#At file:///home/kgeorge/mysql/work/B43748-5.0-pe-stage/ based on revid:zhou.li@stripped
2771 Georgi Kodinov 2009-03-25
Bug#43748: crash when non-super user tries to kill the replication threads
(Pushing for Azundris)
We allow security-contexts with NULL users (for
system-threads and for unauthenticated users).
If a non-SUPER-user tried to KILL such a thread,
we tried to compare the user-fields to see whether
they owned that thread. Comparing against NULL was
not a good idea.
If KILLer does not have SUPER-privilege, we
specifically check whether both KILLer and KILLee
have a non-NULL user before testing for string-
equality. If either is NULL, we reject the KILL.
@ mysql-test/r/rpl_temporary.result
Try to have a non-SUPER user KILL a system thread.
@ mysql-test/t/rpl_temporary.test
Try to have a non-SUPER user KILL a system thread.
@ sql/sql_parse.cc
Make sure security contexts of both KILLer *and*
KILLee are non-NULL before testing for string-equality!
modified:
mysql-test/r/rpl_temporary.result
mysql-test/t/rpl_temporary.test
sql/sql_parse.cc
=== modified file 'mysql-test/r/rpl_temporary.result'
--- a/mysql-test/r/rpl_temporary.result 2007-02-26 08:16:22 +0000
+++ b/mysql-test/r/rpl_temporary.result 2009-03-25 13:37:21 +0000
@@ -4,6 +4,24 @@ reset master;
reset slave;
drop table if exists t1,t2,t3,t4,t5,t6,t7,t8,t9;
start slave;
+FLUSH PRIVILEGES;
+drop table if exists t999;
+create temporary table t999(
+id int,
+user char(255),
+host char(255),
+db char(255),
+Command char(255),
+time int,
+State char(255),
+info char(255)
+);
+LOAD DATA INFILE "./tmp/bl_dump_thread_id" into table t999;
+drop table t999;
+GRANT USAGE ON *.* TO user43748@localhost;
+KILL `select id from information_schema.processlist where command='Binlog Dump'`;
+ERROR HY000: You are not owner of thread `select id from information_schema.processlist where command='Binlog Dump'`
+DROP USER user43748@localhost;
reset master;
SET @save_select_limit=@@session.sql_select_limit;
SET @@session.sql_select_limit=10, @@session.pseudo_thread_id=100;
=== modified file 'mysql-test/t/rpl_temporary.test'
--- a/mysql-test/t/rpl_temporary.test 2008-03-07 19:14:28 +0000
+++ b/mysql-test/t/rpl_temporary.test 2009-03-25 13:37:21 +0000
@@ -3,6 +3,42 @@ source include/add_anonymous_users.inc;
source include/master-slave.inc;
+#
+# Bug#43748: crash when non-super user tries to kill the replication threads
+#
+
+--connection master
+save_master_pos;
+
+--connection slave
+sync_with_master;
+
+--connection slave
+FLUSH PRIVILEGES;
+
+# in 5.0, we need to do some hocus pocus to get a system-thread ID (-> $id)
+--source include/get_binlog_dump_thread_id.inc
+
+# make a non-privileged user on slave. try to KILL system-thread as her.
+GRANT USAGE ON *.* TO user43748@localhost;
+
+--connect (mysqltest_2_con,localhost,user43748,,test,$SLAVE_MYPORT,)
+--connection mysqltest_2_con
+
+--replace_result $id "`select id from information_schema.processlist where command='Binlog Dump'`"
+--error ER_KILL_DENIED_ERROR
+eval KILL $id;
+
+--disconnect mysqltest_2_con
+
+--connection slave
+
+DROP USER user43748@localhost;
+
+--connection master
+
+
+
# Clean up old slave's binlogs.
# The slave is started with --log-slave-updates
# and this test does SHOW BINLOG EVENTS on the slave's
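Review bot: The second `--connection slave` (the one right after `sync_with_master;`) is redundant, since the connection was already switched to slave two lines earlier, and the three empty lines added before `# Clean up old slave's binlogs.` are stray whitespace; drop the duplicate switch and the extra blanks. A one-line comment saying why `FLUSH PRIVILEGES;` is needed before the `GRANT` would also help the next reader, as nothing in the hunk explains it. The `--error ER_KILL_DENIED_ERROR` expectation is the right way to pin the fixed behaviour, so the test itself reads fine otherwise.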
=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc 2009-03-19 13:44:58 +0000
+++ b/sql/sql_parse.cc 2009-03-25 13:37:21 +0000
@@ -7386,8 +7386,27 @@ void kill_one_thread(THD *thd, ulong id,
VOID(pthread_mutex_unlock(&LOCK_thread_count));
if (tmp)
{
+
+ /*
+ If we're SUPER, we can KILL anything, including system-threads.
+ No further checks.
+
+ thd..user could in theory be NULL while we're still in
+ "unauthenticated" state. This is more a theoretical case.
+
+ tmp..user will be NULL for system threads (cf Bug#43748).
+ We need to check so Jane Random User doesn't crash the server
+ when trying to kill a) system threads or b) unauthenticated
+ users' threads.
+
+ If user of both killer and killee are non-null, proceed with
+ slayage if both are string-equal.
+ */
+
if ((thd->security_ctx->master_access & SUPER_ACL) ||
- !strcmp(thd->security_ctx->user, tmp->security_ctx->user))
+ ((thd->security_ctx->user != NULL) &&
+ (tmp->security_ctx->user != NULL) &&
+ !strcmp(thd->security_ctx->user, tmp->security_ctx->user)))
{
tmp->awake(only_kill_query ? THD::KILL_QUERY : THD::KILL_CONNECTION);
error=0;
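Review bot: The ownership test in the new `if` is a three-term conjunction on `security_ctx->user` that is hard to read inline, and the comment above it refers to `thd..user` and `tmp..user` where the actual fields are `thd->security_ctx->user` and `tmp->security_ctx->user`. I would move the predicate into a small helper, e.g. `static bool same_user(const Security_context *a, const Security_context *b) { return a->user && b->user && !strcmp(a->user, b->user); }`, call it as the second operand of the `||`, and trim the comment to the two facts it needs: `user` is NULL for system threads and for sessions still in the unauthenticated state, and a non-SUPER killer may only kill threads whose user is non-NULL and string-equal to its own. The comparison still matches on the user name alone, so two accounts sharing a user name but differing in host can kill each other's threads; that predates this commit, but it is worth stating in the comment so the contract is explicit. kill_one_thread begins above the hunk, so whether a lock still protects `tmp` while its security_ctx is read after `LOCK_thread_count` is released is not visible here.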
Attachment: [text/bzr-bundle] bzr/joro@sun.com-20090325133721-5dffhimo83w4m7cx.bundle