1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

WL#2787 (Add view definer/owner to the view definition (.frm) to check privileges on used tables and stored routines when using a VIEW.)

Browse Source 
Part 2 postreview fixes.


sql/ha_innodb.cc:
  Renamed structure st_security_context to class Security_context
sql/item_func.cc:
  Renamed structure st_security_context to class Security_context
sql/item_strfunc.cc:
  fixed USER() function
sql/log.cc:
  variable used to optimize access to security context
sql/mysql_priv.h:
  Renamed structure st_security_context to class Security_context
sql/mysqld.cc:
  main security context used direcly
sql/sp_head.cc:
  Renamed structure st_security_context to class Security_context
  removed unneed variable
sql/sp_head.h:
  Comment inmroved
  Renamed structure st_security_context to class Security_context
sql/sql_acl.cc:
  Renamed structure st_security_context to class Security_context
  fixed function comment and return value
  variable used to optimize access to security context
  Renamed method of Security_ontext
sql/sql_acl.h:
  fixed return value type
sql/sql_class.cc:
  Renamed structure st_security_context to class Security_context
sql/sql_class.h:
  Renamed structure st_security_context to class Security_context
  Method renamed
sql/sql_db.cc:
  Renamed structure st_security_context to class Security_context
  fixed layout
sql/sql_parse.cc:
  registration of wanted access for underlying tables
sql/sql_show.cc:
  Renamed structure st_security_context to class Security_context
  fixed layout
sql/sql_yacc.yy:
  Renamed structure st_security_context to class Security_context
This commit is contained in:
unknown 2005-09-20 21:20:38 +03:00
parent 84f029a448
commit 3fe752f527
16 changed files with 151 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sql/ha_innodb.cc
View File

@ -563,7 +563,7 @@ innobase_mysql_print_thd(
use the default max length */
{
const THD* thd;
const st_security_context *sctx;
const Security_context *sctx;
const char* s;
thd = (const THD*) input_thd;

2
sql/item_func.cc
View File

@ -4713,7 +4713,7 @@ Item_func_sp::execute(Item **itp)
Sub_statement_state statement_state;
#ifndef NO_EMBEDDED_ACCESS_CHECKS
st_security_context *save_ctx;
Security_context *save_ctx;
#endif
if (! m_sp && ! (m_sp= sp_find_function(thd, m_name, TRUE)))

2
sql/item_strfunc.cc
View File

@ -1608,7 +1608,7 @@ String *Item_func_user::val_str(String *str)
else
{
user= thd->main_security_ctx.user;
host= thd->main_security_ctx.priv_host;
host= thd->main_security_ctx.host;
}
// For system threads (e.g. replication SQL thread) user may be empty

11
sql/log.cc
View File

@ -1915,6 +1915,7 @@ bool MYSQL_LOG::write(THD *thd,const char *query, uint query_length,
}
if (!(specialflag & SPECIAL_SHORT_LOG_FORMAT) || query_start_arg)
{
Security_context *sctx= thd->security_ctx;
current_time=time(NULL);
if (current_time != last_time)
{
@ -1935,11 +1936,11 @@ bool MYSQL_LOG::write(THD *thd,const char *query, uint query_length,
tmp_errno=errno;
}
if (my_b_printf(&log_file, "# User@Host: %s[%s] @ %s [%s]\n",
thd->security_ctx->priv_user ?
thd->security_ctx->priv_user : "",
thd->security_ctx->user ? thd->security_ctx->user : "",
thd->security_ctx->host ? thd->security_ctx->host : "",
thd->security_ctx->ip ? thd->security_ctx->ip : "") ==
sctx->priv_user ?
sctx->priv_user : "",
sctx->user ? sctx->user : "",
sctx->host ? sctx->host : "",
sctx->ip ? sctx->ip : "") ==
(uint) -1)
tmp_errno=errno;
}

