1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

WL#2787 (Add view definer/owner to the view definition (.frm) to check privileges on used tables and stored routines when using a VIEW.)

Browse Source 
Part 2 postreview fixes.


sql/ha_innodb.cc:
  Renamed structure st_security_context to class Security_context
sql/item_func.cc:
  Renamed structure st_security_context to class Security_context
sql/item_strfunc.cc:
  fixed USER() function
sql/log.cc:
  variable used to optimize access to security context
sql/mysql_priv.h:
  Renamed structure st_security_context to class Security_context
sql/mysqld.cc:
  main security context used direcly
sql/sp_head.cc:
  Renamed structure st_security_context to class Security_context
  removed unneed variable
sql/sp_head.h:
  Comment inmroved
  Renamed structure st_security_context to class Security_context
sql/sql_acl.cc:
  Renamed structure st_security_context to class Security_context
  fixed function comment and return value
  variable used to optimize access to security context
  Renamed method of Security_ontext
sql/sql_acl.h:
  fixed return value type
sql/sql_class.cc:
  Renamed structure st_security_context to class Security_context
sql/sql_class.h:
  Renamed structure st_security_context to class Security_context
  Method renamed
sql/sql_db.cc:
  Renamed structure st_security_context to class Security_context
  fixed layout
sql/sql_parse.cc:
  registration of wanted access for underlying tables
sql/sql_show.cc:
  Renamed structure st_security_context to class Security_context
  fixed layout
sql/sql_yacc.yy:
  Renamed structure st_security_context to class Security_context
This commit is contained in:
unknown 2005-09-20 21:20:38 +03:00
parent 84f029a448
commit 3fe752f527
16 changed files with 151 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sql/ha_innodb.cc
View File

@ -563,7 +563,7 @@ innobase_mysql_print_thd(
use the default max length */ use the default max length */
{ {
const THD* thd; const THD* thd;
const st_security_context *sctx; const Security_context *sctx;
const char* s; const char* s;
thd = (const THD*) input_thd; thd = (const THD*) input_thd;

2
sql/item_func.cc
View File

@ -4713,7 +4713,7 @@ Item_func_sp::execute(Item **itp)
Sub_statement_state statement_state; Sub_statement_state statement_state;
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
st_security_context *save_ctx; Security_context *save_ctx;
#endif #endif
if (! m_sp && ! (m_sp= sp_find_function(thd, m_name, TRUE))) if (! m_sp && ! (m_sp= sp_find_function(thd, m_name, TRUE)))

2
sql/item_strfunc.cc
View File

@ -1608,7 +1608,7 @@ String *Item_func_user::val_str(String *str)
else else
{ {
user= thd->main_security_ctx.user; user= thd->main_security_ctx.user;
host= thd->main_security_ctx.priv_host; host= thd->main_security_ctx.host;
} }
// For system threads (e.g. replication SQL thread) user may be empty // For system threads (e.g. replication SQL thread) user may be empty

11
sql/log.cc
View File

@ -1915,6 +1915,7 @@ bool MYSQL_LOG::write(THD *thd,const char *query, uint query_length,
} }
if (!(specialflag & SPECIAL_SHORT_LOG_FORMAT) || query_start_arg) if (!(specialflag & SPECIAL_SHORT_LOG_FORMAT) || query_start_arg)
{ {
Security_context *sctx= thd->security_ctx;
current_time=time(NULL); current_time=time(NULL);
if (current_time != last_time) if (current_time != last_time)
{ {
@ -1935,11 +1936,11 @@ bool MYSQL_LOG::write(THD *thd,const char *query, uint query_length,
tmp_errno=errno; tmp_errno=errno;
} }
if (my_b_printf(&log_file, "# User@Host: %s[%s] @ %s [%s]\n", if (my_b_printf(&log_file, "# User@Host: %s[%s] @ %s [%s]\n",
thd->security_ctx->priv_user ? sctx->priv_user ?
thd->security_ctx->priv_user : "", sctx->priv_user : "",
thd->security_ctx->user ? thd->security_ctx->user : "", sctx->user ? sctx->user : "",
thd->security_ctx->host ? thd->security_ctx->host : "", sctx->host ? sctx->host : "",
thd->security_ctx->ip ? thd->security_ctx->ip : "") == sctx->ip ? sctx->ip : "") ==
(uint) -1) (uint) -1)
tmp_errno=errno; tmp_errno=errno;
} }

