQL_AUDIT_GENERAL_CLASS && FILTER(EVENT_QUERY) && if (event_class == MYSQL_AUDIT_GENERAL_CLASS && FILTER(EVENT_QUERY) &&
cn && do_log_user(cn->user)) cn && (cn->log_always || do_log_user(cn->user)))
{ {
const struct mysql_event_general *event = const struct mysql_event_general *event =
(const struct mysql_event_general *) ev; (const struct mysql_event_general *) ev;
...@@ -2038,6 +2042,7 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev) ...@@ -2038,6 +2042,7 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
{ {
log_statement(cn, event, "QUERY"); log_statement(cn, event, "QUERY");
cn->query_length= 0; /* So the log_current_query() won't log this again. */ cn->query_length= 0; /* So the log_current_query() won't log this again. */
cn->log_always= 0;
} }
} }
else if (event_class == MYSQL_AUDIT_TABLE_CLASS && FILTER(EVENT_TABLE) && cn) else if (event_class == MYSQL_AUDIT_TABLE_CLASS && FILTER(EVENT_TABLE) && cn)
...@@ -2108,8 +2113,6 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev) ...@@ -2108,8 +2113,6 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
break; break;
} }
} }
if (cn)
cn->log_always= 0;
flogger_mutex_unlock(&lock_operations); flogger_mutex_unlock(&lock_operations);
} }
...@@ -2553,8 +2556,7 @@ static void log_current_query(MYSQL_THD thd) ...@@ -2553,8 +2556,7 @@ static void log_current_query(MYSQL_THD thd)
if (!thd) if (!thd)
return; return;
cn= get_loc_info(thd); cn= get_loc_info(thd);
if (!ci_needs_setup(cn) && cn->query_length && if (!ci_needs_setup(cn) && cn->query_length)
FILTER(EVENT_QUERY) && do_log_user(cn->user))
{ {
cn->log_always= 1; cn->log_always= 1;
log_statement_ex(cn, cn->query_time, thd_get_thread_id(thd), log_statement_ex(cn, cn->query_time, thd_get_thread_id(thd),
...@@ -2814,6 +2816,7 @@ static void update_logging(MYSQL_THD thd, ...@@ -2814,6 +2816,7 @@ static void update_logging(MYSQL_THD thd,
{ {
CLIENT_ERROR(1, "Logging was disabled.", MYF(ME_JUST_WARNING)); CLIENT_ERROR(1, "Logging was disabled.", MYF(ME_JUST_WARNING));
} }
mark_always_logged(thd);
} }
else else
{ {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment