diff options
| -rw-r--r-- | sql/ha_innodb.cc | 2 | ||||
| -rw-r--r-- | sql/item_func.cc | 2 | ||||
| -rw-r--r-- | sql/item_strfunc.cc | 2 | ||||
| -rw-r--r-- | sql/log.cc | 11 | ||||
| -rw-r--r-- | sql/mysql_priv.h | 4 | ||||
| -rw-r--r-- | sql/mysqld.cc | 4 | ||||
| -rw-r--r-- | sql/sp_head.cc | 16 | ||||
| -rw-r--r-- | sql/sp_head.h | 11 | ||||
| -rw-r--r-- | sql/sql_acl.cc | 68 | ||||
| -rw-r--r-- | sql/sql_acl.h | 4 | ||||
| -rw-r--r-- | sql/sql_class.cc | 6 | ||||
| -rw-r--r-- | sql/sql_class.h | 12 | ||||
| -rw-r--r-- | sql/sql_db.cc | 6 | ||||
| -rw-r--r-- | sql/sql_parse.cc | 105 | ||||
| -rw-r--r-- | sql/sql_show.cc | 14 | ||||
| -rw-r--r-- | sql/sql_yacc.yy | 4 |
16 files changed, 151 insertions, 120 deletions
diff --git a/sql/ha_innodb.cc b/sql/ha_innodb.cc index fd5db6da722..5ded583ded6 100644 --- a/sql/ha_innodb.cc +++ b/sql/ha_innodb.cc @@ -563,7 +563,7 @@ innobase_mysql_print_thd( use the default max length */ { const THD* thd; - const st_security_context *sctx; + const Security_context *sctx; const char* s; thd = (const THD*) input_thd; diff --git a/sql/item_func.cc b/sql/item_func.cc index 338bb4db4fe..95ac2f9a697 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -4713,7 +4713,7 @@ Item_func_sp::execute(Item **itp) Sub_statement_state statement_state; #ifndef NO_EMBEDDED_ACCESS_CHECKS - st_security_context *save_ctx; + Security_context *save_ctx; #endif if (! m_sp && ! (m_sp= sp_find_function(thd, m_name, TRUE))) diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc index 6a51ecd307d..1876a5ecaf7 100644 --- a/sql/item_strfunc.cc +++ b/sql/item_strfunc.cc @@ -1608,7 +1608,7 @@ String *Item_func_user::val_str(String *str) else { user= thd->main_security_ctx.user; - host= thd->main_security_ctx.priv_host; + host= thd->main_security_ctx.host; } // For system threads (e.g. replication SQL thread) user may be empty diff --git a/sql/log.cc b/sql/log.cc index 032ac392c00..8010d03b46a 100644 --- a/sql/log.cc +++ b/sql/log.cc @@ -1915,6 +1915,7 @@ bool MYSQL_LOG::write(THD *thd,const char *query, uint query_length, } if (!(specialflag & SPECIAL_SHORT_LOG_FORMAT) || query_start_arg) { + Security_context *sctx= thd->security_ctx; current_time=time(NULL); if (current_time != last_time) { @@ -1935,11 +1936,11 @@ bool MYSQL_LOG::write(THD *thd,const char *query, uint query_length, tmp_errno=errno; } if (my_b_printf(&log_file, "# User@Host: %s[%s] @ %s [%s]\n", - thd->security_ctx->priv_user ? - thd->security_ctx->priv_user : "", - thd->security_ctx->user ? thd->security_ctx->user : "", - thd->security_ctx->host ? thd->security_ctx->host : "", - thd->security_ctx->ip ? thd->security_ctx->ip : "") == + sctx->priv_user ? + sctx->priv_user : "", + sctx->user ? sctx->user : "", + sctx->host ? sctx->host : "", + sctx->ip ? sctx->ip : "") == (uint) -1) tmp_errno=errno; } diff --git a/sql/mysql_priv.h b/sql/mysql_priv.h index 059b9cca48e..fc7bac89274 100644 --- a/sql/mysql_priv.h +++ b/sql/mysql_priv.h @@ -484,7 +484,7 @@ typedef my_bool (*qc_engine_callback)(THD *thd, char *table_key, #include "protocol.h" #include "sql_udf.h" class user_var_entry; -class st_security_context; +class Security_context; enum enum_var_type { OPT_DEFAULT= 0, OPT_SESSION, OPT_GLOBAL @@ -516,7 +516,7 @@ bool delete_precheck(THD *thd, TABLE_LIST *tables); bool insert_precheck(THD *thd, TABLE_LIST *tables); bool create_table_precheck(THD *thd, TABLE_LIST *tables, TABLE_LIST *create_table); -bool default_view_definer(st_security_context *sctx, st_lex_user *definer); +bool default_view_definer(Security_context *sctx, st_lex_user *definer); enum enum_mysql_completiontype { diff --git a/sql/mysqld.cc