diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 829a4aed52a..10c14d5a4a8 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -952,30 +952,33 @@ static bool fix_user_plugin_ptr(ACL_USER *user) */ static bool fix_lex_user(LEX_USER *user) { - size_t check_length= 0; + size_t check_length; + if (my_strcasecmp(system_charset_info, user->plugin.str, native_password_plugin_name.str) == 0) - { check_length= SCRAMBLED_PASSWORD_CHAR_LENGTH; - } else if (my_strcasecmp(system_charset_info, user->plugin.str, old_password_plugin_name.str) == 0) - { check_length= SCRAMBLED_PASSWORD_CHAR_LENGTH_323; + else + if (user->plugin.length) + return false; // nothing else to do + else + if (user->auth.length == SCRAMBLED_PASSWORD_CHAR_LENGTH_323) + check_length= 0; // length is valid, no need to re-check + else + check_length= SCRAMBLED_PASSWORD_CHAR_LENGTH; + + if (check_length && user->auth.length && user->auth.length != check_length) + { + my_error(ER_PASSWD_LENGTH, MYF(0), check_length); + return true; } - if (check_length) - { - user->password= user->auth.length ? user->auth : null_lex_str; - user->plugin= empty_lex_str; - user->auth= empty_lex_str; - if (user->password.length && user->password.length != check_length) - { - my_error(ER_PASSWD_LENGTH, MYF(0), check_length); - return true; - } - } + user->password= user->auth.length ? user->auth : null_lex_str; + user->plugin= empty_lex_str; + user->auth= empty_lex_str; return false; } @@ -5604,8 +5607,11 @@ static bool has_auth(LEX_USER *user, LEX *lex) lex->mqh.specified_limits; } -static bool copy_and_check_auth(LEX_USER *to, LEX_USER *from, LEX *lex) +static bool copy_and_check_auth(LEX_USER *to, LEX_USER *from, THD *thd) { + if (fix_lex_user(from)) + return true; + if (to != from) { /* preserve authentication information, if LEX_USER was reallocated */ @@ -5614,14 +5620,13 @@ static bool copy_and_check_auth(LEX_USER *to, LEX_USER *from, LEX *lex) to->auth= from->auth; } - /* - Specifying authentication clauses forces the name to be interpreted - as a user, not a role. See also check_change_password() - */ - if (to->is_role() && has_auth(to, lex)) + // if changing auth for an existing user + if (has_auth(to, thd->lex) && find_user_exact(to->host.str, to->user.str)) { - my_error(ER_PASSWORD_NO_MATCH, MYF(0)); - return true; + mysql_mutex_unlock(&acl_cache->lock); + bool res= check_alter_user(thd, to->host.str, to->user.str); + mysql_mutex_lock(&acl_cache->lock); + return res; } return false; @@ -5767,10 +5772,8 @@ int mysql_table_grant(THD *thd, TABLE_LIST *table_list, continue; } /* Create user if needed */ - if (copy_and_check_auth(Str, tmp_Str, thd->lex)) - error= -1; - else - error=replace_user_table(thd, tables[USER_TABLE].table, *Str, + error= copy_and_check_auth(Str, tmp_Str, thd) || + replace_user_table(thd, tables[USER_TABLE].table, *Str, 0, revoke_grant, create_new_users, MY_TEST(thd->variables.sql_mode & MODE_NO_AUTO_CREATE_USER)); @@ -5943,7 +5946,7 @@ bool mysql_routine_grant(THD *thd, TABLE_LIST *table_list, bool is_proc, continue; } /* Create user if needed */ - if (copy_and_check_auth(Str, tmp_Str, thd->lex) || + if (copy_and_check_auth(Str, tmp_Str, thd) || replace_user_table(thd, tables[USER_TABLE].table, *Str, 0, revoke_grant, create_new_users, MY_TEST(thd->variables.sql_mode & @@ -6219,8 +6222,7 @@ bool mysql_grant_role(THD *thd, List &list, bool revoke) user_combo.host = hostname; user_combo.user = username; - /* create the user if it does not exist */ - if (copy_and_check_auth(&user_combo, &user_combo, thd->lex) || + if (copy_and_check_auth(&user_combo, &user_combo, thd) || replace_user_table(thd, tables[USER_TABLE].table, user_combo, 0, false, create_new_user, no_auto_create_user)) @@ -6388,16 +6390,8 @@ bool mysql_grant(THD *thd, const char *db, List &list, continue; } - if (fix_lex_user(tmp_Str)) - { - result= TRUE; - continue; - } - - if (copy_and_check_auth(Str, tmp_Str, thd->lex)) - result= true; - else - if (replace_user_table(thd, tables[USER_TABLE].table, *Str, + if (copy_and_check_auth(Str, tmp_Str, thd) || + replace_user_table(thd, tables[USER_TABLE].table, *Str, (!db ? rights : 0), revoke_grant, create_new_users, MY_TEST(thd->variables.sql_mode & MODE_NO_AUTO_CREATE_USER))) @@ -9998,7 +9992,7 @@ bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name, thd->make_lex_string(&combo->user, combo->user.str, strlen(combo->user.str)); thd->make_lex_string(&combo->host, combo->host.str, strlen(combo->host.str)); - combo->password= empty_lex_str; + combo->password= null_lex_str; combo->plugin= empty_lex_str; combo->auth= empty_lex_str; @@ -10009,12 +10003,12 @@ bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name, if (au->salt_len == SCRAMBLE_LENGTH) { make_password_from_salt(passwd_buff, au->salt); - combo->password.length= SCRAMBLED_PASSWORD_CHAR_LENGTH; + combo->auth.length= SCRAMBLED_PASSWORD_CHAR_LENGTH; } else if (au->salt_len == SCRAMBLE_LENGTH_323) { make_password_from_salt_323(passwd_buff, (ulong *) au->salt); - combo->password.length= SCRAMBLED_PASSWORD_CHAR_LENGTH_323; + combo->auth.length= SCRAMBLED_PASSWORD_CHAR_LENGTH_323; } else { @@ -10022,7 +10016,7 @@ bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name, ER(ER_PASSWD_LENGTH), SCRAMBLED_PASSWORD_CHAR_LENGTH); return TRUE; } - combo->password.str= passwd_buff; + combo->auth.str= passwd_buff; } if (au->plugin.str != native_password_plugin_name.str && diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 68c521af33b..63a1d69a083 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -4591,29 +4591,6 @@ end_with_restore_list: lex->grant & GRANT_ACL)) goto error; } - else if (user->password.str) - { - // Are we trying to change a password of another user? - const char *hostname= user->host.str, *username=user->user.str; - bool userok; - if (username == current_user.str) - { - username= thd->security_ctx->priv_user; - hostname= thd->security_ctx->priv_host; - userok= true; - } - else - { - if (!hostname) - hostname= host_not_specified.str; - userok= is_acl_user(hostname, username); - } - - if (userok && check_change_password (thd, hostname, username, - user->password.str, - user->password.length)) - goto error; - } } } if (first_table) diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy index 32c586ab20d..d693c36177e 100644 --- a/sql/sql_yacc.yy +++ b/sql/sql_yacc.yy @@ -15534,8 +15534,8 @@ grant_user: if (buff == NULL) MYSQL_YYABORT; my_make_scrambled_password_323(buff, $4.str, $4.length); - $1->password.str= buff; - $1->password.length= SCRAMBLED_PASSWORD_CHAR_LENGTH_323; + $1->auth.str= buff; + $1->auth.length= SCRAMBLED_PASSWORD_CHAR_LENGTH_323; } else { @@ -15544,15 +15544,15 @@ grant_user: if (buff == NULL) MYSQL_YYABORT; my_make_scrambled_password(buff, $4.str, $4.length); - $1->password.str= buff; - $1->password.length= SCRAMBLED_PASSWORD_CHAR_LENGTH; + $1->auth.str= buff; + $1->auth.length= SCRAMBLED_PASSWORD_CHAR_LENGTH; } } } | user IDENTIFIED_SYM BY PASSWORD TEXT_STRING { $$= $1; - $1->password= $5; + $1->auth= $5; } | user IDENTIFIED_SYM via_or_with ident_or_text {