4
sql/mysql_priv.h
View File

@ -484,7 +484,7 @@ typedef my_bool (*qc_engine_callback)(THD *thd, char *table_key,
#include "protocol.h" #include "protocol.h"
#include "sql_udf.h" #include "sql_udf.h"
class user_var_entry; class user_var_entry;
class st_security_context; class Security_context;
enum enum_var_type enum enum_var_type
{ {
OPT_DEFAULT= 0, OPT_SESSION, OPT_GLOBAL OPT_DEFAULT= 0, OPT_SESSION, OPT_GLOBAL
@ -516,7 +516,7 @@ bool delete_precheck(THD *thd, TABLE_LIST *tables);
bool insert_precheck(THD *thd, TABLE_LIST *tables); bool insert_precheck(THD *thd, TABLE_LIST *tables);
bool create_table_precheck(THD *thd, TABLE_LIST *tables, bool create_table_precheck(THD *thd, TABLE_LIST *tables,
TABLE_LIST *create_table); TABLE_LIST *create_table);
bool default_view_definer(st_security_context *sctx, st_lex_user *definer); bool default_view_definer(Security_context *sctx, st_lex_user *definer);
enum enum_mysql_completiontype { enum enum_mysql_completiontype {

4
sql/mysqld.cc
View File

@ -777,8 +777,8 @@ static void close_connections(void)
if (global_system_variables.log_warnings) if (global_system_variables.log_warnings)
sql_print_warning(ER(ER_FORCING_CLOSE),my_progname, sql_print_warning(ER(ER_FORCING_CLOSE),my_progname,
tmp->thread_id, tmp->thread_id,
(tmp->security_ctx->user ? (tmp->main_security_ctx.user ?
tmp->security_ctx->user : "")); tmp->main_security_ctx.user : ""));
close_connection(tmp,0,0); close_connection(tmp,0,0);
} }
#endif #endif

12
sql/sp_head.cc
View File

@ -2648,16 +2648,14 @@ sp_instr_error::print(String *str)
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
bool bool
sp_change_security_context(THD *thd, sp_head *sp, st_security_context **backup) sp_change_security_context(THD *thd, sp_head *sp, Security_context **backup)
{ {
bool changed= (sp->m_chistics->suid != SP_IS_NOT_SUID && *backup= 0;
if (sp->m_chistics->suid != SP_IS_NOT_SUID &&
(strcmp(sp->m_definer_user.str, (strcmp(sp->m_definer_user.str,
thd->security_ctx->priv_user) || thd->security_ctx->priv_user) ||
my_strcasecmp(system_charset_info, sp->m_definer_host.str, my_strcasecmp(system_charset_info, sp->m_definer_host.str,
thd->security_ctx->priv_host))); thd->security_ctx->priv_host)))
*backup= 0;
if (changed)
{ {
if (acl_getroot_no_password(&sp->m_security_ctx, sp->m_definer_user.str, if (acl_getroot_no_password(&sp->m_security_ctx, sp->m_definer_user.str,
sp->m_definer_host.str, sp->m_definer_host.str,
@ -2675,7 +2673,7 @@ sp_change_security_context(THD *thd, sp_head *sp, st_security_context **backup)
} }
void void
sp_restore_security_context(THD *thd, st_security_context *backup) sp_restore_security_context(THD *thd, Security_context *backup)
{ {
if (backup) if (backup)
thd->security_ctx= backup; thd->security_ctx= backup;

11
sql/sp_head.h
View File

@ -151,8 +151,11 @@ public:
// Pointers set during parsing // Pointers set during parsing
uchar *m_param_begin, *m_param_end, *m_body_begin; uchar *m_param_begin, *m_param_end, *m_body_begin;
/* security context for SP procedure/function in case we switch it*/ /*
st_security_context m_security_ctx; Security context for stored routine which should be run under
definer privileges.
*/
Security_context m_security_ctx;
static void * static void *
operator new(size_t size); operator new(size_t size);
@ -1023,9 +1026,9 @@ private:
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
bool bool
sp_change_security_context(THD *thd, sp_head *sp, sp_change_security_context(THD *thd, sp_head *sp,
st_security_context **backup); Security_context **backup);
void void
sp_restore_security_context(THD *thd, st_security_context *backup); sp_restore_security_context(THD *thd, Security_context *backup);
#endif /* NO_EMBEDDED_ACCESS_CHECKS */ #endif /* NO_EMBEDDED_ACCESS_CHECKS */
TABLE_LIST * TABLE_LIST *