b/sql/mysqld.cc index daabb53a39d..c76481f6583 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -777,8 +777,8 @@ static void close_connections(void) if (global_system_variables.log_warnings) sql_print_warning(ER(ER_FORCING_CLOSE),my_progname, tmp->thread_id, - (tmp->security_ctx->user ? - tmp->security_ctx->user : "")); + (tmp->main_security_ctx.user ? + tmp->main_security_ctx.user : "")); close_connection(tmp,0,0); } #endif diff --git a/sql/sp_head.cc b/sql/sp_head.cc index 0d481047849..157672f2a86 100644 --- a/sql/sp_head.cc +++ b/sql/sp_head.cc @@ -2648,16 +2648,14 @@ sp_instr_error::print(String *str) #ifndef NO_EMBEDDED_ACCESS_CHECKS bool -sp_change_security_context(THD *thd, sp_head *sp, st_security_context **backup) +sp_change_security_context(THD *thd, sp_head *sp, Security_context **backup) { - bool changed= (sp->m_chistics->suid != SP_IS_NOT_SUID && - (strcmp(sp->m_definer_user.str, - thd->security_ctx->priv_user) || - my_strcasecmp(system_charset_info, sp->m_definer_host.str, - thd->security_ctx->priv_host))); - *backup= 0; - if (changed) + if (sp->m_chistics->suid != SP_IS_NOT_SUID && + (strcmp(sp->m_definer_user.str, + thd->security_ctx->priv_user) || + my_strcasecmp(system_charset_info, sp->m_definer_host.str, + thd->security_ctx->priv_host))) { if (acl_getroot_no_password(&sp->m_security_ctx, sp->m_definer_user.str, sp->m_definer_host.str, @@ -2675,7 +2673,7 @@ sp_change_security_context(THD *thd, sp_head *sp, st_security_context **backup) } void -sp_restore_security_context(THD *thd, st_security_context *backup) +sp_restore_security_context(THD *thd, Security_context *backup) { if (backup) thd->security_ctx= backup; diff --git a/sql/sp_head.h b/sql/sp_head.h index ccf8c48a5eb..59169dc35cd 100644 --- a/sql/sp_head.h +++ b/sql/sp_head.h @@ -151,8 +151,11 @@ public: // Pointers set during parsing uchar *m_param_begin, *m_param_end, *m_body_begin; - /* security context for SP procedure/function in case we switch it*/ - st_security_context m_security_ctx; + /* + Security context for stored routine which should be run under + definer privileges. + */ + Security_context m_security_ctx; static void * operator new(size_t size); @@ -1023,9 +1026,9 @@ private: #ifndef NO_EMBEDDED_ACCESS_CHECKS bool sp_change_security_context(THD *thd, sp_head *sp, - st_security_context **backup); + Security_context **backup); void -sp_restore_security_context(THD *thd, st_security_context *backup); +sp_restore_security_context(THD *thd, Security_context *backup); #endif /* NO_EMBEDDED_ACCESS_CHECKS */ TABLE_LIST * diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 95f7fed358d..d6c473ec8bc 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -719,7 +719,7 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh, ulong user_access= NO_ACCESS; int res= 1; ACL_USER *acl_user= 0; - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; DBUG_ENTER("acl_getroot"); if (!initialized) @@ -728,6 +728,7 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh, here if mysqld's been started with --skip-grant-tables option. */ sctx->skip_grants(); + bzero((char*) mqh, sizeof(*mqh)); DBUG_RETURN(0); } @@ -906,13 +907,24 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh, /* - * This is like acl_getroot() above, but it doesn't check password, - * and we don't care about the user resources. - * Used to get access rights for SQL SECURITY DEFINER invocation of - * stored procedures. - */ -int acl_getroot_no_password(st_security_context *sctx, char *user, char *host, - char *ip, char *db) + This is like acl_getroot() above, but it doesn't check password, + and we don't care about