4
sql/mysql_priv.h
View File

@ -484,7 +484,7 @@ typedef my_bool (*qc_engine_callback)(THD *thd, char *table_key,
#include "protocol.h"
#include "sql_udf.h"
class user_var_entry;
class st_security_context;
class Security_context;
enum enum_var_type
{
OPT_DEFAULT= 0, OPT_SESSION, OPT_GLOBAL
@ -516,7 +516,7 @@ bool delete_precheck(THD *thd, TABLE_LIST *tables);
bool insert_precheck(THD *thd, TABLE_LIST *tables);
bool create_table_precheck(THD *thd, TABLE_LIST *tables,
TABLE_LIST *create_table);
bool default_view_definer(st_security_context *sctx, st_lex_user *definer);
bool default_view_definer(Security_context *sctx, st_lex_user *definer);
enum enum_mysql_completiontype {

4
sql/mysqld.cc
View File

@ -777,8 +777,8 @@ static void close_connections(void)
if (global_system_variables.log_warnings)
sql_print_warning(ER(ER_FORCING_CLOSE),my_progname,
tmp->thread_id,
(tmp->security_ctx->user ?
tmp->security_ctx->user : ""));
(tmp->main_security_ctx.user ?
tmp->main_security_ctx.user : ""));
close_connection(tmp,0,0);
}
#endif

16
sql/sp_head.cc
View File

@ -2648,16 +2648,14 @@ sp_instr_error::print(String *str)
#ifndef NO_EMBEDDED_ACCESS_CHECKS
bool
sp_change_security_context(THD *thd, sp_head *sp, st_security_context **backup)
sp_change_security_context(THD *thd, sp_head *sp, Security_context **backup)
{
bool changed= (sp->m_chistics->suid != SP_IS_NOT_SUID &&
(strcmp(sp->m_definer_user.str,
thd->security_ctx->priv_user) ||
my_strcasecmp(system_charset_info, sp->m_definer_host.str,
thd->security_ctx->priv_host)));
*backup= 0;
if (changed)
if (sp->m_chistics->suid != SP_IS_NOT_SUID &&
(strcmp(sp->m_definer_user.str,
thd->security_ctx->priv_user) ||
my_strcasecmp(system_charset_info, sp->m_definer_host.str,
thd->security_ctx->priv_host)))
{
if (acl_getroot_no_password(&sp->m_security_ctx, sp->m_definer_user.str,
sp->m_definer_host.str,
@ -2675,7 +2673,7 @@ sp_change_security_context(THD *thd, sp_head *sp, st_security_context **backup)
}
void
sp_restore_security_context(THD *thd, st_security_context *backup)
sp_restore_security_context(THD *thd, Security_context *backup)
{
if (backup)
thd->security_ctx= backup;

11
sql/sp_head.h
View File

@ -151,8 +151,11 @@ public:
// Pointers set during parsing
uchar *m_param_begin, *m_param_end, *m_body_begin;
/* security context for SP procedure/function in case we switch it*/
st_security_context m_security_ctx;
/*
Security context for stored routine which should be run under
definer privileges.
*/
Security_context m_security_ctx;
static void *
operator new(size_t size);
@ -1023,9 +1026,9 @@ private:
#ifndef NO_EMBEDDED_ACCESS_CHECKS
bool
sp_change_security_context(THD *thd, sp_head *sp,
st_security_context **backup);
Security_context **backup);
void
sp_restore_security_context(THD *thd, st_security_context *backup);
sp_restore_security_context(THD *thd, Security_context *backup);
#endif /* NO_EMBEDDED_ACCESS_CHECKS */
TABLE_LIST *

