
From:antony Date:March 13 2007 6:58pm
Subject:bk commit into 5.1 tree (acurtis:1.2477) BUG#25671
Below is the list of changes that have just been committed into a local
5.1 repository of antony. When antony does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-03-13 11:58:24-07:00, acurtis@stripped +3 -0
  Bug#25671
    "CREATE/DROP/ALTER SERVER should require privileges"
    Add check for SUPER privilege when executing CREATE/DROP/ALTER SERVER.
    Previously, any user, even one with only the USAGE privilege, could execute those commands.

  mysql-test/r/federated_server.result@stripped, 2007-03-13 11:58:18-07:00, acurtis@stripped +85 -0
    Bug25671 - CREATE/DROP/ALTER SERVER should require privileges

  mysql-test/t/federated_server.test@stripped, 2007-03-13 11:58:18-07:00, acurtis@stripped +127 -0
    Bug25671 - CREATE/DROP/ALTER SERVER should require privileges

  sql/sql_parse.cc@stripped, 2007-03-13 11:58:18-07:00, acurtis@stripped +12 -0
    Bug25671 - CREATE/DROP/ALTER SERVER should require privileges
      Add check for SUPER privilege when executing CREATE/DROP/ALTER SERVER

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	acurtis
# Host:	ltamd64.xiphis.org
# Root:	/home/antony/work2/p1-bug25671.3

--- 1.641/sql/sql_parse.cc	2007-03-13 11:58:37 -07:00
+++ 1.642/sql/sql_parse.cc	2007-03-13 11:58:37 -07:00
@@ -4273,6 +4273,10 @@
     int error;
     LEX *lex= thd->lex;
     DBUG_PRINT("info", ("case SQLCOM_CREATE_SERVER"));
+
+    if (check_global_access(thd, SUPER_ACL))
+      break;
+
     if ((error= create_server(thd, &lex->server_options)))
     {
       DBUG_PRINT("info", ("problem creating server <%s>",
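Review bot: The `check_global_access(thd, SUPER_ACL)` guard added here under SQLCOM_CREATE_SERVER, and repeated in the SQLCOM_ALTER_SERVER and SQLCOM_DROP_SERVER hunks, has no comment saying why SUPER is the required privilege. A one-line comment above each guard would record the reason, e.g. `/* Server definitions hold remote credentials and select the backend FEDERATED tables read from; require SUPER (Bug#25671). */`. The check also sits in the command dispatcher rather than in create_server(), alter_server() and drop_server(), so any other caller of those functions (none is visible in this patch) would not be covered by it. All three case bodies start and end outside their hunks.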
@@ -4288,6 +4292,10 @@
     int error;
     LEX *lex= thd->lex;
     DBUG_PRINT("info", ("case SQLCOM_ALTER_SERVER"));
+
+    if (check_global_access(thd, SUPER_ACL))
+      break;
+
     if ((error= alter_server(thd, &lex->server_options)))
     {
       DBUG_PRINT("info", ("problem altering server <%s>",
@@ -4303,6 +4311,10 @@
     int err_code;
     LEX *lex= thd->lex;
     DBUG_PRINT("info", ("case SQLCOM_DROP_SERVER"));
+
+    if (check_global_access(thd, SUPER_ACL))
+      break;
+
     if ((err_code= drop_server(thd, &lex->server_options)))
     {
       if (! lex->drop_if_exists && err_code == ER_FOREIGN_SERVER_EXISTS)

--- 1.5/mysql-test/r/federated_server.result	2007-03-13 11:58:37 -07:00
+++ 1.6/mysql-test/r/federated_server.result	2007-03-13 11:58:37 -07:00
@@ -104,6 +104,91 @@
 drop table second_db.t1;
 drop database first_db;
 drop database second_db;
+create database db_legitimate;
+create database db_bogus;
+use db_legitimate;
+CREATE TABLE db_legitimate.t1 (
+`id` int(20) NOT NULL,
+`name` varchar(64) NOT NULL default ''
+    );
+INSERT INTO db_legitimate.t1 VALUES ('1','this is legitimate');
+use db_bogus;
+CREATE TABLE db_bogus.t1 (
+`id` int(20) NOT NULL,
+`name` varchar(64) NOT NULL default ''
+    )
+;
+INSERT INTO db_bogus.t1 VALUES ('2','this is bogus');
+create server 's1' foreign data wrapper 'mysql' options
+(HOST '127.0.0.1',
+DATABASE 'db_legitimate',
+USER 'root',
+PASSWORD '',
+PORT SLAVE_PORT,
+SOCKET '',
+OWNER 'root');
+create user guest_select@localhost;
+grant select on federated.* to guest_select@localhost;
+create user guest_super@localhost;
+grant select,SUPER,RELOAD on *.* to guest_super@localhost;
+create user guest_usage@localhost;
+grant usage on *.* to guest_usage@localhost;
+CREATE TABLE federated.t1 (
+`id` int(20) NOT NULL,
+`name` varchar(64) NOT NULL default ''
+    ) ENGINE = FEDERATED CONNECTION = 's1';
+select * from federated.t1;
+id	name
+1	this is legitimate
+alter server s1 options (database 'db_bogus');
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
+flush tables;
+select * from federated.t1;
+id	name
+1	this is legitimate
+alter server s1 options (database 'db_bogus');
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
+flush tables;
+select * from federated.t1;
+id	name
+1	this is legitimate
+alter server s1 options (database 'db_bogus');
+flush tables;
+select * from federated.t1;
+id	name
+2	this is bogus
+drop server if exists 's1';
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
+create server 's1' foreign data wrapper 'mysql' options
+(HOST '127.0.0.1',
+DATABASE 'db_legitimate',
+USER 'root',
+PASSWORD '',
+PORT SLAVE_PORT,
+SOCKET '',
+OWNER 'root');
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
+drop server 's1';
+create server 's1' foreign data wrapper 'mysql' options
+(HOST '127.0.0.1',
+DATABASE 'db_legitimate',
+USER 'root',
+PASSWORD '',
+PORT SLAVE_PORT,
+SOCKET '',
+OWNER 'root');
+flush tables;
+select * from federated.t1;
+id	name
+1	this is legitimate
+drop database db_legitimate;
+drop database db_bogus;
+drop user guest_super@localhost;
+drop user guest_usage@localhost;
+drop user guest_select@localhost;
+drop table federated.t1;
+drop server 's1';
+# End of 5.1 tests
 DROP TABLE IF EXISTS federated.t1;
 DROP DATABASE IF EXISTS federated;
 DROP TABLE IF EXISTS federated.t1;

--- 1.4/mysql-test/t/federated_server.test	2007-03-13 11:58:37 -07:00
+++ 1.5/mysql-test/t/federated_server.test	2007-03-13 11:58:37 -07:00
@@ -107,4 +107,131 @@
 drop database first_db;
 drop database second_db;
 
+#
+# Bug#25671 - CREATE/DROP/ALTER SERVER should require privileges
+#
+# Changes to SERVER declarations should require SUPER privilege.
+# Based upon test case by Giuseppe Maxia
+
+create database db_legitimate;
+create database db_bogus;
+
+use db_legitimate;
+CREATE TABLE db_legitimate.t1 (
+    `id` int(20) NOT NULL,
+    `name` varchar(64) NOT NULL default ''
+    );
+INSERT INTO db_legitimate.t1 VALUES ('1','this is legitimate');
+
+use db_bogus;
+CREATE TABLE db_bogus.t1 (
+    `id` int(20) NOT NULL,
+    `name` varchar(64) NOT NULL default ''
+    )
+  ;
+INSERT INTO db_bogus.t1 VALUES ('2','this is bogus');
+
+connection master;
+--replace_result $SLAVE_MYPORT SLAVE_PORT
+eval create server 's1' foreign data wrapper 'mysql' options
+  (HOST '127.0.0.1',
+  DATABASE 'db_legitimate',
+  USER 'root',
+  PASSWORD '',
+  PORT $SLAVE_MYPORT,
+  SOCKET '',
+  OWNER 'root');
+
+create user guest_select@localhost;
+grant select on federated.* to guest_select@localhost;
+
+create user guest_super@localhost;
+grant select,SUPER,RELOAD on *.* to guest_super@localhost;
+
+create user guest_usage@localhost;
+grant usage on *.* to guest_usage@localhost;
+
+CREATE TABLE federated.t1 (
+    `id` int(20) NOT NULL,
+    `name` varchar(64) NOT NULL default ''
+    ) ENGINE = FEDERATED CONNECTION = 's1';
+
+select * from federated.t1;
+
+connect (conn_select,127.0.0.1,guest_select,,federated,$MASTER_MYPORT);
+connect (conn_usage,127.0.0.1,guest_usage,,,$MASTER_MYPORT);
+connect (conn_super,127.0.0.1,guest_super,,,$MASTER_MYPORT);
+
+connection conn_select;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+alter server s1 options (database 'db_bogus');
+
+connection master;
+flush tables;
+select * from federated.t1;
+
+connection conn_usage;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+alter server s1 options (database 'db_bogus');
+
+connection master;
+flush tables;
+select * from federated.t1;
+
+connection conn_super;
+alter server s1 options (database 'db_bogus');
+
+connection master;
+flush tables;
+select * from federated.t1;
+
+connection conn_select;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+drop server if exists 's1';
+--replace_result $SLAVE_MYPORT SLAVE_PORT
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+eval create server 's1' foreign data wrapper 'mysql' options
+  (HOST '127.0.0.1',
+  DATABASE 'db_legitimate',
+  USER 'root',
+  PASSWORD '',
+  PORT $SLAVE_MYPORT,
+  SOCKET '',
+  OWNER 'root');
+
+connection conn_super;
+drop server 's1';
+--replace_result $SLAVE_MYPORT SLAVE_PORT
+eval create server 's1' foreign data wrapper 'mysql' options
+  (HOST '127.0.0.1',
+  DATABASE 'db_legitimate',
+  USER 'root',
+  PASSWORD '',
+  PORT $SLAVE_MYPORT,
+  SOCKET '',
+  OWNER 'root');
+
+connection master;
+flush tables;
+select * from federated.t1;
+
+# clean up test
+connection slave;
+drop database db_legitimate;
+drop database db_bogus;
+
+disconnect conn_select;
+disconnect conn_usage;
+disconnect conn_super;
+
+connection master;
+drop user guest_super@localhost;
+drop user guest_usage@localhost;
+drop user guest_select@localhost;
+drop table federated.t1;
+drop server 's1';
+
+
+--echo # End of 5.1 tests
+
 source include/federated_cleanup.inc;
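Review bot: The USAGE-only account, which is the case the commit description names, is exercised only against ALTER SERVER; the denied `drop server if exists 's1'` and `create server` statements run solely on `conn_select`. Repeating both statements under `connection conn_usage;`, placed before the second `connection conn_super;`, would pin all three commands for that account. The federated_server.result file would need to be re-recorded to match. Separately, `guest_super` is granted RELOAD although every `flush tables` in this section is issued on `connection master`, so that grant looks unnecessary for the test.

```sql
connection conn_usage;
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
drop server if exists 's1';
--replace_result $SLAVE_MYPORT SLAVE_PORT
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
eval create server 's1' foreign data wrapper 'mysql' options
  (HOST '127.0.0.1',
  DATABASE 'db_legitimate',
  USER 'root',
  PASSWORD '',
  PORT $SLAVE_MYPORT,
  SOCKET '',
  OWNER 'root');

# ... unchanged: connection conn_super; drop and re-create of 's1' ...
```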