From:Georgi Kodinov Date:March 25 2009 1:37pm
Subject:bzr commit into mysql-5.0-bugteam branch (joro:2771) Bug#43748
#At file:///home/kgeorge/mysql/work/B43748-5.0-pe-stage/ based on revid:zhou.li@stripped

 2771 Georgi Kodinov	2009-03-25
      Bug#43748: crash when non-super user tries to kill the replication threads
      
      (Pushing for Azundris)
            
      We allow security-contexts with NULL users (for
      system-threads and for unauthenticated users).
      If a non-SUPER-user tried to KILL such a thread,
      we tried to compare the user-fields to see whether
      they owned that thread. Passing that NULL user through
      strcmp() dereferenced a null pointer and crashed the server.
            
      If KILLer does not have SUPER-privilege, we
      specifically check whether both KILLer and KILLee
      have a non-NULL user before testing for string-
      equality. If either is NULL, we reject the KILL.
     @ mysql-test/r/rpl_temporary.result
        Try to have a non-SUPER user KILL a system thread.
     @ mysql-test/t/rpl_temporary.test
        Try to have a non-SUPER user KILL a system thread.
     @ sql/sql_parse.cc
        Make sure security contexts of both KILLer *and*
                KILLee are non-NULL before testing for string-equality!

    modified:
      mysql-test/r/rpl_temporary.result
      mysql-test/t/rpl_temporary.test
      sql/sql_parse.cc
=== modified file 'mysql-test/r/rpl_temporary.result'
--- a/mysql-test/r/rpl_temporary.result	2007-02-26 08:16:22 +0000
+++ b/mysql-test/r/rpl_temporary.result	2009-03-25 13:37:21 +0000
@@ -4,6 +4,24 @@ reset master;
 reset slave;
 drop table if exists t1,t2,t3,t4,t5,t6,t7,t8,t9;
 start slave;
+FLUSH PRIVILEGES;
+drop table if exists t999;
+create temporary table t999(
+id int,
+user char(255),
+host char(255),
+db char(255),
+Command char(255),
+time int,
+State char(255),
+info char(255)
+);
+LOAD DATA INFILE "./tmp/bl_dump_thread_id" into table t999;
+drop table t999;
+GRANT USAGE ON *.* TO user43748@localhost;
+KILL `select id from information_schema.processlist where command='Binlog Dump'`;
+ERROR HY000: You are not owner of thread `select id from information_schema.processlist where command='Binlog Dump'`
+DROP USER user43748@localhost;
 reset master;
 SET @save_select_limit=@@session.sql_select_limit;
 SET @@session.sql_select_limit=10, @@session.pseudo_thread_id=100;

=== modified file 'mysql-test/t/rpl_temporary.test'
--- a/mysql-test/t/rpl_temporary.test	2008-03-07 19:14:28 +0000
+++ b/mysql-test/t/rpl_temporary.test	2009-03-25 13:37:21 +0000
@@ -3,6 +3,42 @@ source include/add_anonymous_users.inc;
 
 source include/master-slave.inc;
 
+#
+# Bug#43748: crash when non-super user tries to kill the replication threads
+#
+
+--connection master
+save_master_pos;
+
+--connection slave
+sync_with_master;
+
+--connection slave
+FLUSH PRIVILEGES;
+
+# in 5.0, we need to do some hocus pocus to get a system-thread ID (-> $id)
+--source include/get_binlog_dump_thread_id.inc
+
+# make a non-privileged user on slave. try to KILL system-thread as her.
+GRANT USAGE ON *.* TO user43748@localhost;
+
+--connect (mysqltest_2_con,localhost,user43748,,test,$SLAVE_MYPORT,)
+--connection mysqltest_2_con
+
+--replace_result $id "`select id from information_schema.processlist where command='Binlog Dump'`"
+--error ER_KILL_DENIED_ERROR
+eval KILL $id;
+
+--disconnect mysqltest_2_con
+
+--connection slave
+
+DROP USER user43748@localhost;
+
+--connection master
+
+
+
 # Clean up old slave's binlogs.
 # The slave is started with --log-slave-updates
 # and this test does SHOW BINLOG EVENTS on the slave's
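Review bot: The new test only checks that user43748 is denied when KILLing the Binlog Dump thread; it never asserts that the rewritten ownership check still lets a non-SUPER user kill a thread of their own, so a guard that accidentally rejected every non-SUPER KILL would pass this test unchanged. Opening a second connection as user43748, reading its CONNECTION_ID() from the first, and running `eval KILL $own_id;` with no `--error` would cover the positive path, and the unauthenticated-killer case named in the commit message is not exercised either. Masking the id with `--replace_result` is fine, but creating the account implicitly via `GRANT USAGE` presumably depends on NO_AUTO_CREATE_USER not being in the server's sql_mode — confirm against the suite defaults.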

=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc	2009-03-19 13:44:58 +0000
+++ b/sql/sql_parse.cc	2009-03-25 13:37:21 +0000
@@ -7386,8 +7386,27 @@ void kill_one_thread(THD *thd, ulong id,
   VOID(pthread_mutex_unlock(&LOCK_thread_count));
   if (tmp)
   {
+
+    /*
+      If we're SUPER, we can KILL anything, including system-threads.
+      No further checks.
+
+      thd..user could in theory be NULL while we're still in
+      "unauthenticated" state. This is more a theoretical case.
+
+      tmp..user will be NULL for system threads (cf Bug#43748).
+      We need to check so Jane Random User doesn't crash the server
+      when trying to kill a) system threads or b) unauthenticated
+      users' threads.
+
+      If user of both killer and killee are non-null, proceed with
+      slayage if both are string-equal.
+    */
+
     if ((thd->security_ctx->master_access & SUPER_ACL) ||
-	!strcmp(thd->security_ctx->user, tmp->security_ctx->user))
+        ((thd->security_ctx->user != NULL) &&
+         (tmp->security_ctx->user != NULL) &&
+         !strcmp(thd->security_ctx->user, tmp->security_ctx->user)))
     {
       tmp->awake(only_kill_query ? THD::KILL_QUERY : THD::KILL_CONNECTION);
       error=0;
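Review bot: The ownership test in the rewritten condition (lines 137–139) still compares only the bare user-name string, so any non-SUPER connection whose `security_ctx->user` equals the target's passes — including one from a different host that merely shares the name, and, if `user` here is the client-presented name rather than the authenticated account (Security_context carries a separate `priv_user` as far as I recall; confirm), a connection that was matched to an anonymous account while presenting that name, which matters because the companion test sources `include/add_anonymous_users.inc`. The NULL guards remove the crash but leave that pre-existing check as loose as before; comparing the authenticated identity, e.g. `!strcmp(thd->security_ctx->priv_user, tmp->security_ctx->priv_user)` after the same NULL checks, would tie KILL to the account that was actually granted the session. On the comment itself, `thd..user` and `tmp..user` read like typos for `thd->security_ctx->user` / `tmp->security_ctx->user` and are worth spelling out, since the whole point of the block is which field is being compared. The enclosing `kill_one_thread` starts before and ends after this hunk, so the lock held on `tmp` across this check is not visible here.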

