database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-12-24 11:21:21 +03:00
Code Activity

Bug #14211140: CRASH WHEN GRANTING OR REVOKING PROXY

Browse Source 
PRIVILEGES

Description: (user,host) pair from security context is used
             privilege checking at the time of granting or
             revoking proxy privileges. This creates problem
             when server is started with
             --skip-name-resolve option because host will not
             contain any value. Checks should be dependent on
             consistent values regardless the way server is
             started. Further, privilege check should use
             (priv_user,priv_host) pair rather than values
             obtained from inbound connection because
             this pair represents the correct account context
             obtained from mysql.user table.
This commit is contained in:
Harin Vadodaria
2012-10-09 18:15:40 +05:30
parent d5d53d1902
commit 5427d33e62
3 changed files with 47 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
mysql-test/t/plugin_auth.test
View File

@@ -179,21 +179,35 @@ GRANT PROXY ON ''@'' TO grant_plug;
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
GRANT PROXY ON grant_plug TO grant_plug_dest;
--echo this should fail : same user, but on a different host
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
# Security context in THD contains two pairs of (user,host)
# 1. (user,host) pair referring to inbound connection
# 2. (priv_user,priv_host) pair obtained from mysql.user table after doing
# authnetication of incoming connection.
# Granting/revoking proxy privileges, privileges should be checked wrt
# (priv_user, priv_host) tuple that is obtained from mysql.user table
# Following is a valid grant because effective user of connection is
# grant_plug_dest@% and statement is trying to grant proxy on the same
# user.
--echo This is a valid grant
GRANT PROXY ON grant_plug_dest TO grant_plug;
REVOKE PROXY ON grant_plug_dest FROM grant_plug;
--echo this should work : same user
GRANT PROXY ON grant_plug_dest@localhost TO grant_plug_dest2;
REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug_dest2;
GRANT PROXY ON grant_plug_dest TO grant_plug_dest2;
REVOKE PROXY ON grant_plug_dest FROM grant_plug_dest2;
--echo this should work : same user
# grant_plug_dest@localhost is not the same as grant_plug_dest@%
# so following grant/revoke should fail
--echo this should fail : not the same user
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
GRANT PROXY ON grant_plug_dest@localhost TO grant_plug WITH GRANT OPTION;
--echo this should fail : not the same user
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug;
--echo this should fail : can't create users
--error ER_CANT_CREATE_USER_WITH_GRANT
GRANT PROXY ON grant_plug_dest@localhost TO grant_plug@localhost;
GRANT PROXY ON grant_plug_dest TO grant_plug@localhost;
connection default;
--echo in default connection