the user resources. + + SYNOPSIS + acl_getroot_no_password() + sctx Context which should be initialized + user user name + host host name + ip IP + db current data base name + + RETURN + FALSE OK + TRUE Error +*/ + +bool acl_getroot_no_password(Security_context *sctx, char *user, char *host, + char *ip, char *db) { int res= 1; uint i; @@ -930,7 +942,7 @@ int acl_getroot_no_password(st_security_context *sctx, char *user, char *host, here if mysqld's been started with --skip-grant-tables option. */ sctx->skip_grants(); - DBUG_RETURN(0); + DBUG_RETURN(FALSE); } VOID(pthread_mutex_lock(&acl_cache->lock)); @@ -1649,7 +1661,7 @@ static bool update_user_table(THD *thd, TABLE *table, static bool test_if_create_new_users(THD *thd) { - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; bool create_new_users= test(sctx->master_access & INSERT_ACL) || (!opt_safe_user_create && test(sctx->master_access & CREATE_USER_ACL)); @@ -3493,7 +3505,7 @@ bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables, uint show_table, uint number, bool no_errors) { TABLE_LIST *table; - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; DBUG_ENTER("check_grant"); DBUG_ASSERT(number > 0); @@ -3563,7 +3575,7 @@ bool check_grant_column(THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *name, uint length, uint show_tables) { - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; GRANT_TABLE *grant_table; GRANT_COLUMN *grant_column; ulong want_access= grant->want_privilege & ~grant->privilege; @@ -3623,7 +3635,7 @@ bool check_grant_all_columns(THD *thd, ulong want_access, GRANT_INFO *grant, const char* db_name, const char *table_name, Field_iterator *fields) { - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; GRANT_TABLE *grant_table; GRANT_COLUMN *grant_column; @@ -3683,7 +3695,7 @@ err2: bool check_grant_db(THD *thd,const char *db) { - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; char helping [NAME_LEN+USERNAME_LENGTH+2]; uint len; bool error= 1; @@ -3729,7 +3741,7 @@ bool check_grant_routine(THD *thd, ulong want_access, TABLE_LIST *procs, bool is_proc, bool no_errors) { TABLE_LIST *table; - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; char *user= sctx->priv_user; char *host= sctx->priv_host; DBUG_ENTER("check_grant_routine"); @@ -3797,10 +3809,11 @@ bool check_routine_level_acl(THD *thd, const char *db, const char *name, if (grant_option) { GRANT_NAME *grant_proc; + Security_context *sctx= thd->security_ctx; rw_rdlock(&LOCK_grant); - if ((grant_proc= routine_hash_search(thd->security_ctx->priv_host, - thd->security_ctx->ip, db, - thd->security_ctx->priv_user, + if ((grant_proc= routine_hash_search(sctx->priv_host, + sctx->ip, db, + sctx->priv_user, name, is_proc, 0))) no_routine_acl= !(grant_proc->privs & SHOW_PROC_ACLS); rw_unlock(&LOCK_grant); @@ -3816,7 +3829,7 @@ bool check_routine_level_acl(THD *thd, const char *db, const char *name, ulong get_table_grant(THD *thd, TABLE_LIST *table) { ulong privilege; - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; const char *db = table->db ? table->db : thd->db; GRANT_TABLE *grant_table; @@ -3867,9 +3880,10 @@ ulong get_column_grant(THD *thd, GRANT_INFO *grant, /* reload table if someone has modified any grants */ if (grant->version != grant_version) { + Security_context *sctx= thd->security_ctx; grant->grant_table= - table_hash_search(thd->security_ctx->host, thd->security_ctx->ip, - db_name, thd->security_ctx->priv_user, + table_hash_search(sctx->host, sctx->ip, + db_name, sctx->priv_user, table_name, 0); /* purecov: inspected */ grant->version= grant_version; /* purecov: inspected */ } @@ -5439,7 +5453,7 @@ bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name, bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name, bool is_proc) { - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; LEX_USER *combo; TABLE_LIST tables[1]; List<LEX_USER> user_list; @@ -5573,7 +5587,7 @@ int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, COND *cond) char buff[100]; TABLE *table= tables->table; bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0); - char *curr_host= thd->security_ctx->get_priv_host(); + char *curr_host= thd->security_ctx->priv_host_name(); DBUG_ENTER("fill_schema_user_privileges"); for (counter=0 ; counter < acl_users.elements ; counter++) @@ -5626,7 +5640,7 @@ int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, COND *cond) char buff[100]; TABLE *table= tables->table; bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0); - char *curr_host= thd->security_ctx->get_priv_host(); + char *curr_host= thd->security_ctx->priv_host_name(); DBUG_ENTER("fill_schema_schema_privileges"); for (counter=0 ; counter < acl_dbs.elements ; counter++) @@ -5681,7 +5695,7 @@ int fill_schema_table_privileges(THD *thd, TABLE_LIST *tables, COND *cond) char buff[100]; TABLE *table= tables->table; bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0); - char *curr_host= thd->security_ctx->get_priv_host(); + char *curr_host= thd->security_ctx->priv_host_name(); DBUG_ENTER("fill_schema_table_privileges"); for (index=0 ; index < column_priv_hash.records ; index++) @@ -5743,7 +5757,7 @@ int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, COND *cond) char buff[100]; TABLE *table= tables->table; bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0); - char *curr_host= thd->security_ctx->get_priv_host(); + char *curr_host= thd->security_ctx->priv_host_name(); DBUG_ENTER("fill_schema_table_privileges"); for (index=0 ; index < column_priv_hash.records ; index++) @@ -5819,7 +5833,7 @@ int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, COND *cond) void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant, const char *db, const char *table) { - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; /* --skip-grants */ if (!initialized) { diff --git a/sql/sql_acl.h b/sql/sql_acl.h index f62f3c12b28..0e50737f84c 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -181,8 +181,8 @@ ulong acl_get(const char *host, const char *ip, const char *user, const char *db, my_bool db_is_pattern); int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd, uint passwd_len); -int acl_getroot_no_password(st_security_context *sctx, char *user, char *host, - char *ip, char *db); +bool acl_getroot_no_password(Security_context *sctx, char *user, char *host, + char *ip, char *db); bool acl_check_host(const char *host, const char *ip); bool check_change_password(THD *thd, const char *host, const char *user, char *password, uint password_len); diff --git a/sql/sql_class.cc b/sql/sql_class.cc index 85bf520b56e..3d2322f7fff 100644 --- a/sql/sql_class.cc +++ b/sql/sql_class.cc @@ -1822,7 +1822,7 @@ void THD::set_status_var_init() } -void st_security_context::init() +void Security_context::init() { host= user= priv_user= ip= 0; host_or_ip= "connecting host"; @@ -1832,7 +1832,7 @@ void st_security_context::init() } -void st_security_context::destroy() +void Security_context::destroy() { // If not pointer to constant if (host != my_localhost) @@ -1843,7 +1843,7 @@ void st_security_context::destroy() } -void st_security_context::skip_grants() +void Security_context::skip_grants() { /* privileges for the user are unknown everything is allowed */ host_or_ip= (char *)""; diff --git a/sql/sql_class.h