68
sql/sql_acl.cc
View File

@ -719,7 +719,7 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh,
ulong user_access= NO_ACCESS;
int res= 1;
ACL_USER *acl_user= 0;
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
DBUG_ENTER("acl_getroot");
if (!initialized)
@ -728,6 +728,7 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh,
here if mysqld's been started with --skip-grant-tables option.
*/
sctx->skip_grants();
bzero((char*) mqh, sizeof(*mqh));
DBUG_RETURN(0);
}
@ -906,13 +907,24 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh,
/*
* This is like acl_getroot() above, but it doesn't check password,
* and we don't care about the user resources.
* Used to get access rights for SQL SECURITY DEFINER invocation of
* stored procedures.
*/
int acl_getroot_no_password(st_security_context *sctx, char *user, char *host,
char *ip, char *db)
This is like acl_getroot() above, but it doesn't check password,
and we don't care about the user resources.
SYNOPSIS
acl_getroot_no_password()
sctx Context which should be initialized
user user name
host host name
ip IP
db current data base name
RETURN
FALSE OK
TRUE Error
*/
bool acl_getroot_no_password(Security_context *sctx, char *user, char *host,
char *ip, char *db)
{
int res= 1;
uint i;
@ -930,7 +942,7 @@ int acl_getroot_no_password(st_security_context *sctx, char *user, char *host,
here if mysqld's been started with --skip-grant-tables option.
*/
sctx->skip_grants();
DBUG_RETURN(0);
DBUG_RETURN(FALSE);
}
VOID(pthread_mutex_lock(&acl_cache->lock));
@ -1649,7 +1661,7 @@ static bool update_user_table(THD *thd, TABLE *table,
static bool test_if_create_new_users(THD *thd)
{
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
bool create_new_users= test(sctx->master_access & INSERT_ACL) ||
(!opt_safe_user_create &&
test(sctx->master_access & CREATE_USER_ACL));
@ -3493,7 +3505,7 @@ bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
uint show_table, uint number, bool no_errors)
{
TABLE_LIST *table;
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
DBUG_ENTER("check_grant");
DBUG_ASSERT(number > 0);
@ -3563,7 +3575,7 @@ bool check_grant_column(THD *thd, GRANT_INFO *grant,
const char *db_name, const char *table_name,
const char *name, uint length, uint show_tables)
{
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
GRANT_TABLE *grant_table;
GRANT_COLUMN *grant_column;
ulong want_access= grant->want_privilege & ~grant->privilege;
@ -3623,7 +3635,7 @@ bool check_grant_all_columns(THD *thd, ulong want_access, GRANT_INFO *grant,
const char* db_name, const char *table_name,
Field_iterator *fields)
{
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
GRANT_TABLE *grant_table;
GRANT_COLUMN *grant_column;
@ -3683,7 +3695,7 @@ err2:
bool check_grant_db(THD *thd,const char *db)
{
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
char helping [NAME_LEN+USERNAME_LENGTH+2];
uint len;
bool error= 1;
@ -3729,7 +3741,7 @@ bool check_grant_routine(THD *thd, ulong want_access,
TABLE_LIST *procs, bool is_proc, bool no_errors)
{
TABLE_LIST *table;
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
char *user= sctx->priv_user;
char *host= sctx->priv_host;
DBUG_ENTER("check_grant_routine");
@ -3797,10 +3809,11 @@ bool check_routine_level_acl(THD *thd, const char *db, const char *name,
if (grant_option)
{
GRANT_NAME *grant_proc;
Security_context *sctx= thd->security_ctx;
rw_rdlock(&LOCK_grant);
if ((grant_proc= routine_hash_search(thd->security_ctx->priv_host,
thd->security_ctx->ip, db,
thd->security_ctx->priv_user,
if ((grant_proc= routine_hash_search(sctx->priv_host,
sctx->ip, db,
sctx->priv_user,
name, is_proc, 0)))
no_routine_acl= !(grant_proc->privs & SHOW_PROC_ACLS);
rw_unlock(&LOCK_grant);
@ -3816,7 +3829,7 @@ bool check_routine_level_acl(THD *thd, const char *db, const char *name,
ulong get_table_grant(THD *thd, TABLE_LIST *table)
{
ulong privilege;
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
const char *db = table->db ? table->db : thd->db;
GRANT_TABLE *grant_table;
@ -3867,9 +3880,10 @@ ulong get_column_grant(THD *thd, GRANT_INFO *grant,
/* reload table if someone has modified any grants */
if (grant->version != grant_version)
{
Security_context *sctx= thd->security_ctx;
grant->grant_table=
table_hash_search(thd->security_ctx->host, thd->security_ctx->ip,
db_name, thd->security_ctx->priv_user,
table_hash_search(sctx->host, sctx->ip,
db_name, sctx->priv_user,
table_name, 0); /* purecov: inspected */
grant->version= grant_version; /* purecov: inspected */
}
@ -5439,7 +5453,7 @@ bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name,
bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name,
bool is_proc)
{
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
LEX_USER *combo;
TABLE_LIST tables[1];
List<LEX_USER> user_list;
@ -5573,7 +5587,7 @@ int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
char buff[100];
TABLE *table= tables->table;
bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0);
char *curr_host= thd->security_ctx->get_priv_host();
char *curr_host= thd->security_ctx->priv_host_name();
DBUG_ENTER("fill_schema_user_privileges");
for (counter=0 ; counter < acl_users.elements ; counter++)
@ -5626,7 +5640,7 @@ int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
char buff[100];
TABLE *table= tables->table;
bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0);
char *curr_host= thd->security_ctx->get_priv_host();
char *curr_host= thd->security_ctx->priv_host_name();
DBUG_ENTER("fill_schema_schema_privileges");
for (counter=0 ; counter < acl_dbs.elements ; counter++)
@ -5681,7 +5695,7 @@ int fill_schema_table_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
char buff[100];
TABLE *table= tables->table;
bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0);
char *curr_host= thd->security_ctx->get_priv_host();
char *curr_host= thd->security_ctx->priv_host_name();
DBUG_ENTER("fill_schema_table_privileges");
for (index=0 ; index < column_priv_hash.records ; index++)
@ -5743,7 +5757,7 @@ int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
char buff[100];
TABLE *table= tables->table;
bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0);
char *curr_host= thd->security_ctx->get_priv_host();
char *curr_host= thd->security_ctx->priv_host_name();
DBUG_ENTER("fill_schema_table_privileges");
for (index=0 ; index < column_priv_hash.records ; index++)
@ -5819,7 +5833,7 @@ int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant,
const char *db, const char *table)
{
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
/* --skip-grants */
if (!initialized)
{