64
sql/sql_acl.cc
View File

@ -719,7 +719,7 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh,
ulong user_access= NO_ACCESS; ulong user_access= NO_ACCESS;
int res= 1; int res= 1;
ACL_USER *acl_user= 0; ACL_USER *acl_user= 0;
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
DBUG_ENTER("acl_getroot"); DBUG_ENTER("acl_getroot");
if (!initialized) if (!initialized)
@ -728,6 +728,7 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh,
here if mysqld's been started with --skip-grant-tables option. here if mysqld's been started with --skip-grant-tables option.
*/ */
sctx->skip_grants(); sctx->skip_grants();
bzero((char*) mqh, sizeof(*mqh));
DBUG_RETURN(0); DBUG_RETURN(0);
} }
@ -906,12 +907,23 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh,
/* /*
* This is like acl_getroot() above, but it doesn't check password, This is like acl_getroot() above, but it doesn't check password,
* and we don't care about the user resources. and we don't care about the user resources.
* Used to get access rights for SQL SECURITY DEFINER invocation of
* stored procedures. SYNOPSIS
acl_getroot_no_password()
sctx Context which should be initialized
user user name
host host name
ip IP
db current data base name
RETURN
FALSE OK
TRUE Error
*/ */
int acl_getroot_no_password(st_security_context *sctx, char *user, char *host,
bool acl_getroot_no_password(Security_context *sctx, char *user, char *host,
char *ip, char *db) char *ip, char *db)
{ {
int res= 1; int res= 1;
@ -930,7 +942,7 @@ int acl_getroot_no_password(st_security_context *sctx, char *user, char *host,
here if mysqld's been started with --skip-grant-tables option. here if mysqld's been started with --skip-grant-tables option.
*/ */
sctx->skip_grants(); sctx->skip_grants();
DBUG_RETURN(0); DBUG_RETURN(FALSE);
} }
VOID(pthread_mutex_lock(&acl_cache->lock)); VOID(pthread_mutex_lock(&acl_cache->lock));
@ -1649,7 +1661,7 @@ static bool update_user_table(THD *thd, TABLE *table,
static bool test_if_create_new_users(THD *thd) static bool test_if_create_new_users(THD *thd)
{ {
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
bool create_new_users= test(sctx->master_access & INSERT_ACL) || bool create_new_users= test(sctx->master_access & INSERT_ACL) ||
(!opt_safe_user_create && (!opt_safe_user_create &&
test(sctx->master_access & CREATE_USER_ACL)); test(sctx->master_access & CREATE_USER_ACL));
@ -3493,7 +3505,7 @@ bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
uint show_table, uint number, bool no_errors) uint show_table, uint number, bool no_errors)
{ {
TABLE_LIST *table; TABLE_LIST *table;
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
DBUG_ENTER("check_grant"); DBUG_ENTER("check_grant");
DBUG_ASSERT(number > 0); DBUG_ASSERT(number > 0);
@ -3563,7 +3575,7 @@ bool check_grant_column(THD *thd, GRANT_INFO *grant,
const char *db_name, const char *table_name, const char *db_name, const char *table_name,
const char *name, uint length, uint show_tables) const char *name, uint length, uint show_tables)
{ {
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
GRANT_TABLE *grant_table; GRANT_TABLE *grant_table;
GRANT_COLUMN *grant_column; GRANT_COLUMN *grant_column;
ulong want_access= grant->want_privilege & ~grant->privilege; ulong want_access= grant->want_privilege & ~grant->privilege;
@ -3623,7 +3635,7 @@ bool check_grant_all_columns(THD *thd, ulong want_access, GRANT_INFO *grant,
const char* db_name, const char *table_name, const char* db_name, const char *table_name,
Field_iterator *fields) Field_iterator *fields)
{ {
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
GRANT_TABLE *grant_table; GRANT_TABLE *grant_table;
GRANT_COLUMN *grant_column; GRANT_COLUMN *grant_column;
@ -3683,7 +3695,7 @@ err2:
bool check_grant_db(THD *thd,const char *db) bool check_grant_db(THD *thd,const char *db)
{ {
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
char helping [NAME_LEN+USERNAME_LENGTH+2]; char helping [NAME_LEN+USERNAME_LENGTH+2];
uint len; uint len;
bool error= 1; bool error= 1;
@ -3729,7 +3741,7 @@ bool check_grant_routine(THD *thd, ulong want_access,
TABLE_LIST *procs, bool is_proc, bool no_errors) TABLE_LIST *procs, bool is_proc, bool no_errors)
{ {
TABLE_LIST *table; TABLE_LIST *table;
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
char *user= sctx->priv_user; char *user= sctx->priv_user;
char *host= sctx->priv_host; char *host= sctx->priv_host;
DBUG_ENTER("check_grant_routine"); DBUG_ENTER("check_grant_routine");
@ -3797,10 +3809,11 @@ bool check_routine_level_acl(THD *thd, const char *db, const char *name,
if (grant_option) if (grant_option)
{ {
GRANT_NAME *grant_proc; GRANT_NAME *grant_proc;
Security_context *sctx= thd->security_ctx;
rw_rdlock(&LOCK_grant); rw_rdlock(&LOCK_grant);
