-rw-r--r-- | mysql-test/r/auth_named_pipe.result | 10 | ||||
-rw-r--r-- | mysql-test/t/auth_named_pipe-master.opt | 1 | ||||
-rw-r--r-- | mysql-test/t/auth_named_pipe.test | 23 | ||||
-rw-r--r-- | plugin/auth_pipe/CMakeLists.txt | 18 | ||||
-rw-r--r-- | plugin/auth_pipe/auth_pipe.c | 72 |
5 files changed, 55 insertions, 69 deletions
diff --git a/mysql-test/r/auth_named_pipe.result b/mysql-test/r/auth_named_pipe.result
new file mode 100644
index 00000000000..8de507e1744
--- /dev/null
+++ b/mysql-test/r/auth_named_pipe.result
@@ -0,0 +1,10 @@
+INSTALL SONAME 'auth_named_pipe';
+CREATE USER USERNAME IDENTIFIED WITH named_pipe;
+SELECT USER(),CURRENT_USER();
+USER() CURRENT_USER()
+USERNAME@localhost USERNAME@%
+DROP USER USERNAME;
+CREATE USER nosuchuser IDENTIFIED WITH named_pipe;
+ERROR 28000: Access denied for user 'nosuchuser'@'localhost'
+DROP USER nosuchuser;
+UNINSTALL SONAME 'auth_named_pipe';
diff --git a/mysql-test/t/auth_named_pipe-master.opt b/mysql-test/t/auth_named_pipe-master.opt
new file mode 100644
index 00000000000..e534ae1eae5
--- /dev/null
+++ b/mysql-test/t/auth_named_pipe-master.opt
@@ -0,0 +1 @@
+--loose-enable-named-pipe
diff --git a/mysql-test/t/auth_named_pipe.test b/mysql-test/t/auth_named_pipe.test
new file mode 100644
index 00000000000..5473d628246
--- /dev/null
+++ b/mysql-test/t/auth_named_pipe.test
@@ -0,0 +1,23 @@
+--source include/windows.inc
+
+INSTALL SONAME 'auth_named_pipe';
+
+--replace_result $USERNAME USERNAME
+eval CREATE USER $USERNAME IDENTIFIED WITH named_pipe;
+# Connect using named pipe, correct username
+connect(pipe_con,localhost,$USERNAME,,,,,PIPE);
+--replace_result $USERNAME USERNAME
+SELECT USER(),CURRENT_USER();
+disconnect pipe_con;
+connection default;
+--replace_result $USERNAME USERNAME
+eval DROP USER $USERNAME;
+
+# test invalid user name
+CREATE USER nosuchuser IDENTIFIED WITH named_pipe;
+--disable_query_log
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+connect(pipe_con,localhost,nosuchuser,,,,,PIPE);
+--enable_query_log
+DROP USER nosuchuser;
+UNINSTALL SONAME 'auth_named_pipe';
\ No newline at end of file
diff --git a/plugin/auth_pipe/CMakeLists.txt b/plugin/auth_pipe/CMakeLists.txt
index 0a2eacad264..bbc44d0f5e2 100644
--- a/plugin/auth_pipe/CMakeLists.txt
+++ b/plugin/auth_pipe/CMakeLists.txt
@@ -1,19 +1,3 @@
-# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; version 2 of the
-# License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-
 IF(WIN32)
- MYSQL_ADD_PLUGIN(auth_pipe auth_pipe.c MODULE_ONLY)
+ MYSQL_ADD_PLUGIN(auth_named_pipe auth_pipe.c)
 ENDIF()
diff --git a/plugin/auth_pipe/auth_pipe.c b/plugin/auth_pipe/auth_pipe.c
index 43ae25a9415..20c33c07e84 100644
--- a/plugin/auth_pipe/auth_pipe.c
+++ b/plugin/auth_pipe/auth_pipe.c
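Review bot: In mysql-test/t/auth_named_pipe.test the only negative case is a user name that does not match the pipe client, so the plugin's other rejection path, `if (vio_info.protocol != MYSQL_VIO_PIPE) return CR_ERROR;` in auth_pipe.c, is never exercised. A case that creates a `named_pipe` user matching `$USERNAME` and then connects over TCP, expecting access denied, would pin the property that this plugin never authenticates a non-pipe connection. A mixed-case variant of `$USERNAME` would likewise cover the new case-insensitive comparison.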
@@ -17,44 +17,27 @@ /** @file - auth_pipd authentication plugin. + auth_pipe authentication plugin. - Authentication is successful if the connection is done via a named pip and - the owner of the client process matches the user name that was used when - connecting to mysqld. + Authentication is successful if the connection is done via a named pipe + pipe peer name matches mysql user name */ - #include <mysql/plugin_auth.h> #include <string.h> #include <lmcons.h> - - - /** - perform the named pipeŽbased authentication - - This authentication callback performs a named pipe based authentication - - it gets the uid of the client process and considers the user authenticated - if it uses username of this uid. That is - if the user is already - authenticated to the OS (if she is logged in) - she can use MySQL as herself + This authentication callback obtains user name using named pipe impersonation */ - static int pipe_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) { unsigned char *pkt; - PTOKEN_USER pTokenUser= NULL; - HANDLE hToken; MYSQL_PLUGIN_VIO_INFO vio_info; - DWORD dLength= 0; - int Ret= CR_ERROR; - TCHAR username[UNLEN + 1]; - DWORD username_length= UNLEN + 1; - char domainname[DNLEN + 1]; - DWORD domainsize=DNLEN + 1; - SID_NAME_USE sidnameuse; + char username[UNLEN + 1]; + size_t username_length; + int ret; /* no user name yet ? read the client handshake packet with the user name */ if (info->user_name == 0) 
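Review bot: The rewritten file comment no longer says which identity is compared and reads as a broken sentence (`... via a named pipe pipe peer name matches mysql user name`). The check in the next hunk compares only the bare account name that `GetUserName` returns while impersonating the pipe client, case-insensitively and with no domain or machine qualifier, so same-named accounts from different domains, or a local account, would appear to map to the same MySQL user; administrators should be able to read that from the header. Suggested wording: `Authentication succeeds if the connection uses a named pipe and the Windows account name of the pipe client (without domain, compared case-insensitively) equals the MySQL user name.` pipe_auth starts in this hunk and its body continues in the next one.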
@@ -62,41 +45,26 @@ static int pipe_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) if (vio->read_packet(vio, &pkt) < 0) return CR_ERROR; } - info->password_used= PASSWORD_USED_NO_MENTION; - vio->info(vio, &vio_info); if (vio_info.protocol != MYSQL_VIO_PIPE) return CR_ERROR; - /* get the UID of the client process */ + /* Impersonate the named pipe peer, and retrieve the user name */ if (!ImpersonateNamedPipeClient(vio_info.handle)) return CR_ERROR; - - if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken)) - goto end; - - /* determine length of TokenUser */ - GetTokenInformation(hToken, TokenUser, NULL, 0, &dLength); - if (!dLength) - goto end; - - if (!(pTokenUser= (PTOKEN_USER)LocalAlloc(0, dLength))) - goto end; - - if (!GetTokenInformation(hToken, TokenUser, (PVOID)pTokenUser, dLength, &dLength)) - goto end; - - if (!LookupAccountSid(NULL, pTokenUser->User.Sid, username, &username_length, domainname, &domainsize, &sidnameuse)) - goto end; - Ret= strcmp(username, info->user_name) ? CR_ERROR : CR_OK; -end: - if (pTokenUser) - LocalFree(pTokenUser); + username_length= sizeof(username) - 1; + ret= CR_ERROR; + if (GetUserName(username, &username_length)) + { + /* Always compare names case-insensitive on Windows.*/ + if (_stricmp(username, info->user_name) == 0) + ret= CR_OK; + } RevertToSelf(); - /* now it's simple as that */ - return Ret; + + return ret; } static struct st_mysql_auth pipe_auth_handler= @@ -106,11 +74,11 @@ static struct st_mysql_auth pipe_auth_handler= pipe_auth }; -maria_declare_plugin(socket_auth) +maria_declare_plugin(auth_named_pipe) { MYSQL_AUTHENTICATION_PLUGIN, &pipe_auth_handler, - "windows_pipe", + "named_pipe", "Vladislav Vaintroub, Georg Richter", "Windows named pipe based authentication", PLUGIN_LICENSE_GPL, |
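Review bot: `RevertToSelf();` near the end of pipe_auth still has its return value ignored, so if reverting fails the server thread keeps running under the connecting client's token after the function returns. Check the result and fail the authentication at minimum, e.g. `if (!RevertToSelf()) ret= CR_ERROR;`, and log the failure; Microsoft's guidance for a failed revert is to shut the process down rather than continue in the client's context. Separately, `username_length` is declared `size_t` in the previous hunk while `GetUserName` takes an `LPDWORD`, which on 64-bit builds is a pointer-type mismatch that works only because the low four bytes hold the value; declaring it `DWORD username_length;` removes the mismatch. pipe_auth begins in the previous hunk.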