4
sql/sql_acl.h
View File

@ -181,8 +181,8 @@ ulong acl_get(const char *host, const char *ip,
const char *user, const char *db, my_bool db_is_pattern);
int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd,
uint passwd_len);
int acl_getroot_no_password(st_security_context *sctx, char *user, char *host,
char *ip, char *db);
bool acl_getroot_no_password(Security_context *sctx, char *user, char *host,
char *ip, char *db);
bool acl_check_host(const char *host, const char *ip);
bool check_change_password(THD *thd, const char *host, const char *user,
char *password, uint password_len);

6
sql/sql_class.cc
View File

@ -1822,7 +1822,7 @@ void THD::set_status_var_init()
}
void st_security_context::init()
void Security_context::init()
{
host= user= priv_user= ip= 0;
host_or_ip= "connecting host";
@ -1832,7 +1832,7 @@ void st_security_context::init()
}
void st_security_context::destroy()
void Security_context::destroy()
{
// If not pointer to constant
if (host != my_localhost)
@ -1843,7 +1843,7 @@ void st_security_context::destroy()
}
void st_security_context::skip_grants()
void Security_context::skip_grants()
{
/* privileges for the user are unknown everything is allowed */
host_or_ip= (char *)"";

12
sql/sql_class.h
View File

@ -942,15 +942,17 @@ bool xid_cache_insert(XID_STATE *xid_state);
void xid_cache_delete(XID_STATE *xid_state);
struct st_security_context {
class Security_context {
public:
/*
host - host of the client
user - user of the client, set to NULL until the user has been read from
the connection
priv_user - The user privilege we are using. May be '' for anonymous user.
priv_user - The user privilege we are using. May be "" for anonymous user.
ip - client IP
*/
char *host, *user, *priv_user, *ip;
/* The host privilege we are using */
char priv_host[MAX_HOSTNAME];
/* points to host if host is available, otherwise points to ip */
const char *host_or_ip;
@ -960,7 +962,7 @@ struct st_security_context {
void init();
void destroy();
void skip_grants();
inline char *get_priv_host()
inline char *priv_host_name()
{
return (*priv_host ? priv_host : (char *)"%");
}
@ -1150,8 +1152,8 @@ public:
the slave SQL thread, in sql/slave.cc.
*/
char *db, *catalog;
st_security_context main_security_ctx;
st_security_context *security_ctx;
Security_context main_security_ctx;
Security_context *security_ctx;
/* remote (peer) port */
uint16 peer_port;