if ((grant_proc= routine_hash_search(thd->security_ctx->priv_host, if ((grant_proc= routine_hash_search(sctx->priv_host,
thd->security_ctx->ip, db, sctx->ip, db,
thd->security_ctx->priv_user, sctx->priv_user,
name, is_proc, 0))) name, is_proc, 0)))
no_routine_acl= !(grant_proc->privs & SHOW_PROC_ACLS); no_routine_acl= !(grant_proc->privs & SHOW_PROC_ACLS);
rw_unlock(&LOCK_grant); rw_unlock(&LOCK_grant);
@ -3816,7 +3829,7 @@ bool check_routine_level_acl(THD *thd, const char *db, const char *name,
ulong get_table_grant(THD *thd, TABLE_LIST *table) ulong get_table_grant(THD *thd, TABLE_LIST *table)
{ {
ulong privilege; ulong privilege;
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
const char *db = table->db ? table->db : thd->db; const char *db = table->db ? table->db : thd->db;
GRANT_TABLE *grant_table; GRANT_TABLE *grant_table;
@ -3867,9 +3880,10 @@ ulong get_column_grant(THD *thd, GRANT_INFO *grant,
/* reload table if someone has modified any grants */ /* reload table if someone has modified any grants */
if (grant->version != grant_version) if (grant->version != grant_version)
{ {
Security_context *sctx= thd->security_ctx;
grant->grant_table= grant->grant_table=
table_hash_search(thd->security_ctx->host, thd->security_ctx->ip, table_hash_search(sctx->host, sctx->ip,
db_name, thd->security_ctx->priv_user, db_name, sctx->priv_user,
table_name, 0); /* purecov: inspected */ table_name, 0); /* purecov: inspected */
grant->version= grant_version; /* purecov: inspected */ grant->version= grant_version; /* purecov: inspected */
} }
@ -5439,7 +5453,7 @@ bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name,
bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name, bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name,
bool is_proc) bool is_proc)
{ {
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
LEX_USER *combo; LEX_USER *combo;
TABLE_LIST tables[1]; TABLE_LIST tables[1];
List<LEX_USER> user_list; List<LEX_USER> user_list;
@ -5573,7 +5587,7 @@ int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
char buff[100]; char buff[100];
TABLE *table= tables->table; TABLE *table= tables->table;
bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0); bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0);
char *curr_host= thd->security_ctx->get_priv_host(); char *curr_host= thd->security_ctx->priv_host_name();
DBUG_ENTER("fill_schema_user_privileges"); DBUG_ENTER("fill_schema_user_privileges");
for (counter=0 ; counter < acl_users.elements ; counter++) for (counter=0 ; counter < acl_users.elements ; counter++)
@ -5626,7 +5640,7 @@ int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
char buff[100]; char buff[100];
TABLE *table= tables->table; TABLE *table= tables->table;
bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0); bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0);
char *curr_host= thd->security_ctx->get_priv_host(); char *curr_host= thd->security_ctx->priv_host_name();
DBUG_ENTER("fill_schema_schema_privileges"); DBUG_ENTER("fill_schema_schema_privileges");
for (counter=0 ; counter < acl_dbs.elements ; counter++) for (counter=0 ; counter < acl_dbs.elements ; counter++)
@ -5681,7 +5695,7 @@ int fill_schema_table_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
char buff[100]; char buff[100];
TABLE *table= tables->table; TABLE *table= tables->table;
bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0); bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0);
char *curr_host= thd->security_ctx->get_priv_host(); char *curr_host= thd->security_ctx->priv_host_name();
DBUG_ENTER("fill_schema_table_privileges"); DBUG_ENTER("fill_schema_table_privileges");
for (index=0 ; index < column_priv_hash.records ; index++) for (index=0 ; index < column_priv_hash.records ; index++)
@ -5743,7 +5757,7 @@ int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
char buff[100]; char buff[100];
TABLE *table= tables->table; TABLE *table= tables->table;
bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0); bool no_global_access= check_access(thd, SELECT_ACL, "mysql",0,1,1,0);
char *curr_host= thd->security_ctx->get_priv_host(); char *curr_host= thd->security_ctx->priv_host_name();
DBUG_ENTER("fill_schema_table_privileges"); DBUG_ENTER("fill_schema_table_privileges");
for (index=0 ; index < column_priv_hash.records ; index++) for (index=0 ; index < column_priv_hash.records ; index++)
@ -5819,7 +5833,7 @@ int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant, void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant,
const char *db, const char *table) const char *db, const char *table)
{ {
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
/* --skip-grants */ /* --skip-grants */
if (!initialized) if (!initialized)
{ {