b/sql/sql_class.h index ddc8b092311..08194d6bd52 100644 --- a/sql/sql_class.h +++ b/sql/sql_class.h @@ -942,15 +942,17 @@ bool xid_cache_insert(XID_STATE *xid_state); void xid_cache_delete(XID_STATE *xid_state); -struct st_security_context { +class Security_context { +public: /* host - host of the client user - user of the client, set to NULL until the user has been read from the connection - priv_user - The user privilege we are using. May be '' for anonymous user. + priv_user - The user privilege we are using. May be "" for anonymous user. ip - client IP */ char *host, *user, *priv_user, *ip; + /* The host privilege we are using */ char priv_host[MAX_HOSTNAME]; /* points to host if host is available, otherwise points to ip */ const char *host_or_ip; @@ -960,7 +962,7 @@ struct st_security_context { void init(); void destroy(); void skip_grants(); - inline char *get_priv_host() + inline char *priv_host_name() { return (*priv_host ? priv_host : (char *)"%"); } @@ -1150,8 +1152,8 @@ public: the slave SQL thread, in sql/slave.cc. */ char *db, *catalog; - st_security_context main_security_ctx; - st_security_context *security_ctx; + Security_context main_security_ctx; + Security_context *security_ctx; /* remote (peer) port */ uint16 peer_port; diff --git a/sql/sql_db.cc b/sql/sql_db.cc index e4d8c1b8164..d89800e34f8 100644 --- a/sql/sql_db.cc +++ b/sql/sql_db.cc @@ -1093,7 +1093,7 @@ bool mysql_change_db(THD *thd, const char *name, bool no_access_check) bool system_db= 0; #ifndef NO_EMBEDDED_ACCESS_CHECKS ulong db_access; - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; #endif DBUG_ENTER("mysql_change_db"); DBUG_PRINT("enter",("name: '%s'",name)); @@ -1131,7 +1131,7 @@ bool mysql_change_db(THD *thd, const char *name, bool no_access_check) #ifndef NO_EMBEDDED_ACCESS_CHECKS if (!no_access_check) { - if (test_all_bits(sctx->master_access,DB_ACLS)) + if (test_all_bits(sctx->master_access, DB_ACLS)) db_access=DB_ACLS; else db_access= (acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname, 0) | @@ -1166,7 +1166,7 @@ end: thd->db_length=db_length; #ifndef NO_EMBEDDED_ACCESS_CHECKS if (!no_access_check) - sctx->db_access=db_access; + sctx->db_access= db_access; #endif if (system_db) { diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index d056215c19b..8f259b21919 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -270,11 +270,10 @@ int check_user(THD *thd, enum enum_server_command command, const char *passwd, uint passwd_len, const char *db, bool check_count) { - st_security_context *sctx= thd->security_ctx; DBUG_ENTER("check_user"); #ifdef NO_EMBEDDED_ACCESS_CHECKS - sctx->master_access= GLOBAL_ACLS; // Full rights + thd->ain_security_ctx.master_access= GLOBAL_ACLS; // Full rights /* Change database if necessary */ if (db && db[0]) { @@ -341,15 +340,17 @@ int check_user(THD *thd, enum enum_server_command command, if (opt_secure_auth_local) { net_printf_error(thd, ER_SERVER_IS_IN_SECURE_AUTH_MODE, - sctx->user, sctx->host_or_ip); + thd->main_security_ctx.user, + thd->main_security_ctx.host_or_ip); mysql_log.write(thd, COM_CONNECT, ER(ER_SERVER_IS_IN_SECURE_AUTH_MODE), - sctx->user, sctx->host_or_ip); + thd->main_security_ctx.user, + thd->main_security_ctx.host_or_ip); DBUG_RETURN(-1); } /* We have to read very specific packet size */ if (send_old_password_request(thd) || my_net_read(net) != SCRAMBLE_LENGTH_323 + 1) - { + { inc_host_errors(&thd->remote.sin_addr); DBUG_RETURN(ER_HANDSHAKE_ERROR); } @@ -361,22 +362,27 @@ int check_user(THD *thd, enum enum_server_command command, /* here res is always >= 0 */ if (res == 0) { - if (!