6
sql/sql_db.cc
View File

@ -1093,7 +1093,7 @@ bool mysql_change_db(THD *thd, const char *name, bool no_access_check)
bool system_db= 0;
#ifndef NO_EMBEDDED_ACCESS_CHECKS
ulong db_access;
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
#endif
DBUG_ENTER("mysql_change_db");
DBUG_PRINT("enter",("name: '%s'",name));
@ -1131,7 +1131,7 @@ bool mysql_change_db(THD *thd, const char *name, bool no_access_check)
#ifndef NO_EMBEDDED_ACCESS_CHECKS
if (!no_access_check)
{
if (test_all_bits(sctx->master_access,DB_ACLS))
if (test_all_bits(sctx->master_access, DB_ACLS))
db_access=DB_ACLS;
else
db_access= (acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname, 0) |
@ -1166,7 +1166,7 @@ end:
thd->db_length=db_length;
#ifndef NO_EMBEDDED_ACCESS_CHECKS
if (!no_access_check)
sctx->db_access=db_access;
sctx->db_access= db_access;
#endif
if (system_db)
{

105
sql/sql_parse.cc
View File

@ -270,11 +270,10 @@ int check_user(THD *thd, enum enum_server_command command,
const char *passwd, uint passwd_len, const char *db,
bool check_count)
{
st_security_context *sctx= thd->security_ctx;
DBUG_ENTER("check_user");
#ifdef NO_EMBEDDED_ACCESS_CHECKS
sctx->master_access= GLOBAL_ACLS; // Full rights
thd->ain_security_ctx.master_access= GLOBAL_ACLS; // Full rights
/* Change database if necessary */
if (db && db[0])
{
@ -341,15 +340,17 @@ int check_user(THD *thd, enum enum_server_command command,
if (opt_secure_auth_local)
{
net_printf_error(thd, ER_SERVER_IS_IN_SECURE_AUTH_MODE,
sctx->user, sctx->host_or_ip);
thd->main_security_ctx.user,
thd->main_security_ctx.host_or_ip);
mysql_log.write(thd, COM_CONNECT, ER(ER_SERVER_IS_IN_SECURE_AUTH_MODE),
sctx->user, sctx->host_or_ip);
thd->main_security_ctx.user,
thd->main_security_ctx.host_or_ip);
DBUG_RETURN(-1);
}
/* We have to read very specific packet size */
if (send_old_password_request(thd) ||
my_net_read(net) != SCRAMBLE_LENGTH_323 + 1)
{
{
inc_host_errors(&thd->remote.sin_addr);
DBUG_RETURN(ER_HANDSHAKE_ERROR);
}
@ -361,22 +362,27 @@ int check_user(THD *thd, enum enum_server_command command,
/* here res is always >= 0 */
if (res == 0)
{
if (!(sctx->master_access & NO_ACCESS)) // authentication is OK
if (!(thd->main_security_ctx.master_access &
NO_ACCESS)) // authentication is OK
{
DBUG_PRINT("info",
("Capabilities: %d packet_length: %ld Host: '%s' "
"Login user: '%s' Priv_user: '%s' Using password: %s "
"Access: %u db: '%s'",
thd->client_capabilities, thd->max_client_packet_length,
sctx->host_or_ip, sctx->user, sctx->priv_user,
thd->client_capabilities,
thd->max_client_packet_length,
thd->main_security_ctx.host_or_ip,
thd->main_security_ctx.user,
thd->main_security_ctx.priv_user,
passwd_len ? "yes": "no",
sctx->master_access, thd->db ? thd->db : "*none*"));
thd->main_security_ctx.master_access,
(thd->db ? thd->db : "*none*")));
if (check_count)
{
VOID(pthread_mutex_lock(&LOCK_thread_count));
bool count_ok= thread_count <= max_connections + delayed_insert_threads
|| (sctx->master_access & SUPER_ACL);
|| (thd->main_security_ctx.master_access & SUPER_ACL);
VOID(pthread_mutex_unlock(&LOCK_thread_count));
if (!count_ok)
{ // too many connections
@ -387,10 +393,12 @@ int check_user(THD *thd, enum enum_server_command command,
/* Why logging is performed before all checks've passed? */
mysql_log.write(thd, command,