2
sql/sql_acl.h
View File

@ -181,7 +181,7 @@ ulong acl_get(const char *host, const char *ip,
const char *user, const char *db, my_bool db_is_pattern); const char *user, const char *db, my_bool db_is_pattern);
int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd, int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd,
uint passwd_len); uint passwd_len);
int acl_getroot_no_password(st_security_context *sctx, char *user, char *host, bool acl_getroot_no_password(Security_context *sctx, char *user, char *host,
char *ip, char *db); char *ip, char *db);
bool acl_check_host(const char *host, const char *ip); bool acl_check_host(const char *host, const char *ip);
bool check_change_password(THD *thd, const char *host, const char *user, bool check_change_password(THD *thd, const char *host, const char *user,

6
sql/sql_class.cc
View File

@ -1822,7 +1822,7 @@ void THD::set_status_var_init()
} }
void st_security_context::init() void Security_context::init()
{ {
host= user= priv_user= ip= 0; host= user= priv_user= ip= 0;
host_or_ip= "connecting host"; host_or_ip= "connecting host";
@ -1832,7 +1832,7 @@ void st_security_context::init()
} }
void st_security_context::destroy() void Security_context::destroy()
{ {
// If not pointer to constant // If not pointer to constant
if (host != my_localhost) if (host != my_localhost)
@ -1843,7 +1843,7 @@ void st_security_context::destroy()
} }
void st_security_context::skip_grants() void Security_context::skip_grants()
{ {
/* privileges for the user are unknown everything is allowed */ /* privileges for the user are unknown everything is allowed */
host_or_ip= (char *)""; host_or_ip= (char *)"";

12
sql/sql_class.h
View File

@ -942,15 +942,17 @@ bool xid_cache_insert(XID_STATE *xid_state);
void xid_cache_delete(XID_STATE *xid_state); void xid_cache_delete(XID_STATE *xid_state);
struct st_security_context { class Security_context {
public:
/* /*
host - host of the client host - host of the client
user - user of the client, set to NULL until the user has been read from user - user of the client, set to NULL until the user has been read from
the connection the connection
priv_user - The user privilege we are using. May be '' for anonymous user. priv_user - The user privilege we are using. May be "" for anonymous user.
ip - client IP ip - client IP
*/ */
char *host, *user, *priv_user, *ip; char *host, *user, *priv_user, *ip;
/* The host privilege we are using */
char priv_host[MAX_HOSTNAME]; char priv_host[MAX_HOSTNAME];
/* points to host if host is available, otherwise points to ip */ /* points to host if host is available, otherwise points to ip */
const char *host_or_ip; const char *host_or_ip;
@ -960,7 +962,7 @@ struct st_security_context {
void init(); void init();
void destroy(); void destroy();
void skip_grants(); void skip_grants();
inline char *get_priv_host() inline char *priv_host_name()
{ {
return (*priv_host ? priv_host : (char *)"%"); return (*priv_host ? priv_host : (char *)"%");
} }
@ -1150,8 +1152,8 @@ public:
the slave SQL thread, in sql/slave.cc. the slave SQL thread, in sql/slave.cc.
*/ */
char *db, *catalog; char *db, *catalog;
st_security_context main_security_ctx; Security_context main_security_ctx;
st_security_context *security_ctx; Security_context *security_ctx;
/* remote (peer) port */ /* remote (peer) port */
uint16 peer_port; uint16 peer_port;

