From: Date: September 4 2008 4:12pm Subject: bzr commit into mysql-5.1 branch (mats:2732) Bug#39106 List-Archive: http://lists.mysql.com/commits/53265 X-Bug: 39106 Message-Id: <20080904141253.F3BA05BE4D@mats-laptop> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit #At file:///home/bzr/bugs/b39106-5.1-bugteam/ 2732 Mats Kindahl 2008-09-04 Bug #39106: SUPER is not required to change binlog format for session A user without SUPER privileges can change the value of the session variable BINLOG_FORMAT, causing problems for a DBA. This changeset requires a user to have SUPER privileges to change the value of the session variable BINLOG_FORMAT, and not only the global variable BINLOG_FORMAT. added: mysql-test/suite/binlog/r/binlog_grant.result mysql-test/suite/binlog/t/binlog_grant.test modified: sql/set_var.cc sql/set_var.h per-file messages: mysql-test/suite/binlog/t/binlog_grant.test Adding test to test grants needed for SQL_LOG_BIN and BINLOG_FORMAT. sql/set_var.cc Adding code to check that user has SUPER permission needed to change the value of BINLOG_FORMAT. sql/set_var.h Adding function sys_var_thd_binlog_format::check()
=== added file 'mysql-test/suite/binlog/r/binlog_grant.result'
--- a/mysql-test/suite/binlog/r/binlog_grant.result 1970-01-01 00:00:00 +0000
+++ b/mysql-test/suite/binlog/r/binlog_grant.result 2008-09-04 14:12:43 +0000
@@ -0,0 +1,28 @@
+reset master;
+set @saved_binlog_format = @@global.binlog_format;
+create user mysqltest_1@localhost;
+show grants for mysqltest_1@localhost;
+Grants for mysqltest_1@localhost
+GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost'
+**** Variable SQL_LOG_BIN ****
+[root]
+set global sql_log_bin = 1;
+ERROR HY000: Variable 'sql_log_bin' is a SESSION variable and can't be used with SET GLOBAL
+set session sql_log_bin = 1;
+[plain]
+set global sql_log_bin = 1;
+ERROR HY000: Variable 'sql_log_bin' is a SESSION variable and can't be used with SET GLOBAL
+set session sql_log_bin = 1;
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
+**** Variable BINLOG_FORMAT ****
+[root]
+set global binlog_format = row;
+set session binlog_format = row;
+[plain]
+set global binlog_format = row;
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
+set session binlog_format = row;
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
+**** Clean up ****
+set global binlog_format = @saved_binlog_format;
+drop user mysqltest_1@localhost;
=== added file 'mysql-test/suite/binlog/t/binlog_grant.test'
--- a/mysql-test/suite/binlog/t/binlog_grant.test 1970-01-01 00:00:00 +0000
+++ b/mysql-test/suite/binlog/t/binlog_grant.test 2008-09-04 14:12:43 +0000
@@ -0,0 +1,60 @@
+# Test grants for various objects (especially variables) related to
+# the binary log
+
+source include/have_log_bin.inc;
+
+connection default;
+--disable_warnings
+reset master;
+--enable_warnings
+
+set @saved_binlog_format = @@global.binlog_format;
+create user mysqltest_1@localhost;
+show grants for mysqltest_1@localhost;
+
+connect (plain,localhost,mysqltest_1,,test);
+connect (root,localhost,root,,test);
+
+# Testing setting both session and global SQL_LOG_BIN variable both as
+# root and as plain user.
+
+--echo **** Variable SQL_LOG_BIN ****
+
+connection root;
+--echo [root]
+--error ER_LOCAL_VARIABLE
+set global sql_log_bin = 1;
+set session sql_log_bin = 1;
+
+connection plain;
+--echo [plain]
+--error ER_LOCAL_VARIABLE
+set global sql_log_bin = 1;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+set session sql_log_bin = 1;
+
+
+# Testing setting both session and global BINLOG_FORMAT variable both
+# as root and as plain user.
+
+--echo **** Variable BINLOG_FORMAT ****
+
+connection root;
+--echo [root]
+set global binlog_format = row;
+set session binlog_format = row;
+
+connection plain;
+--echo [plain]
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+set global binlog_format = row;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+set session binlog_format = row;
+
+--echo **** Clean up ****
+disconnect plain;
+disconnect root;
+
+connection default;
+set global binlog_format = @saved_binlog_format;
+drop user mysqltest_1@localhost;
=== modified file 'sql/set_var.cc'
--- a/sql/set_var.cc 2008-08-25 12:44:05 +0000
+++ b/sql/set_var.cc 2008-09-04 14:12:43 +0000
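Review bot: The [plain] BINLOG_FORMAT section of binlog_grant.test only asserts that `set session binlog_format = row;` fails with ER_SPECIFIC_ACCESS_DENIED_ERROR; it never reads the variable back, so a regression that reports the error after the session value has already changed would still pass. Capturing `@@session.binlog_format` on the plain connection before the denied statement and comparing it afterwards would pin the property the fix is meant to guarantee. The test also exercises only a literal value; whether the `= default` form reaches the new check() is not visible on this page, so adding `--error ER_SPECIFIC_ACCESS_DENIED_ERROR` followed by `set session binlog_format = default;` would confirm that path is covered too.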
@@ -1162,6 +1162,21 @@ void fix_slave_exec_mode(enum_var_type t bit_do_set(slave_exec_mode_options, SLAVE_EXEC_MODE_STRICT); } + +bool sys_var_thd_binlog_format::check(THD *thd, set_var *var) { + /* + All variables that affect writing to binary log (either format or + turning logging on and off) use the same checking. We call the + superclass ::check function to assign the variable correctly, and + then check the value. + */ + bool result= sys_var_thd_enum::check(thd, var); + if (!result) + result= check_log_update(thd, var); + return result; +} + + bool sys_var_thd_binlog_format::is_readonly() const { /* === modified file 'sql/set_var.h' --- a/sql/set_var.h 2008-05-20 07:38:17 +0000 +++ b/sql/set_var.h 2008-09-04 14:12:43 +0000 @@ -1126,6 +1126,7 @@ public: &binlog_format_typelib, fix_binlog_format_after_update) {}; + bool check(THD *thd, set_var *var); bool is_readonly() const; };
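Review bot: The comment inside the new sys_var_thd_binlog_format::check() says the code calls the superclass check and will "then check the value", but the second call is check_log_update(), which per the commit message is what enforces the SUPER requirement, so the comment never names the access control it documents. I would reword it along the lines of `/* Validate the value via the superclass check, then require SUPER through check_log_update(), as for the other variables that affect binary logging. */`. check_log_update() is defined outside this hunk, so the privilege it tests is inferred from the commit message and the expected test output rather than from visible code. If it does not depend on the converted value, running it first would reject an unprivileged session before any value handling, e.g. `return check_log_update(thd, var) || sys_var_thd_enum::check(thd, var);`.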