From cc1646dae821a136c8368ee84954aac9937abdd4 Mon Sep 17 00:00:00 2001 From: Alexey Botchkov Date: Thu, 22 Oct 2020 14:00:17 +0400 Subject: MDEV-19443 server_audit plugin doesn't log proxy users. PROXY_USER event added. --- plugin/server_audit/server_audit.c | 62 +++++++++++++++++++++++++++++++++++++- 1 file changed, 61 insertions(+), 1 deletion(-) (limited to 'plugin') diff --git a/plugin/server_audit/server_audit.c b/plugin/server_audit/server_audit.c index 1061c207a75..a029b426ea1 100644 --- a/plugin/server_audit/server_audit.c +++ b/plugin/server_audit/server_audit.c @@ -15,7 +15,7 @@ #define PLUGIN_VERSION 0x104 -#define PLUGIN_STR_VERSION "1.4.7" +#define PLUGIN_STR_VERSION "1.4.9" #define _my_thread_var loc_thread_var @@ -328,6 +328,10 @@ struct connection_info char query_buffer[1024]; time_t query_time; int log_always; + char proxy[64]; + int proxy_length; + char proxy_host[64]; + int proxy_host_length; }; #define DEFAULT_FILENAME_LEN 16 @@ -1128,9 +1132,13 @@ static void setup_connection_simple(struct connection_info *ci) ci->ip_length= 0; ci->query_length= 0; ci->header= 0; + ci->proxy_length= 0; } +#define MAX_HOSTNAME 61 +#define USERNAME_LENGTH 384 + static void setup_connection_connect(struct connection_info *cn, const struct mysql_event_connection *event) { @@ -1147,6 +1155,29 @@ static void setup_connection_connect(struct connection_info *cn, get_str_n(cn->ip, &cn->ip_length, sizeof(cn->ip), event->ip, event->ip_length); cn->header= 0; + if (event->proxy_user && event->proxy_user[0]) + { + const char *priv_host= event->proxy_user + + sizeof(char[MAX_HOSTNAME+USERNAME_LENGTH+5]); + size_t priv_host_length; + + if (mysql_57_started) + { + priv_host+= sizeof(size_t); + priv_host_length= *(size_t *) (priv_host + MAX_HOSTNAME); + } + else + priv_host_length= strlen(priv_host); + + + get_str_n(cn->proxy, &cn->proxy_length, sizeof(cn->proxy), + event->priv_user, event->priv_user_length); + get_str_n(cn->proxy_host, &cn->proxy_host_length, + sizeof(cn->proxy_host), + priv_host, priv_host_length); + } + else + cn->proxy_length= 0; } @@ -1346,6 +1377,31 @@ static size_t log_header(char *message, size_t message_len, } +static int log_proxy(const struct connection_info *cn, + const struct mysql_event_connection *event) + +{ + time_t ctime; + size_t csize; + char message[1024]; + + (void) time(&ctime); + csize= log_header(message, sizeof(message)-1, &ctime, + servhost, servhost_len, + cn->user, cn->user_length, + cn->host, cn->host_length, + cn->ip, cn->ip_length, + event->thread_id, 0, "PROXY_CONNECT"); + csize+= my_snprintf(message+csize, sizeof(message) - 1 - csize, + ",%.*s,`%.*s`@`%.