2
sql/sql_db.cc
View File

@ -1093,7 +1093,7 @@ bool mysql_change_db(THD *thd, const char *name, bool no_access_check)
bool system_db= 0; bool system_db= 0;
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
ulong db_access; ulong db_access;
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
#endif #endif
DBUG_ENTER("mysql_change_db"); DBUG_ENTER("mysql_change_db");
DBUG_PRINT("enter",("name: '%s'",name)); DBUG_PRINT("enter",("name: '%s'",name));

103
sql/sql_parse.cc
View File

@ -270,11 +270,10 @@ int check_user(THD *thd, enum enum_server_command command,
const char *passwd, uint passwd_len, const char *db, const char *passwd, uint passwd_len, const char *db,
bool check_count) bool check_count)
{ {
st_security_context *sctx= thd->security_ctx;
DBUG_ENTER("check_user"); DBUG_ENTER("check_user");
#ifdef NO_EMBEDDED_ACCESS_CHECKS #ifdef NO_EMBEDDED_ACCESS_CHECKS
sctx->master_access= GLOBAL_ACLS; // Full rights thd->ain_security_ctx.master_access= GLOBAL_ACLS; // Full rights
/* Change database if necessary */ /* Change database if necessary */
if (db && db[0]) if (db && db[0])
{ {
@ -341,9 +340,11 @@ int check_user(THD *thd, enum enum_server_command command,
if (opt_secure_auth_local) if (opt_secure_auth_local)
{ {
net_printf_error(thd, ER_SERVER_IS_IN_SECURE_AUTH_MODE, net_printf_error(thd, ER_SERVER_IS_IN_SECURE_AUTH_MODE,
sctx->user, sctx->host_or_ip); thd->main_security_ctx.user,
thd->main_security_ctx.host_or_ip);
mysql_log.write(thd, COM_CONNECT, ER(ER_SERVER_IS_IN_SECURE_AUTH_MODE), mysql_log.write(thd, COM_CONNECT, ER(ER_SERVER_IS_IN_SECURE_AUTH_MODE),
sctx->user, sctx->host_or_ip); thd->main_security_ctx.user,
thd->main_security_ctx.host_or_ip);
DBUG_RETURN(-1); DBUG_RETURN(-1);
} }
/* We have to read very specific packet size */ /* We have to read very specific packet size */
@ -361,22 +362,27 @@ int check_user(THD *thd, enum enum_server_command command,
/* here res is always >= 0 */ /* here res is always >= 0 */
if (res == 0) if (res == 0)
{ {
if (!(sctx->master_access & NO_ACCESS)) // authentication is OK if (!(thd->main_security_ctx.master_access &
NO_ACCESS)) // authentication is OK
{ {
DBUG_PRINT("info", DBUG_PRINT("info",
("Capabilities: %d packet_length: %ld Host: '%s' " ("Capabilities: %d packet_length: %ld Host: '%s' "
"Login user: '%s' Priv_user: '%s' Using password: %s " "Login user: '%s' Priv_user: '%s' Using password: %s "
"Access: %u db: '%s'", "Access: %u db: '%s'",
thd->client_capabilities, thd->max_client_packet_length, thd->client_capabilities,
sctx->host_or_ip, sctx->user, sctx->priv_user, thd->max_client_packet_length,
thd->main_security_ctx.host_or_ip,
thd->main_security_ctx.user,
thd->main_security_ctx.priv_user,
passwd_len ? "yes": "no", passwd_len ? "yes": "no",
sctx->master_access, thd->db ? thd->db : "*none*")); thd->main_security_ctx.master_access,
(thd->db ? thd->db : "*none*")));
if (check_count) if (check_count)
{ {
VOID(pthread_mutex_lock(&LOCK_thread_count)); VOID(pthread_mutex_lock(&LOCK_thread_count));
bool count_ok= thread_count <= max_connections + delayed_insert_threads bool count_ok= thread_count <= max_connections + delayed_insert_threads
|| (sctx->master_access & SUPER_ACL); || (thd->main_security_ctx.master_access & SUPER_ACL);
VOID(pthread_mutex_unlock(&LOCK_thread_count)); VOID(pthread_mutex_unlock(&LOCK_thread_count));
if (!count_ok) if (!count_ok)
{ // too many connections { // too many connections
@ -387,10 +393,12 @@ int check_user(THD *thd, enum enum_server_command command,