(sctx->priv_user == sctx->user ?
(thd->main_security_ctx.priv_user ==
thd->main_security_ctx.user ?
(char*) "%s@%s on %s" :
(char*) "%s@%s as anonymous on %s"),
sctx->user, sctx->host_or_ip,
thd->main_security_ctx.user,
thd->main_security_ctx.host_or_ip,
db ? db : (char*) "");
/*
@ -398,14 +406,16 @@ int check_user(THD *thd, enum enum_server_command command,
set to 0 here because we don't have an active database yet (and we
may not have an active database to set.
*/
sctx->db_access=0;
thd->main_security_ctx.db_access=0;
/* Don't allow user to connect if he has done too many queries */
if ((ur.questions || ur.updates || ur.conn_per_hour || ur.user_conn ||
max_user_connections) &&
get_or_create_user_conn(thd,
(opt_old_style_user_limits ? sctx->user : sctx->priv_user),
(opt_old_style_user_limits ? sctx->host_or_ip : sctx->priv_host),
(opt_old_style_user_limits ? thd->main_security_ctx.user :
thd->main_security_ctx.priv_user),
(opt_old_style_user_limits ? thd->main_security_ctx.host_or_ip :
thd->main_security_ctx.priv_host),
&ur))
DBUG_RETURN(-1);
if (thd->user_connect &&
@ -440,12 +450,12 @@ int check_user(THD *thd, enum enum_server_command command,
DBUG_RETURN(-1);
}
net_printf_error(thd, ER_ACCESS_DENIED_ERROR,
sctx->user,
sctx->host_or_ip,
thd->main_security_ctx.user,
thd->main_security_ctx.host_or_ip,
passwd_len ? ER(ER_YES) : ER(ER_NO));
mysql_log.write(thd, COM_CONNECT, ER(ER_ACCESS_DENIED_ERROR),
sctx->user,
sctx->host_or_ip,
thd->main_security_ctx.user,
thd->main_security_ctx.host_or_ip,
passwd_len ? ER(ER_YES) : ER(ER_NO));
DBUG_RETURN(-1);
#endif /* NO_EMBEDDED_ACCESS_CHECKS */
@ -765,46 +775,49 @@ static int check_connection(THD *thd)
NET *net= &thd->net;
ulong pkt_len= 0;
char *end;
st_security_context *sctx= thd->security_ctx;
DBUG_PRINT("info",
("New connection received on %s", vio_description(net->vio)));
if (!sctx->host) // If TCP/IP connection
if (!thd->main_security_ctx.host) // If TCP/IP connection
{
char ip[30];
if (vio_peer_addr(net->vio, ip, &thd->peer_port))
return (ER_BAD_HOST_ERROR);
if (!(sctx->ip= my_strdup(ip,MYF(0))))
if (!(thd->main_security_ctx.ip= my_strdup(ip,MYF(0))))
return (ER_OUT_OF_RESOURCES);
sctx->host_or_ip= sctx->ip;
thd->main_security_ctx.host_or_ip= thd->main_security_ctx.ip;
vio_in_addr(net->vio,&thd->remote.sin_addr);
if (!(specialflag & SPECIAL_NO_RESOLVE))
{
vio_in_addr(net->vio,&thd->remote.sin_addr);
sctx->host=ip_to_hostname(&thd->remote.sin_addr,&connect_errors);
thd->main_security_ctx.host=
ip_to_hostname(&thd->remote.sin_addr, &connect_errors);
/* Cut very long hostnames to avoid possible overflows */
if (sctx->host)
if (thd->main_security_ctx.host)
{
if (sctx->host != my_localhost)
sctx->host[min(strlen(sctx->host), HOSTNAME_LENGTH)]= 0;
sctx->host_or_ip= sctx->host;
if (thd->main_security_ctx.host != my_localhost)
thd->main_security_ctx.host[min(strlen(thd->main_security_ctx.host),
HOSTNAME_LENGTH)]= 0;
thd->main_security_ctx.host_or_ip= thd->main_security_ctx.host;
}
if (connect_errors > max_connect_errors)
return(ER_HOST_IS_BLOCKED);
}
DBUG_PRINT("info",("Host: %s ip: %s",
sctx->host ? sctx->host : "unknown host",
sctx->ip ? sctx->ip : "unknown ip"));
if (acl_check_host(sctx->host, sctx->ip))
(thd->main_security_ctx.host ?
thd->main_security_ctx.host : "unknown host"),