*s`,%d", cn->db_length, cn->db, + cn->proxy_length, cn->proxy, + cn->proxy_host_length, cn->proxy_host, + event->status); + message[csize]= '\n'; + return write_log(message, csize + 1, 1); +} + + static int log_connection(const struct connection_info *cn, const struct mysql_event_connection *event, const char *type) @@ -2007,9 +2063,13 @@ static void update_connection_info(struct connection_info *cn, { case MYSQL_AUDIT_CONNECTION_CONNECT: setup_connection_connect(cn, event); + if (event->status == 0 && event->proxy_user && event->proxy_user[0]) + log_proxy(cn, event); break; case MYSQL_AUDIT_CONNECTION_CHANGE_USER: *after_action= AA_CHANGE_USER; + if (event->proxy_user && event->proxy_user[0]) + log_proxy(cn, event); break; default:; } -- cgit v1.2.1 From 5a9484b78438775f431601a1fc2b302e01e35882 Mon Sep 17 00:00:00 2001 From: Alexey Botchkov Date: Thu, 22 Oct 2020 14:00:17 +0400 Subject: MDEV-19443 server_audit plugin doesn't log proxy users. PROXY_USER event added. Conflicts: plugin/server_audit/server_audit.c --- plugin/server_audit/server_audit.c | 62 +++++++++++++++++++++++++++++++++++++- 1 file changed, 61 insertions(+), 1 deletion(-) (limited to 'plugin') diff --git a/plugin/server_audit/server_audit.c b/plugin/server_audit/server_audit.c index 4e45b36ec3e..6badbbfedf7 100644 --- a/plugin/server_audit/server_audit.c +++ b/plugin/server_audit/server_audit.c @@ -15,7 +15,7 @@ #define PLUGIN_VERSION 0x104 -#define PLUGIN_STR_VERSION "1.4.8" +#define PLUGIN_STR_VERSION "1.4.10" #define _my_thread_var loc_thread_var @@ -326,6 +326,10 @@ struct connection_info char query_buffer[1024]; time_t query_time; int log_always; + char proxy[64]; + int proxy_length; + char proxy_host[64]; + int proxy_host_length; }; #define DEFAULT_FILENAME_LEN 16 @@ -1130,9 +1134,13 @@ static void setup_connection_simple(struct connection_info *ci) ci->ip_length= 0; ci->query_length= 0; ci->header= 0; + ci->proxy_length= 0; } +#define MAX_HOSTNAME 61 +#define USERNAME_LENGTH 384 + static void setup_connection_connect(struct connection_info *cn, const struct mysql_event_connection *event) { @@ -1149,6 +1157,29 @@ static void setup_connection_connect(struct connection_info *cn, get_str_n(cn->ip, &cn->ip_length, sizeof(cn->ip), event->ip, event->ip_length); cn->header= 0; + if (event->proxy_user && event->proxy_user[0]) + { + const char *priv_host= event->proxy_user + + sizeof(char[MAX_HOSTNAME+USERNAME_LENGTH+5]); + size_t priv_host_length; + + if (mysql_57_started) + { + priv_host+= sizeof(size_t); + priv_host_length= *(size_t *) (priv_host + MAX_HOSTNAME); + } + else + priv_host_length= strlen(priv_host); + + + get_str_n(cn->proxy, &cn->proxy_length, sizeof(cn->proxy), + event->priv_user, event->priv_user_length); + get_str_n(cn->proxy_host, &cn->proxy_host_length, + sizeof(cn->proxy_host), + priv_host, priv_host_length); + } + else + cn->proxy_length= 0; } @@ -1348,6 +1379,31 @@ static size_t log_header(char *message, size_t message_len, } +static int log_proxy(const struct connection_info *cn, + const struct mysql_event_connection *event) + +{ + time_t ctime; + size_t csize; + char message[1024]; + + (void) time(&ctime); + csize= log_header(message, sizeof(message)-1, &ctime, + servhost, servhost_len, + cn->user, cn->user_length, + cn->host, cn->host_length, + cn->ip, cn->ip_length, + event->thread_id, 0, "PROXY_CONNECT"); + csize+= my_snprintf(message+csize, sizeof(message) - 1 - csize, + ",%.*s,`%.*s`@`%.