/* Why logging is performed before all checks've passed? */ /* Why logging is performed before all checks've passed? */
mysql_log.write(thd, command, mysql_log.write(thd, command,
(sctx->priv_user == sctx->user ? (thd->main_security_ctx.priv_user ==
thd->main_security_ctx.user ?
(char*) "%s@%s on %s" : (char*) "%s@%s on %s" :
(char*) "%s@%s as anonymous on %s"), (char*) "%s@%s as anonymous on %s"),
sctx->user, sctx->host_or_ip, thd->main_security_ctx.user,
thd->main_security_ctx.host_or_ip,
db ? db : (char*) ""); db ? db : (char*) "");
/* /*
@ -398,14 +406,16 @@ int check_user(THD *thd, enum enum_server_command command,
set to 0 here because we don't have an active database yet (and we set to 0 here because we don't have an active database yet (and we
may not have an active database to set. may not have an active database to set.
*/ */
sctx->db_access=0; thd->main_security_ctx.db_access=0;
/* Don't allow user to connect if he has done too many queries */ /* Don't allow user to connect if he has done too many queries */
if ((ur.questions || ur.updates || ur.conn_per_hour || ur.user_conn || if ((ur.questions || ur.updates || ur.conn_per_hour || ur.user_conn ||
max_user_connections) && max_user_connections) &&
get_or_create_user_conn(thd, get_or_create_user_conn(thd,
(opt_old_style_user_limits ? sctx->user : sctx->priv_user), (opt_old_style_user_limits ? thd->main_security_ctx.user :
(opt_old_style_user_limits ? sctx->host_or_ip : sctx->priv_host), thd->main_security_ctx.priv_user),
(opt_old_style_user_limits ? thd->main_security_ctx.host_or_ip :
thd->main_security_ctx.priv_host),
&ur)) &ur))
DBUG_RETURN(-1); DBUG_RETURN(-1);
if (thd->user_connect && if (thd->user_connect &&
@ -440,12 +450,12 @@ int check_user(THD *thd, enum enum_server_command command,
DBUG_RETURN(-1); DBUG_RETURN(-1);
} }
net_printf_error(thd, ER_ACCESS_DENIED_ERROR, net_printf_error(thd, ER_ACCESS_DENIED_ERROR,
sctx->user, thd->main_security_ctx.user,
sctx->host_or_ip, thd->main_security_ctx.host_or_ip,
passwd_len ? ER(ER_YES) : ER(ER_NO)); passwd_len ? ER(ER_YES) : ER(ER_NO));
mysql_log.write(thd, COM_CONNECT, ER(ER_ACCESS_DENIED_ERROR), mysql_log.write(thd, COM_CONNECT, ER(ER_ACCESS_DENIED_ERROR),
sctx->user, thd->main_security_ctx.user,
sctx->host_or_ip, thd->main_security_ctx.host_or_ip,
passwd_len ? ER(ER_YES) : ER(ER_NO)); passwd_len ? ER(ER_YES) : ER(ER_NO));
DBUG_RETURN(-1); DBUG_RETURN(-1);
#endif /* NO_EMBEDDED_ACCESS_CHECKS */ #endif /* NO_EMBEDDED_ACCESS_CHECKS */
@ -765,46 +775,49 @@ static int check_connection(THD *thd)
NET *net= &thd->net; NET *net= &thd->net;
ulong pkt_len= 0; ulong pkt_len= 0;
char *end; char *end;
st_security_context *sctx= thd->security_ctx;
DBUG_PRINT("info", DBUG_PRINT("info",
("New connection received on %s", vio_description(net->vio))); ("New connection received on %s", vio_description(net->vio)));
if (!sctx->host) // If TCP/IP connection if (!thd->main_security_ctx.host) // If TCP/IP connection
{ {
char ip[30]; char ip[30];
if (vio_peer_addr(net->vio, ip, &thd->peer_port)) if (vio_peer_addr(net->vio, ip, &thd->peer_port))
return (ER_BAD_HOST_ERROR); return (ER_BAD_HOST_ERROR);
if (!(sctx->ip= my_strdup(ip,MYF(0)))) if (!(thd->main_security_ctx.ip= my_strdup(ip,MYF(0))))
return (ER_OUT_OF_RESOURCES); return (ER_OUT_OF_RESOURCES);
sctx->host_or_ip= sctx->ip; thd->main_security_ctx.host_or_ip= thd->main_security_ctx.ip;
vio_in_addr(net->vio,&thd->remote.sin_addr); vio_in_addr(net->vio,&thd->remote.sin_addr);