(thd->main_security_ctx.ip ?
thd->main_security_ctx.ip : "unknown ip")));
if (acl_check_host(thd->main_security_ctx.host, thd->main_security_ctx.ip))
return(ER_HOST_NOT_PRIVILEGED);
}
else /* Hostname given means that the connection was on a socket */
{
DBUG_PRINT("info",("Host: %s", sctx->host));
sctx->host_or_ip= sctx->host;
sctx->ip= 0;
DBUG_PRINT("info",("Host: %s", thd->main_security_ctx.host));
thd->main_security_ctx.host_or_ip= thd->main_security_ctx.host;
thd->main_security_ctx.ip= 0;
/* Reset sin_addr */
bzero((char*) &thd->remote, sizeof(thd->remote));
}
@ -987,9 +1000,9 @@ static int check_connection(THD *thd)
thd->charset(), &dummy_errors)]= '\0';
user= user_buff;
if (sctx->user)
x_free(sctx->user);
if (!(sctx->user= my_strdup(user, MYF(0))))
if (thd->main_security_ctx.user)
x_free(thd->main_security_ctx.user);
if (!(thd->main_security_ctx.user= my_strdup(user, MYF(0))))
return (ER_OUT_OF_RESOURCES);
return check_user(thd, COM_CONNECT, passwd, passwd_len, db, TRUE);
}
@ -1077,7 +1090,7 @@ pthread_handler_decl(handle_one_connection,arg)
{
int error;
NET *net= &thd->net;
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
thd->thread_stack= (char*) &thd;
net->no_send_error= 0;
@ -1592,7 +1605,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
/* Save user and privileges */
uint save_db_length= thd->db_length;
char *save_db= thd->db;
st_security_context save_security_ctx= *thd->security_ctx;
Security_context save_security_ctx= *thd->security_ctx;
USER_CONN *save_user_connect= thd->user_connect;
if (!(thd->security_ctx->user= my_strdup(user, MYF(0))))
@ -4143,7 +4156,7 @@ end_with_restore_list:
else
{
#ifndef NO_EMBEDDED_ACCESS_CHECKS
st_security_context *save_ctx;
Security_context *save_ctx;
#endif
ha_rows select_limit;
/* bits that should be cleared in thd->server_status */
@ -4807,7 +4820,7 @@ bool
check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,
bool dont_check_global_grants, bool no_errors, bool schema_db)
{
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
#ifndef NO_EMBEDDED_ACCESS_CHECKS
ulong db_access;
bool db_is_pattern= test(want_access & GRANT_ACL);
@ -4838,8 +4851,8 @@ check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,
{
if (!no_errors)
my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
thd->security_ctx->priv_user,
thd->security_ctx->priv_host, db_name);
sctx->priv_user,
sctx->priv_host, db_name);
DBUG_RETURN(TRUE);
}
else
@ -5245,7 +5258,7 @@ void mysql_reset_thd_for_next_command(THD *thd)
thd->server_status&= ~ (SERVER_MORE_RESULTS_EXISTS |
SERVER_QUERY_NO_INDEX_USED |
SERVER_QUERY_NO_GOOD_INDEX_USED);
thd->security_ctx= &thd->main_security_ctx;
DBUG_ASSERT(thd->security_ctx== &thd->main_security_ctx);
thd->tmp_table_used= 0;
if (!thd->in_sub_stmt)
{
@ -7396,7 +7409,7 @@ Item *negate_expression(THD *thd, Item *expr)
SYNOPSIS
default_definer()
thd thread handler
Secytity_context current decurity context
definer structure where it should be assigned
RETURN
@ -7404,7 +7417,7 @@ Item *negate_expression(THD *thd, Item *expr)
TRUE Error
*/
bool default_view_definer(st_security_context *sctx, st_lex_user *definer)
bool default_view_definer(Security_context *sctx, st_lex_user *definer)
{
definer->user.str= sctx->priv_user;
definer->user.length= strlen(sctx->priv_user);