(sctx->master_access & NO_ACCESS)) // authentication is OK + if (!(thd->main_security_ctx.master_access & + NO_ACCESS)) // authentication is OK { DBUG_PRINT("info", ("Capabilities: %d packet_length: %ld Host: '%s' " "Login user: '%s' Priv_user: '%s' Using password: %s " "Access: %u db: '%s'", - thd->client_capabilities, thd->max_client_packet_length, - sctx->host_or_ip, sctx->user, sctx->priv_user, + thd->client_capabilities, + thd->max_client_packet_length, + thd->main_security_ctx.host_or_ip, + thd->main_security_ctx.user, + thd->main_security_ctx.priv_user, passwd_len ? "yes": "no", - sctx->master_access, thd->db ? thd->db : "*none*")); + thd->main_security_ctx.master_access, + (thd->db ? thd->db : "*none*"))); if (check_count) { VOID(pthread_mutex_lock(&LOCK_thread_count)); bool count_ok= thread_count <= max_connections + delayed_insert_threads - || (sctx->master_access & SUPER_ACL); + || (thd->main_security_ctx.master_access & SUPER_ACL); VOID(pthread_mutex_unlock(&LOCK_thread_count)); if (!count_ok) { // too many connections @@ -387,10 +393,12 @@ int check_user(THD *thd, enum enum_server_command command, /* Why logging is performed before all checks've passed? */ mysql_log.write(thd, command, - (sctx->priv_user == sctx->user ? + (thd->main_security_ctx.priv_user == + thd->main_security_ctx.user ? (char*) "%s@%s on %s" : (char*) "%s@%s as anonymous on %s"), - sctx->user, sctx->host_or_ip, + thd->main_security_ctx.user, + thd->main_security_ctx.host_or_ip, db ? db : (char*) ""); /* @@ -398,14 +406,16 @@ int check_user(THD *thd, enum enum_server_command command, set to 0 here because we don't have an active database yet (and we may not have an active database to set. */ - sctx->db_access=0; + thd->main_security_ctx.db_access=0; /* Don't allow user to connect if he has done too many queries */ if ((ur.questions || ur.updates || ur.conn_per_hour || ur.user_conn || max_user_connections) && get_or_create_user_conn(thd, - (opt_old_style_user_limits ? sctx->user : sctx->priv_user), - (opt_old_style_user_limits ? sctx->host_or_ip : sctx->priv_host), + (opt_old_style_user_limits ? thd->main_security_ctx.user : + thd->main_security_ctx.priv_user), + (opt_old_style_user_limits ? thd->main_security_ctx.host_or_ip : + thd->main_security_ctx.priv_host), &ur)) DBUG_RETURN(-1); if (thd->user_connect && @@ -440,12 +450,12 @@ int check_user(THD *thd, enum enum_server_command command, DBUG_RETURN(-1); } net_printf_error(thd, ER_ACCESS_DENIED_ERROR, - sctx->user, - sctx->host_or_ip, + thd->main_security_ctx.user, + thd->main_security_ctx.host_or_ip, passwd_len ? ER(ER_YES) : ER(ER_NO)); mysql_log.write(thd, COM_CONNECT, ER(ER_ACCESS_DENIED_ERROR), - sctx->user, - sctx->host_or_ip, + thd->main_security_ctx.user, + thd->main_security_ctx.host_or_ip, passwd_len ? ER(ER_YES) : ER(ER_NO)); DBUG_RETURN(-1); #endif /* NO_EMBEDDED_ACCESS_CHECKS */ @@ -765,46 +775,49 @@ static int check_connection(THD *thd) NET *net= &thd->net; ulong pkt_len= 0; char *end; - st_security_context *sctx= thd->security_ctx; DBUG_PRINT("info", ("New connection received on %s", vio_description(net->vio))); - if (!sctx->host) // If TCP/IP connection + if (!thd->main_security_ctx.host) // If TCP/IP connection { char ip[30]; if (vio_peer_addr(net->vio, ip, &thd->peer_port)) return (ER_BAD_HOST_ERROR); - if (!(sctx->ip= my_strdup(ip,MYF(0)))) + if (!(thd->main_security_ctx.ip= my_strdup(ip,MYF(0)))) return (ER_OUT_OF_RESOURCES); - sctx->host_or_ip= sctx->ip; + thd->main_security_ctx.host_or_ip= thd->main_security_ctx.ip; vio_in_addr(net->vio,&thd->remote.sin_addr); if (!