*s`,%d", cn->db_length, cn->db, + cn->proxy_length, cn->proxy, + cn->proxy_host_length, cn->proxy_host, + event->status); + message[csize]= '\n'; + return write_log(message, csize + 1, 1); +} + + static int log_connection(const struct connection_info *cn, const struct mysql_event_connection *event, const char *type) @@ -2009,9 +2065,13 @@ static void update_connection_info(struct connection_info *cn, { case MYSQL_AUDIT_CONNECTION_CONNECT: setup_connection_connect(cn, event); + if (event->status == 0 && event->proxy_user && event->proxy_user[0]) + log_proxy(cn, event); break; case MYSQL_AUDIT_CONNECTION_CHANGE_USER: *after_action= AA_CHANGE_USER; + if (event->proxy_user && event->proxy_user[0]) + log_proxy(cn, event); break; default:; } -- cgit v1.2.1 From 6dc14453c5b72920575116ec3c836c1647f05873 Mon Sep 17 00:00:00 2001 From: Dmitry Shulga Date: Fri, 23 Oct 2020 17:18:39 +0700 Subject: MDEV-23926: Fix warnings generated during compilation of plugin/auth_pam/mapper/pam_user_map.c on MacOS Compiler warnings like one listed below are generated during server build on MacOS: [88%] Building C object plugin/auth_pam/CMakeFiles/pam_user_map.dir/mapper/pam_user_map.c.o mariadb/server-10.2/plugin/auth_pam/mapper/pam_user_map.c:87:41: error: passing 'gid_t *' (aka 'unsigned int *') to parameter of type 'int *' converts between pointers to integer types with different sign [-Werror,-Wpointer-sign] if (getgrouplist(user, user_group_id, loc_groups, &ng) < 0) ^~~~~~~~~~ /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk/usr/include/unistd.h:650:43: note: passing argument to parameter here int getgrouplist(const char *, int, int *, int *); ^ In case MariaDB server is build with -DCMAKE_BUILD_TYPE=Debug it results in build error. The reason of compiler warnings is that declaration of the Posix C API function getgrouplist() on MacOS differs from declaration of getgrouplist() proposed by Posix. To suppress this compiler warning cmake configure was adapted to detect what kind of getgrouplist() function is declared on the build platform and set the macros HAVE_POSIX_GETGROUPLIST in case the building platform supports Posix compatible interface for the getgrouplist() function. Depending on whether this macros is set the compatible type of arguments is used to pass parameter values to the function. --- plugin/auth_pam/CMakeLists.txt | 26 ++++++++++++++++++++++++++ plugin/auth_pam/mapper/pam_user_map.c | 30 +++++++++++++++++++----------- 2 files changed, 45 insertions(+), 11 deletions(-) (limited to 'plugin') diff --git a/plugin/auth_pam/CMakeLists.txt b/plugin/auth_pam/CMakeLists.txt index ac598e4ffa6..fce9b8cf8a6 100644 --- a/plugin/auth_pam/CMakeLists.txt +++ b/plugin/auth_pam/CMakeLists.txt @@ -5,6 +5,30 @@ CHECK_INCLUDE_FILES (security/pam_ext.h HAVE_PAM_EXT_H) CHECK_INCLUDE_FILES (security/pam_appl.h HAVE_PAM_APPL_H) CHECK_FUNCTION_EXISTS (strndup HAVE_STRNDUP) +INCLUDE_DIRECTORIES(${CMAKE_CURRENT_BINARY_DIR}) + +# Check whether getgrouplist uses git_t for second and third arguments. +SET(CMAKE_REQUIRED_FLAGS -Werror) +CHECK_C_SOURCE_COMPILES( +" +#ifdef