author | Tatiana A. Nurnberg <azundris@mysql.com> | 2009-03-25 17:42:34 +0100 |
---|---|---|
committer | Tatiana A. Nurnberg <azundris@mysql.com> | 2009-03-25 17:42:34 +0100 |
commit | 4f5f7f353ac4783fae7aa0bff891d1325177cc82 (patch) | |
tree | c5e1fcdb967de22a0abda1f95555773687774a41 | |
parent | 67f9a6d1782ff9f00769816fdf3dfb1e9763bba7 (diff) | |
parent | e46c139dd81081aceb27902ee4b632904cae292b (diff) | |
Bug#43748: crash when non-super user tries to kill the replication threads
manual merge. also adds test specific to 5.1+
mysql-test/suite/rpl/r/rpl_temporary.result:
show that a non-privileged user trying to
kill system-threads no longer crashes the
server. test in 5.1+ only.
mysql-test/suite/rpl/t/rpl_temporary.test:
show that a non-privileged user trying to
kill system-threads no longer crashes the
server. test in 5.1+ only.
sql/sql_class.cc:
manual merge
sql/sql_class.h:
manual merge
sql/sql_parse.cc:
manual merge
-rw-r--r-- | mysql-test/suite/rpl/r/rpl_temporary.result | 10 | ||||
-rw-r--r-- | mysql-test/suite/rpl/t/rpl_temporary.test | 38 | ||||
-rw-r--r-- | sql/sql_class.cc | 8 | ||||
-rw-r--r-- | sql/sql_class.h | 1 | ||||
-rw-r--r-- | sql/sql_parse.cc | 20 |
5 files changed, 76 insertions, 1 deletions
diff --git a/mysql-test/suite/rpl/r/rpl_temporary.result b/mysql-test/suite/rpl/r/rpl_temporary.result
index 568d5368adb..c3b228e6089 100644
--- a/mysql-test/suite/rpl/r/rpl_temporary.result
+++ b/mysql-test/suite/rpl/r/rpl_temporary.result
@@ -108,3 +108,13 @@ select * from t1;
 a
 1
 drop table t1;
+Bug#43748
+make a non-privileged user on slave.
+FLUSH PRIVILEGES;
+GRANT USAGE ON *.* TO user43748@127.0.0.1 IDENTIFIED BY 'meow';
+try to KILL system-thread as non-privileged user.
+KILL `select id from information_schema.processlist where command='Binlog Dump'`;
+ERROR HY000: You are not owner of thread `select id from information_schema.processlist where command='Binlog Dump'`
+throw out test-user on slave.
+DROP USER user43748@127.0.0.1;
+done. back to master.
diff --git a/mysql-test/suite/rpl/t/rpl_temporary.test b/mysql-test/suite/rpl/t/rpl_temporary.test
index 0bf3ecf97a2..a236bcf3b7b 100644
--- a/mysql-test/suite/rpl/t/rpl_temporary.test
+++ b/mysql-test/suite/rpl/t/rpl_temporary.test
@@ -222,4 +222,42 @@ drop table t1;
 # Delete the anonymous users
 source include/delete_anonymous_users.inc;
+
+
+#
+# Bug#43748: crash when non-super user tries to kill the replication threads
+#
+
+--echo Bug#43748
+
+connection slave;
+
+--echo make a non-privileged user on slave.
+
+FLUSH PRIVILEGES;
+GRANT USAGE ON *.* TO user43748@127.0.0.1 IDENTIFIED BY 'meow';
+
+let $id = `SELECT id FROM information_schema.processlist WHERE user='system user' LIMIT 1`;
+
+connect (cont43748,127.0.0.1,user43748,meow,test,$SLAVE_MYPORT,);
+connection cont43748;
+
+--echo try to KILL system-thread as non-privileged user.
+
+--replace_result $id "`select id from information_schema.processlist where command='Binlog Dump'`"
+--error ER_KILL_DENIED_ERROR
+eval KILL $id;
+
+disconnect cont43748;
+
+connection slave;
+
+--echo throw out test-user on slave.
+DROP USER user43748@127.0.0.1;
+
+connection master;
+--echo done. back to master.
+
+
+
 # End of tests
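Review bot: The `--replace_result` mask in rpl_temporary.test labels the target id as `command='Binlog Dump'`, but the id is actually selected with `user='system user'` on the slave connection, so the KILL and ERROR lines recorded in the .result file describe a different thread than the one under test. Making the mask match the selector, for example `--replace_result $id "<system thread id>"`, would keep the expected output accurate; the .result hunk would need re-recording. The test also exercises only the denied path, so a companion case in which the same unprivileged user kills its own second connection would guard the ownership check against regressing into deny-all.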
diff --git a/sql/sql_class.cc b/sql/sql_class.cc
index 945a0484068..4f92d3aea10 100644
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@@ -2805,6 +2805,14 @@ Security_context::restore_security_context(THD *thd,
 }
 #endif
+
+bool Security_context::user_matches(Security_context *them)
+{
+ return ((user != NULL) && (them->user != NULL) &&
+ !strcmp(user, them->user));
+}
+
+
 /****************************************************************************
 Handling of open and locked tables states.
diff --git a/sql/sql_class.h b/sql/sql_class.h
index 304937101c4..148e4b86e9e 100644
--- a/sql/sql_class.h
+++ b/sql/sql_class.h
@@ -813,6 +813,7 @@ public:
 void restore_security_context(THD *thd, Security_context *backup);
 #endif
+ bool user_matches(Security_context *);
 };
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 94725b1b53f..d1296c4127d 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -6890,8 +6890,26 @@ uint kill_one_thread(THD *thd, ulong id, bool only_kill_query)
 VOID(pthread_mutex_unlock(&LOCK_thread_count));
 if (tmp)
 {
+
+ /*
+ If we're SUPER, we can KILL anything, including system-threads.
+ No further checks.
+
+ KILLer: thd->security_ctx->user could in theory be NULL while
+ we're still in "unauthenticated" state. This is a theoretical
+ case (the code suggests this could happen, so we play it safe).
+
+ KILLee: tmp->security_ctx->user will be NULL for system threads.
+ We need to check so Jane Random User doesn't crash the server
+ when trying to kill a) system threads or b) unauthenticated users'
+ threads (Bug#43748).
+
+ If user of both killer and killee are non-NULL, proceed with
+ slayage if both are string-equal.
+ */
+
 if ((thd->security_ctx->master_access & SUPER_ACL) ||
- !strcmp(thd->security_ctx->user, tmp->security_ctx->user))
+ thd->security_ctx->user_matches(tmp->security_ctx))
 {
 tmp->awake(only_kill_query ? THD::KILL_QUERY : THD::KILL_CONNECTION);
 error=0; |
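Review bot: `Security_context::user_matches()` in sql/sql_class.cc now acts as the ownership predicate for KILL, yet it carries no comment stating its contract. From the visible body it returns false whenever either `user` is NULL and otherwise compares only the `user` strings, so anything else that identifies an account (the test's account is `user43748@127.0.0.1`) plays no part in the decision. A header such as `/* True only if both contexts have a non-NULL user and the names are string-equal; nothing but the user name is compared. */` would make that explicit for later callers. Neither object is modified, so the definition and the declaration added in sql/sql_class.h could be `bool user_matches(const Security_context *them) const;`.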
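Review bot: The ownership check in `kill_one_thread()` reads `tmp->security_ctx` after the `pthread_mutex_unlock(&LOCK_thread_count)` shown at the top of the sql/sql_parse.cc hunk, so it relies on something else keeping the target THD alive at that point. The function starts and ends outside the hunk, so whatever pins `tmp` (presumably a per-thread lock taken during the lookup) is not visible here. The new block comment is a natural place to record it, for example `tmp cannot be freed here: <lock name> is held until after awake()`. Stating it next to the check keeps a later refactor from moving the security-context read outside the protected region.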