14
sql/sql_show.cc
View File

@ -415,7 +415,7 @@ mysqld_show_create(THD *thd, TABLE_LIST *table_list)
bool mysqld_show_create_db(THD *thd, char *dbname,
HA_CREATE_INFO *create_info)
{
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
int length;
char path[FN_REFLEN];
char buff[2048];
@ -436,7 +436,7 @@ bool mysqld_show_create_db(THD *thd, char *dbname,
}
#ifndef NO_EMBEDDED_ACCESS_CHECKS
if (test_all_bits(sctx->master_access,DB_ACLS))
if (test_all_bits(sctx->master_access, DB_ACLS))
db_access=DB_ACLS;
else
db_access= (acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname, 0) |
@ -1186,7 +1186,7 @@ void mysqld_list_processes(THD *thd,const char *user, bool verbose)
THD *tmp;
while ((tmp=it++))
{
st_security_context *tmp_sctx= tmp->security_ctx;
Security_context *tmp_sctx= tmp->security_ctx;
struct st_my_thread_var *mysys_var;
if ((tmp->vio_ok() || tmp->system_thread) &&
(!user || (tmp_sctx->user && !strcmp(tmp_sctx->user, user))))
@ -1205,7 +1205,7 @@ void mysqld_list_processes(THD *thd,const char *user, bool verbose)
"%s:%u", tmp_sctx->host_or_ip, tmp->peer_port);
}
else
thd_info->host= thd->strdup(tmp_sctx->host_or_ip);
thd_info->host= thd->strdup(tmp_sctx->host);
if ((thd_info->db=tmp->db)) // Safe test
thd_info->db=thd->strdup(thd_info->db);
thd_info->command=(int) tmp->command;
@ -1257,7 +1257,7 @@ void mysqld_list_processes(THD *thd,const char *user, bool verbose)
thread_info *thd_info;
#ifndef NO_EMBEDDED_ACCESS_CHECKS
st_security_context *sctx;
Security_context *sctx;
#endif
time_t now= time(0);
while ((thd_info=thread_infos.get()))
@ -1996,7 +1996,7 @@ int get_all_tables(THD *thd, TABLE_LIST *tables, COND *cond)
List<char> bases;
List_iterator_fast<char> it(bases);
COND *partial_cond;
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
uint derived_tables= lex->derived_tables;
int error= 1;
Open_tables_state open_tables_state_backup;
@ -2201,7 +2201,7 @@ int fill_schema_shemata(THD *thd, TABLE_LIST *tables, COND *cond)
bool with_i_schema;
HA_CREATE_INFO create;
TABLE *table= tables->table;
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
DBUG_ENTER("fill_schema_shemata");
if (make_db_list(thd, &files, &idx_field_vals,

4
sql/sql_yacc.yy
View File

@ -6554,7 +6554,7 @@ show_param:
LEX *lex=Lex;
lex->sql_command= SQLCOM_SHOW_GRANTS;
THD *thd= lex->thd;
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
LEX_USER *curr_user;
if (!(curr_user= (LEX_USER*) thd->alloc(sizeof(st_lex_user))))
YYABORT;
@ -7464,7 +7464,7 @@ user:
| CURRENT_USER optional_braces
{
THD *thd= YYTHD;
st_security_context *sctx= thd->security_ctx;
Security_context *sctx= thd->security_ctx;
if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user))))
YYABORT;
$$->user.str= sctx->priv_user;