diff options
| -rw-r--r-- | mysql-test/r/failed_auth_3909.result | 21 | ||||
| -rw-r--r-- | mysql-test/t/failed_auth_3909.test | 37 | ||||
| -rw-r--r-- | sql/sql_acl.cc | 47 |
3 files changed, 97 insertions, 8 deletions
diff --git a/mysql-test/r/failed_auth_3909.result b/mysql-test/r/failed_auth_3909.result new file mode 100644 index 00000000000..36c812b6932 --- /dev/null +++ b/mysql-test/r/failed_auth_3909.result @@ -0,0 +1,21 @@ +optimize table mysql.user; +Table Op Msg_type Msg_text +mysql.user optimize status OK +insert mysql.user (user,plugin) values ('foo','bar'),('bar','bar'),('baz','bar'); +Warnings: +Warning 1364 Field 'ssl_cipher' doesn't have a default value +Warning 1364 Field 'x509_issuer' doesn't have a default value +Warning 1364 Field 'x509_subject' doesn't have a default value +Warning 1364 Field 'auth_string' doesn't have a default value +flush privileges; +connect(localhost,u1,,test,MASTER_PORT,MASTER_SOCKET); +ERROR HY000: Plugin 'bar' is not loaded +connect(localhost,u2,,test,MASTER_PORT,MASTER_SOCKET); +ERROR 28000: Access denied for user 'u2'@'localhost' (using password: NO) +connect(localhost,u2,password,test,MASTER_PORT,MASTER_SOCKET); +ERROR 28000: Access denied for user 'u2'@'localhost' (using password: YES) +ERROR HY000: Plugin 'bar' is not loaded +ERROR 28000: Access denied for user 'u2'@'localhost' (using password: NO) +ERROR 28000: Access denied for user 'u2'@'localhost' (using password: YES) +delete from mysql.user where plugin = 'bar'; +flush privileges; diff --git a/mysql-test/t/failed_auth_3909.test b/mysql-test/t/failed_auth_3909.test new file mode 100644 index 00000000000..3179794d155 --- /dev/null +++ b/mysql-test/t/failed_auth_3909.test @@ -0,0 +1,37 @@ +source include/not_embedded.inc; + +# +# MDEV-3909 remote user enumeration +# +# verify that for some failed login attemps (with wrong user names) +# the server requests a plugin +# +optimize table mysql.user; +insert mysql.user (user,plugin) values ('foo','bar'),('bar','bar'),('baz','bar'); +flush privileges; + +--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT +--error ER_PLUGIN_IS_NOT_LOADED +connect (fail,localhost,u1); + +--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT +--error ER_ACCESS_DENIED_ERROR +connect (fail,localhost,u2); + +--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT +--error ER_ACCESS_DENIED_ERROR +connect (fail,localhost,u2,password); + +--error ER_PLUGIN_IS_NOT_LOADED +change_user u1; + +--error ER_ACCESS_DENIED_ERROR +change_user u2; + +--error ER_ACCESS_DENIED_ERROR +change_user u2,password; + +delete from mysql.user where plugin = 'bar'; +flush privileges; + + diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 547572c5db6..29922aa5321 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -7056,6 +7056,7 @@ struct MPVIO_EXT : public MYSQL_PLUGIN_VIO } cached_server_packet; int packets_read, packets_written; ///< counters for send/received packets uint connect_errors; ///< if there were connect errors for this host + bool make_it_fail; /** when plugin returns a failure this tells us what really happened */ enum { SUCCESS, FAILURE, RESTART } status; }; @@ -7322,14 +7323,14 @@ static bool send_plugin_request_packet(MPVIO_EXT *mpvio, /** Finds acl entry in user database for authentication purposes. - Finds a user and copies it into mpvio. Reports an authentication - failure if a user is not found. + Finds a user and copies it into mpvio. Creates a fake user + if no matching user account is found. @note find_acl_user is not the same, because it doesn't take into account the case when user is not empty, but acl_user->user is empty @retval 0 found - @retval 1 not found + @retval 1 error */ static bool find_mpvio_user(MPVIO_EXT *mpvio, Security_context *sctx) @@ -7351,8 +7352,27 @@ static bool find_mpvio_user(MPVIO_EXT *mpvio, Security_context *sctx) if (!mpvio->acl_user) { - login_failed_error(mpvio->thd); - return 1; + /* + A matching user was not found. Fake it. Take any user, make the + authentication fail later. + This way we get a realistically looking failure, with occasional + "change auth plugin" requests even for nonexistent users. The ratio + of "change auth plugin" request will be the same for real and + nonexistent users. + Note, that we cannot pick any user at random, it must always be + the same user account for the incoming sctx->user name. + */ + ulong nr1=1, nr2=4; + CHARSET_INFO *cs= &my_charset_latin1; + cs->coll->hash_sort(cs, (uchar*) sctx->user, strlen(sctx->user), &nr1, &nr2); + + pthread_mutex_lock(&acl_cache->lock); + uint i= nr1 % acl_users.elements; + ACL_USER *acl_user_tmp= dynamic_element(&acl_users, i, ACL_USER*); + mpvio->acl_user= acl_user_tmp->copy(mpvio->thd->mem_root); + pthread_mutex_unlock(&acl_cache->lock); + + mpvio->make_it_fail= true; } /* user account requires non-default plugin and the client is too old */ @@ -7763,8 +7783,8 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio, mpvio->cached_server_packet.pkt_len)) return packet_error; - passwd_len= my_net_read(&mpvio->thd->net); - passwd = (char*)mpvio->thd->net.read_pos; + passwd_len= my_net_read(&thd->net); + passwd= (char*)thd->net.read_pos; } *buff= (uchar*)passwd; @@ -7868,6 +7888,10 @@ static int server_mpvio_read_packet(MYSQL_PLUGIN_VIO *param, uchar **buf) *buf= (uchar*)mpvio->cached_client_reply.pkt; mpvio->cached_client_reply.pkt= 0; mpvio->packets_read++; + + if (mpvio->make_it_fail) + goto err; + return (int)mpvio->cached_client_reply.pkt_len; } /* @@ -7901,13 +7925,19 @@ static int server_mpvio_read_packet(MYSQL_PLUGIN_VIO *param, uchar **buf) else *buf = mpvio->thd->net.read_pos; + if (mpvio->make_it_fail) + goto err; + return (int)pkt_len; err: if (mpvio->status == MPVIO_EXT::FAILURE && !mpvio->thd->is_error()) { inc_host_errors(&mpvio->thd->net.vio->remote.sin_addr); - my_error(ER_HANDSHAKE_ERROR, MYF(0)); + if (mpvio->make_it_fail) + login_failed_error(mpvio->thd); + else + my_error(ER_HANDSHAKE_ERROR, MYF(0)); } return -1; } @@ -8116,6 +8146,7 @@ bool acl_authenticate(THD *thd, uint connect_errors, mpvio.thd= thd; mpvio.connect_errors= connect_errors; mpvio.status= MPVIO_EXT::FAILURE; + mpvio.make_it_fail= false; if (command == COM_CHANGE_USER) { |