From:Tatiana A. Nurnberg Date:March 25 2009 4:43pm
Subject:bzr commit into mysql-5.1-bugteam branch (azundris:2842) Bug#43748
#At file:///misc/mysql/forest/mysql-5.1-pe-stage/ based on revid:aelkin@stripped

 2842 Tatiana A. Nurnberg	2009-03-25 [merge]
      Bug#43748: crash when non-super user tries to kill the replication threads
      
      manual merge. also adds test specific to 5.1+
     @ mysql-test/suite/rpl/r/rpl_temporary.result
        show that a non-privileged user trying to
        kill system-threads no longer crashes the
        server. test in 5.1+ only.
     @ mysql-test/suite/rpl/t/rpl_temporary.test
        show that a non-privileged user trying to
        kill system-threads no longer crashes the
        server. test in 5.1+ only.
     @ sql/sql_class.cc
        manual merge
     @ sql/sql_class.h
        manual merge
     @ sql/sql_parse.cc
        manual merge

    modified:
      mysql-test/suite/rpl/r/rpl_temporary.result
      mysql-test/suite/rpl/t/rpl_temporary.test
      sql/sql_class.cc
      sql/sql_class.h
      sql/sql_parse.cc
=== modified file 'mysql-test/suite/rpl/r/rpl_temporary.result'
--- a/mysql-test/suite/rpl/r/rpl_temporary.result	2008-10-23 19:27:09 +0000
+++ b/mysql-test/suite/rpl/r/rpl_temporary.result	2009-03-25 16:42:34 +0000
@@ -108,3 +108,13 @@ select * from t1;
 a
 1
 drop table t1;
+Bug#43748
+make a non-privileged user on slave.
+FLUSH PRIVILEGES;
+GRANT USAGE ON *.* TO user43748@stripped IDENTIFIED BY 'meow';
+try to KILL system-thread as non-privileged user.
+KILL `select id from information_schema.processlist where command='Binlog Dump'`;
+ERROR HY000: You are not owner of thread `select id from information_schema.processlist where command='Binlog Dump'`
+throw out test-user on slave.
+DROP USER user43748@stripped;
+done. back to master.

=== modified file 'mysql-test/suite/rpl/t/rpl_temporary.test'
--- a/mysql-test/suite/rpl/t/rpl_temporary.test	2008-10-23 19:27:09 +0000
+++ b/mysql-test/suite/rpl/t/rpl_temporary.test	2009-03-25 16:42:34 +0000
@@ -222,4 +222,42 @@ drop table t1;
 # Delete the anonymous users
 source include/delete_anonymous_users.inc;
 
+
+
+#
+# Bug#43748: crash when non-super user tries to kill the replication threads
+#
+
+--echo Bug#43748
+
+connection slave;
+
+--echo make a non-privileged user on slave.
+
+FLUSH PRIVILEGES;
+GRANT USAGE ON *.* TO user43748@stripped IDENTIFIED BY 'meow';
+
+let $id = `SELECT id FROM information_schema.processlist WHERE user='system user' LIMIT 1`;
+
+connect (cont43748,127.0.0.1,user43748,meow,test,$SLAVE_MYPORT,);
+connection cont43748;
+
+--echo try to KILL system-thread as non-privileged user.
+
+--replace_result $id "`select id from information_schema.processlist where command='Binlog Dump'`"
+--error ER_KILL_DENIED_ERROR
+eval KILL $id;
+
+disconnect cont43748;
+
+connection slave;
+
+--echo throw out test-user on slave.
+DROP USER user43748@stripped;
+
+connection master;
+--echo done. back to master.
+
+
+
 # End of tests
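Review bot: The `--replace_result` line records the target as the `command='Binlog Dump'` thread, but `$id` is actually selected with `user='system user' LIMIT 1` on the slave connection, so the .result file describes a different thread from the one the test kills. A neutral label such as `--replace_result $id "<system thread id>"` (with the .result file regenerated) would keep the recorded output honest about what the privilege check was exercised against. If no system-user thread happens to be running when `$id` is read, `eval KILL $id;` would presumably fail on a syntax error rather than on `ER_KILL_DENIED_ERROR`; checking that `$id` is non-empty before connecting as `user43748` would make that failure self-explanatory. The test covers only the NULL-killee case; the unauthenticated-killer case named in the sql_parse.cc comment is not exercised.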

=== modified file 'sql/sql_class.cc'
--- a/sql/sql_class.cc	2009-03-24 13:58:52 +0000
+++ b/sql/sql_class.cc	2009-03-25 16:42:34 +0000
@@ -2805,6 +2805,14 @@ Security_context::restore_security_conte
 }
 #endif
 
+
+bool Security_context::user_matches(Security_context *them)
+{
+  return ((user != NULL) && (them->user != NULL) &&
+          !strcmp(user, them->user));
+}
+
+
 /****************************************************************************
   Handling of open and locked tables states.
 
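Review bot: `user_matches` only reads both contexts yet is declared non-const with a mutable `Security_context *them`, and it has no header comment although it now carries an authorization decision. Declaring it `bool user_matches(const Security_context *them) const;` (the same change is needed in the sql/sql_class.h hunk) lets callers that hold a const context use it and documents that nothing is modified. The comment should state the contract the caller relies on: a NULL `user` on either side never matches, so system threads and unauthenticated sessions are owned by nobody. `them` itself is dereferenced unchecked; if a THD can ever have a NULL `security_ctx`, that should be guarded or asserted here.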

=== modified file 'sql/sql_class.h'
--- a/sql/sql_class.h	2009-03-19 14:43:01 +0000
+++ b/sql/sql_class.h	2009-03-25 16:42:34 +0000
@@ -813,6 +813,7 @@ public:
   void
   restore_security_context(THD *thd, Security_context *backup);
 #endif
+  bool user_matches(Security_context *);
 };
 
 

=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc	2009-03-24 13:58:52 +0000
+++ b/sql/sql_parse.cc	2009-03-25 16:42:34 +0000
@@ -6890,8 +6890,26 @@ uint kill_one_thread(THD *thd, ulong id,
   VOID(pthread_mutex_unlock(&LOCK_thread_count));
   if (tmp)
   {
+
+    /*
+      If we're SUPER, we can KILL anything, including system-threads.
+      No further checks.
+
+      KILLer: thd->security_ctx->user could in theory be NULL while
+      we're still in "unauthenticated" state. This is a theoretical
+      case (the code suggests this could happen, so we play it safe).
+
+      KILLee: tmp->security_ctx->user will be NULL for system threads.
+      We need to check so Jane Random User doesn't crash the server
+      when trying to kill a) system threads or b) unauthenticated users'
+      threads (Bug#43748).
+
+      If user of both killer and killee are non-NULL, proceed with
+      slayage if both are string-equal.
+    */
+
     if ((thd->security_ctx->master_access & SUPER_ACL) ||
-	!strcmp(thd->security_ctx->user, tmp->security_ctx->user))
+        thd->security_ctx->user_matches(tmp->security_ctx))
     {
       tmp->awake(only_kill_query ? THD::KILL_QUERY : THD::KILL_CONNECTION);
       error=0;
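Review bot: The ownership test before `tmp->awake(...)` still equates killer and killee by login name alone, because `user_matches` compares only `user`. Sessions that share a user name but authenticated as different accounts (different host part) are therefore treated as the same owner. If that is the intended KILL policy, the new block comment should say so, e.g. `Ownership is decided by user name only; host is deliberately not compared.` If it is not intended, the comparison belongs on the matched account (`priv_user`/`priv_host`) rather than on the client-supplied name. `kill_one_thread` begins and ends outside this hunk, so how `tmp` is kept alive after `LOCK_thread_count` is released cannot be judged from here.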


Attachment: [text/bzr-bundle] bzr/azundris@mysql.com-20090325164234-m1kcvlykongvf75d.bundle