HAVE_GRP_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif +int main() { + char *arg_1; + gid_t arg_2, arg_3; + int arg_4; + (void)getgrouplist(arg_1,arg_2,&arg_3,arg_4); + return 0; +} +" +HAVE_POSIX_GETGROUPLIST +) +SET(CMAKE_REQUIRED_FLAGS) + SET(CMAKE_REQUIRED_LIBRARIES pam) CHECK_FUNCTION_EXISTS(pam_syslog HAVE_PAM_SYSLOG) SET(CMAKE_REQUIRED_LIBRARIES) @@ -36,3 +60,5 @@ IF(HAVE_PAM_APPL_H) ENDIF() ENDIF(HAVE_PAM_APPL_H) +CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/config.h.cmake + ${CMAKE_CURRENT_BINARY_DIR}/config_auth_pam.h) diff --git a/plugin/auth_pam/mapper/pam_user_map.c b/plugin/auth_pam/mapper/pam_user_map.c index 9d7ed53f8b1..fa8d9ae08c1 100644 --- a/plugin/auth_pam/mapper/pam_user_map.c +++ b/plugin/auth_pam/mapper/pam_user_map.c @@ -31,6 +31,7 @@ These comments are written to the syslog as 'authpriv.debug' and usually end up in /var/log/secure file. */ +#include #include #include #include @@ -70,10 +71,16 @@ pam_syslog (const pam_handle_t *pamh, int priority, #define GROUP_BUFFER_SIZE 100 static const char debug_keyword[]= "debug"; -static int populate_user_groups(const char *user, gid_t **groups) +#ifdef HAVE_POSIX_GETGROUPLIST +typedef gid_t my_gid_t; +#else +typedef int my_gid_t; +#endif + +static int populate_user_groups(const char *user, my_gid_t **groups) { - gid_t user_group_id; - gid_t *loc_groups= *groups; + my_gid_t user_group_id; + my_gid_t *loc_groups= *groups; int ng; { @@ -88,22 +95,23 @@ static int populate_user_groups(const char *user, gid_t **groups) { /* The rare case when the user is present in more than */ /* GROUP_BUFFER_SIZE groups. */ - loc_groups= (gid_t *) malloc(ng * sizeof (gid_t)); + loc_groups= (my_gid_t *) malloc(ng * sizeof (my_gid_t)); + if (!loc_groups) return 0; (void) getgrouplist(user, user_group_id, loc_groups, &ng); - *groups= loc_groups; + *groups= (my_gid_t*)loc_groups; } return ng; } -static int user_in_group(const gid_t *user_groups, int ng,const char *group) +static int user_in_group(const my_gid_t *user_groups, int ng,const char *group) { - gid_t group_id; - const gid_t *groups_end = user_groups + ng; + my_gid_t group_id; + const my_gid_t *groups_end = user_groups + ng; { struct group *g= getgrnam(group); @@ -122,7 +130,7 @@ static int user_in_group(const gid_t *user_groups, int ng,const char *group) } -static void print_groups(pam_handle_t *pamh, const gid_t *user_groups, int ng) +static void print_groups(pam_handle_t *pamh, const my_gid_t *user_groups, int ng) { char buf[256]; char *c_buf= buf, *buf_end= buf+sizeof(buf)-2; @@ -158,8 +166,8 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, const char *username; char buf[256]; FILE *f; - gid_t group_buffer[GROUP_BUFFER_SIZE]; - gid_t *groups= group_buffer; + my_gid_t group_buffer[GROUP_BUFFER_SIZE]; + my_gid_t *groups= group_buffer; int n_groups= -1; for (; argc > 0; argc--) -- cgit v1.2.1 From 5e7cde41e028eee19d7844c320415057afabaaac Mon Sep 17 00:00:00 2001 From: Dmitry Shulga Date: Fri, 23 Oct 2020 17:21:10 +0700 Subject: MDEV-23926: Follow-up patch to cleanup plugin/auth_pam/CMakeLists.txt