(specialflag & SPECIAL_NO_RESOLVE)) { vio_in_addr(net->vio,&thd->remote.sin_addr); - sctx->host=ip_to_hostname(&thd->remote.sin_addr,&connect_errors); + thd->main_security_ctx.host= + ip_to_hostname(&thd->remote.sin_addr, &connect_errors); /* Cut very long hostnames to avoid possible overflows */ - if (sctx->host) + if (thd->main_security_ctx.host) { - if (sctx->host != my_localhost) - sctx->host[min(strlen(sctx->host), HOSTNAME_LENGTH)]= 0; - sctx->host_or_ip= sctx->host; + if (thd->main_security_ctx.host != my_localhost) + thd->main_security_ctx.host[min(strlen(thd->main_security_ctx.host), + HOSTNAME_LENGTH)]= 0; + thd->main_security_ctx.host_or_ip= thd->main_security_ctx.host; } if (connect_errors > max_connect_errors) return(ER_HOST_IS_BLOCKED); } DBUG_PRINT("info",("Host: %s ip: %s", - sctx->host ? sctx->host : "unknown host", - sctx->ip ? sctx->ip : "unknown ip")); - if (acl_check_host(sctx->host, sctx->ip)) + (thd->main_security_ctx.host ? + thd->main_security_ctx.host : "unknown host"), + (thd->main_security_ctx.ip ? + thd->main_security_ctx.ip : "unknown ip"))); + if (acl_check_host(thd->main_security_ctx.host, thd->main_security_ctx.ip)) return(ER_HOST_NOT_PRIVILEGED); } else /* Hostname given means that the connection was on a socket */ { - DBUG_PRINT("info",("Host: %s", sctx->host)); - sctx->host_or_ip= sctx->host; - sctx->ip= 0; + DBUG_PRINT("info",("Host: %s", thd->main_security_ctx.host)); + thd->main_security_ctx.host_or_ip= thd->main_security_ctx.host; + thd->main_security_ctx.ip= 0; /* Reset sin_addr */ bzero((char*) &thd->remote, sizeof(thd->remote)); } @@ -987,9 +1000,9 @@ static int check_connection(THD *thd) thd->charset(), &dummy_errors)]= '\0'; user= user_buff; - if (sctx->user) - x_free(sctx->user); - if (!(sctx->user= my_strdup(user, MYF(0)))) + if (thd->main_security_ctx.user) + x_free(thd->main_security_ctx.user); + if (!(thd->main_security_ctx.user= my_strdup(user, MYF(0)))) return (ER_OUT_OF_RESOURCES); return check_user(thd, COM_CONNECT, passwd, passwd_len, db, TRUE); } @@ -1077,7 +1090,7 @@ pthread_handler_decl(handle_one_connection,arg) { int error; NET *net= &thd->net; - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; thd->thread_stack= (char*) &thd; net->no_send_error= 0; @@ -1592,7 +1605,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd, /* Save user and privileges */ uint save_db_length= thd->db_length; char *save_db= thd->db; - st_security_context save_security_ctx= *thd->security_ctx; + Security_context save_security_ctx= *thd->security_ctx; USER_CONN *save_user_connect= thd->user_connect; if (!(thd->security_ctx->user= my_strdup(user, MYF(0)))) @@ -4143,7 +4156,7 @@ end_with_restore_list: else { #ifndef NO_EMBEDDED_ACCESS_CHECKS - st_security_context *save_ctx; + Security_context *save_ctx; #endif ha_rows select_limit; /* bits that should be cleared in thd->server_status */ @@ -4807,7 +4820,7 @@ bool check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv, bool dont_check_global_grants, bool no_errors, bool schema_db) { - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; #ifndef NO_EMBEDDED_ACCESS_CHECKS ulong db_access; bool db_is_pattern= test(want_access & GRANT_ACL); @@ -4838,8 +4851,8 @@ check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv, { if (!no_errors) my_error(ER_DBACCESS_DENIED_ERROR, MYF(0), - thd->security_ctx->priv_user, - thd->security_ctx->priv_host, db_name); + sctx->priv_user, + sctx->priv_host, db_name); DBUG_RETURN(TRUE); } else @@ -5245,7 +5258,7 @@ void mysql_reset_thd_for_next_command(THD *thd) thd->server_status&= ~ (SERVER_MORE_RESULTS_EXISTS | SERVER_QUERY_NO_INDEX_USED | SERVER_QUERY_NO_GOOD_INDEX_USED); - thd->security_ctx= &thd->main_security_ctx; + DBUG_ASSERT(thd->security_ctx== &thd->main_security_ctx); thd->tmp_table_used= 0; if (!thd->in_sub_stmt) { @@ -7396,7 +7409,7 @@ Item *negate_expression(THD *thd, Item *expr) SYNOPSIS default_definer() - thd thread handler + Secytity_context current decurity context definer structure where it should be assigned RETURN @@ -7404,7 +7417,7 @@ Item *negate_expression(THD *thd, Item *expr) TRUE Error */ -bool default_view_definer(st_security_context *sctx, st_lex_user *definer) +bool default_view_definer(Security_context *sctx, st_lex_user *definer) { definer->user.str= sctx->priv_user; definer->user.length= strlen(sctx->priv_user); diff --git a/sql/sql_show.cc b/sql/sql_show.cc index 528876a6bbb..a146a489e91 100644 --- a/sql/sql_show.cc +++ b/sql/sql_show.cc @@ -415,7 +415,7 @@ mysqld_show_create(THD *thd, TABLE_LIST *table_list) bool mysqld_show_create_db(THD *thd, char *dbname, HA_CREATE_INFO *create_info) { - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; int length; char path[FN_REFLEN]; char buff[2048]; @@ -436,7 +436,7 @@ bool mysqld_show_create_db(THD *thd, char *dbname, } #ifndef NO_EMBEDDED_ACCESS_CHECKS - if (test_all_bits(sctx->master_access,DB_ACLS)) + if (test_all_bits(sctx->master_access, DB_ACLS)) db_access=DB_ACLS; else db_access= (acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname, 0) | @@ -1186,7 +1186,7 @@ void mysqld_list_processes(THD *thd,const char *user, bool verbose) THD *tmp; while ((tmp=it++)) { - st_security_context *tmp_sctx= tmp->security_ctx; + Security_context *tmp_sctx= tmp->security_ctx; struct st_my_thread_var *mysys_var; if ((tmp->vio_ok() || tmp->system_thread) && (!user || (tmp_sctx->user && !strcmp(tmp_sctx->user, user)))) @@ -1205,7 +1205,7 @@ void mysqld_list_processes(THD *thd,const char *user, bool verbose) "%s:%u", tmp_sctx->host_or_ip, tmp->peer_port); } else - thd_info->host= thd->strdup(tmp_sctx->host_or_ip); + thd_info->host= thd->strdup(tmp_sctx->host); if ((thd_info->db=tmp->db)) // Safe test thd_info->db=thd->strdup(thd_info->db); thd_info->command=(int) tmp->command; @@ -1257,7 +1257,7 @@ void mysqld_list_processes(THD *thd,const char *user, bool verbose) thread_info *thd_info; #ifndef NO_EMBEDDED_ACCESS_CHECKS - st_security_context *sctx; + Security_context *sctx; #endif time_t now= time(0); while ((thd_info=thread_infos.get())) @@ -1996,7 +1996,7 @@ int get_all_tables(THD *thd, TABLE_LIST *tables, COND *cond) List<char> bases; List_iterator_fast<char> it(bases); COND *partial_cond; - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; uint derived_tables= lex->derived_tables; int error= 1; Open_tables_state open_tables_state_backup; @@ -2201,7 +2201,7 @@ int fill_schema_shemata(THD *thd, TABLE_LIST *tables, COND *cond) bool with_i_schema; HA_CREATE_INFO create; TABLE *table= tables->table; - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; DBUG_ENTER("fill_schema_shemata"); if (make_db_list(thd, &files, &idx_field_vals, diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy index 26f8e0dfbd9..52ac35abc19 100644 --- a/sql/sql_yacc.yy +++ b/sql/sql_yacc.yy @@ -6554,7 +6554,7 @@ show_param: LEX *lex=Lex; lex->sql_command= SQLCOM_SHOW_GRANTS; THD *thd= lex->thd; - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; LEX_USER *curr_user; if (!(curr_user= (LEX_USER*) thd->alloc(sizeof(st_lex_user)))) YYABORT; @@ -7464,7 +7464,7 @@ user: | CURRENT_USER optional_braces { THD *thd= YYTHD; - st_security_context *sctx= thd->security_ctx; + Security_context *sctx= thd->security_ctx; if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user)))) YYABORT; $$->user.str= sctx->priv_user; |