code This patch moves definitions of macros variables HAVE_PAM_SYSLOG, HAVE_PAM_EXT_H, HAVE_PAM_APPL_H, HAVE_STRNDUP from command line (in the form -Dmacros) to the auto-generated header file config_auth_pam.h --- plugin/auth_pam/CMakeLists.txt | 12 ------------ plugin/auth_pam/auth_pam.c | 1 + 2 files changed, 1 insertion(+), 12 deletions(-) (limited to 'plugin') diff --git a/plugin/auth_pam/CMakeLists.txt b/plugin/auth_pam/CMakeLists.txt index fce9b8cf8a6..d3b3c256527 100644 --- a/plugin/auth_pam/CMakeLists.txt +++ b/plugin/auth_pam/CMakeLists.txt @@ -33,19 +33,7 @@ SET(CMAKE_REQUIRED_LIBRARIES pam) CHECK_FUNCTION_EXISTS(pam_syslog HAVE_PAM_SYSLOG) SET(CMAKE_REQUIRED_LIBRARIES) -IF(HAVE_PAM_SYSLOG) - ADD_DEFINITIONS(-DHAVE_PAM_SYSLOG) -ENDIF() - -IF(HAVE_PAM_EXT_H) - ADD_DEFINITIONS(-DHAVE_PAM_EXT_H) -ENDIF() - IF(HAVE_PAM_APPL_H) - ADD_DEFINITIONS(-DHAVE_PAM_APPL_H) - IF(HAVE_STRNDUP) - ADD_DEFINITIONS(-DHAVE_STRNDUP) - ENDIF(HAVE_STRNDUP) FIND_LIBRARY(PAM_LIBRARY pam) # for srpm build-depends detection MYSQL_ADD_PLUGIN(auth_pam auth_pam.c LINK_LIBRARIES pam MODULE_ONLY) diff --git a/plugin/auth_pam/auth_pam.c b/plugin/auth_pam/auth_pam.c index fae73aea690..c80ec51b48d 100644 --- a/plugin/auth_pam/auth_pam.c +++ b/plugin/auth_pam/auth_pam.c @@ -16,6 +16,7 @@ #define _GNU_SOURCE 1 /* for strndup */ +#include #include #include #include -- cgit v1.2.1 From 1a70c2c73a7c461cc2492db7f13c9d575330a2f4 Mon Sep 17 00:00:00 2001 From: Dmitry Shulga Date: Fri, 23 Oct 2020 18:10:16 +0700 Subject: MDEV-23926: Follow-up patch to add missed file plugin/auth_pam/config.h.cmake --- plugin/auth_pam/config.h.cmake | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 plugin/auth_pam/config.h.cmake (limited to 'plugin') diff --git a/plugin/auth_pam/config.h.cmake b/plugin/auth_pam/config.h.cmake new file mode 100644 index 00000000000..2a60e99d52c --- /dev/null +++ b/plugin/auth_pam/config.h.cmake @@ -0,0 +1,5 @@ +#cmakedefine HAVE_POSIX_GETGROUPLIST 1 +#cmakedefine HAVE_PAM_SYSLOG 1 +#cmakedefine HAVE_PAM_EXT_H 1 +#cmakedefine HAVE_PAM_APPL_H 1 +#cmakedefine HAVE_STRNDUP 1 -- cgit v1.2.1 From 79f6f0c4fcd5a79fe776a6c089e14c65a04a81bf Mon Sep 17 00:00:00 2001 From: Dmitry Shulga Date: Fri, 23 Oct 2020 18:42:26 +0700 Subject: MDEV-23564: CMAKE failing due to deprecated Apple GSS method Some GSS-API functions like gss_import_name(), gss_release_buffer() used in plugin/auth_gssapi and libmariadb/plugins/auth are marked as deprecated in MacOS starting from version 10.14+. It results in extra warnings output on server building. To eliminate extra warnings the flag '-Wno-deprecated-declarations' has been added to compiler invocation string for those source files that invoke deprecated GSS-API functions. --- plugin/auth_gssapi/CMakeLists.txt | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'plugin') diff --git a/plugin/auth_gssapi/CMakeLists.txt b/plugin/auth_gssapi/CMakeLists.txt index bca4f5af3a1..4d3718dd471 100644 --- a/plugin/auth_gssapi/CMakeLists.txt +++ b/plugin/auth_gssapi/CMakeLists.txt @@ -18,6 +18,11 @@ ELSE() SET(GSSAPI_SERVER gssapi_server.cc) SET(GSSAPI_ERRMSG gssapi_errmsg.cc) + IF(APPLE) + SET_SOURCE_FILES_PROPERTIES( + ${GSSAPI_CLIENT} ${GSSAPI_SERVER} ${GSSAPI_ERRMSG} + PROPERTY COMPILE_FLAGS "-Wno-deprecated-declarations") + ENDIF() SET(CMAKE_REQUIRED_INCLUDES ${GSSAPI_INCS}) SET(CMAKE_REQUIRED_LIBRARIES ${GSSAPI_LIBS}) INCLUDE(CheckCXXSymbolExists) -- cgit v1.2.1 From 58da04b26122b61c960cbd5130bd638b32e66f01 Mon Sep 17 00:00:00 2001 From: Dmitry Shulga Date: Fri, 23 Oct 2020 19:15:22 +0700 Subject: MDEV-23926: Follow-up patch This patch fixes incorrect argument type passed to the last parameter of getgrouplist() in cmake macros CHECK_C_SOURCE_COMPILES() --- plugin/auth_pam/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugin') diff --git a/plugin/auth_pam/CMakeLists.txt b/plugin/auth_pam/CMakeLists.txt index d3b3c256527..e06859ae9b7 100644 --- a/plugin/auth_pam/CMakeLists.txt +++ b/plugin/auth_pam/CMakeLists.txt @@ -21,7 +21,7 @@ int main() { char *arg_1; gid_t arg_2, arg_3; int arg_4; - (void)getgrouplist(arg_1,arg_2,&arg_3,arg_4); + (void)getgrouplist(arg_1,arg_2,&arg_3,&arg_4); return 0; } " -- cgit v1.2.1 From 4654501e00947422710b949832d1b9ff8a7a40a5 Mon Sep 17 00:00:00 2001 From: Dmitry Shulga Date: Fri, 23 Oct 2020 20:01:50 +0700 Subject: MDEV-23926: Follow-up patch This patch removes unnecessary #ifdefs in cmake macros CHECK_C_SOURCE_COMPILES. --- plugin/auth_pam/CMakeLists.txt | 4 ---- 1 file changed, 4 deletions(-) (limited to 'plugin') diff --git a/plugin/auth_pam/CMakeLists.txt b/plugin/auth_pam/CMakeLists.txt index e06859ae9b7..dbb4701fbc4 100644 --- a/plugin/auth_pam/CMakeLists.txt +++ b/plugin/auth_pam/CMakeLists.txt @@ -11,12 +11,8 @@ INCLUDE_DIRECTORIES(${CMAKE_CURRENT_BINARY_DIR}) SET(CMAKE_REQUIRED_FLAGS -Werror) CHECK_C_SOURCE_COMPILES( " -#ifdef HAVE_GRP_H #include -#endif -#ifdef HAVE_UNISTD_H #include -#endif int main() { char *arg_1; gid_t arg_2, arg_3; -- cgit v1.2.1 From 045671d473609fe1947b1ce7775c4aa2e1a6269b Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 24 Oct 2020 17:58:19 +1100 Subject: MDEV-23539: aws key plugin - fails to build Recent gcc/clang versions failed to compile the existing code. Updating a later upstream SDK version was simple and required only implementing a flush method. This was left blank as there was no strong requirement to keep the error log atomic or durable. Reviewed-by: wlad@mariadb.com The upstream SDK version added a flush method which was simple to complete. --- plugin/aws_key_management/aws_key_management_plugin.cc | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'plugin') diff --git a/plugin/aws_key_management/aws_key_management_plugin.cc b/plugin/aws_key_management/aws_key_management_plugin.cc index 489dd375387..e2182336aa6 100644 --- a/plugin/aws_key_management/aws_key_management_plugin.cc +++ b/plugin/aws_key_management/aws_key_management_plugin.cc @@ -161,6 +161,10 @@ public: { } + virtual void Flush(void) override + { + } + protected: virtual void ProcessFormattedStatement(Aws::String&& statement) override { -- cgit v1.2.1