if (!(specialflag & SPECIAL_NO_RESOLVE)) if (!(specialflag & SPECIAL_NO_RESOLVE))
{ {
vio_in_addr(net->vio,&thd->remote.sin_addr); vio_in_addr(net->vio,&thd->remote.sin_addr);
sctx->host=ip_to_hostname(&thd->remote.sin_addr,&connect_errors); thd->main_security_ctx.host=
ip_to_hostname(&thd->remote.sin_addr, &connect_errors);
/* Cut very long hostnames to avoid possible overflows */ /* Cut very long hostnames to avoid possible overflows */
if (sctx->host) if (thd->main_security_ctx.host)
{ {
if (sctx->host != my_localhost) if (thd->main_security_ctx.host != my_localhost)
sctx->host[min(strlen(sctx->host), HOSTNAME_LENGTH)]= 0; thd->main_security_ctx.host[min(strlen(thd->main_security_ctx.host),
sctx->host_or_ip= sctx->host; HOSTNAME_LENGTH)]= 0;
thd->main_security_ctx.host_or_ip= thd->main_security_ctx.host;
} }
if (connect_errors > max_connect_errors) if (connect_errors > max_connect_errors)
return(ER_HOST_IS_BLOCKED); return(ER_HOST_IS_BLOCKED);
} }
DBUG_PRINT("info",("Host: %s ip: %s", DBUG_PRINT("info",("Host: %s ip: %s",
sctx->host ? sctx->host : "unknown host", (thd->main_security_ctx.host ?
sctx->ip ? sctx->ip : "unknown ip")); thd->main_security_ctx.host : "unknown host"),
if (acl_check_host(sctx->host, sctx->ip)) (thd->main_security_ctx.ip ?
thd->main_security_ctx.ip : "unknown ip")));
if (acl_check_host(thd->main_security_ctx.host, thd->main_security_ctx.ip))
return(ER_HOST_NOT_PRIVILEGED); return(ER_HOST_NOT_PRIVILEGED);
} }
else /* Hostname given means that the connection was on a socket */ else /* Hostname given means that the connection was on a socket */
{ {
DBUG_PRINT("info",("Host: %s", sctx->host)); DBUG_PRINT("info",("Host: %s", thd->main_security_ctx.host));
sctx->host_or_ip= sctx->host; thd->main_security_ctx.host_or_ip= thd->main_security_ctx.host;
sctx->ip= 0; thd->main_security_ctx.ip= 0;
/* Reset sin_addr */ /* Reset sin_addr */
bzero((char*) &thd->remote, sizeof(thd->remote)); bzero((char*) &thd->remote, sizeof(thd->remote));
} }
@ -987,9 +1000,9 @@ static int check_connection(THD *thd)
thd->charset(), &dummy_errors)]= '\0'; thd->charset(), &dummy_errors)]= '\0';
user= user_buff; user= user_buff;
if (sctx->user) if (thd->main_security_ctx.user)
x_free(sctx->user); x_free(thd->main_security_ctx.user);
if (!(sctx->user= my_strdup(user, MYF(0)))) if (!(thd->main_security_ctx.user= my_strdup(user, MYF(0))))
return (ER_OUT_OF_RESOURCES); return (ER_OUT_OF_RESOURCES);
return check_user(thd, COM_CONNECT, passwd, passwd_len, db, TRUE); return check_user(thd, COM_CONNECT, passwd, passwd_len, db, TRUE);
} }
@ -1077,7 +1090,7 @@ pthread_handler_decl(handle_one_connection,arg)
{ {
int error; int error;
NET *net= &thd->net; NET *net= &thd->net;
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
thd->thread_stack= (char*) &thd; thd->thread_stack= (char*) &thd;
net->no_send_error= 0; net->no_send_error= 0;
@ -1592,7 +1605,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
/* Save user and privileges */ /* Save user and privileges */
uint save_db_length= thd->db_length; uint save_db_length= thd->db_length;
char *save_db= thd->db; char *save_db= thd->db;
st_security_context save_security_ctx= *thd->security_ctx; Security_context save_security_ctx= *thd->security_ctx;
USER_CONN *save_user_connect= thd->user_connect; USER_CONN *save_user_connect= thd->user_connect;
if (!(thd->security_ctx->user= my_strdup(user, MYF(0)))) if (!(thd->security_ctx->user= my_strdup(user, MYF(0))))
@ -4143,7 +4156,7 @@ end_with_restore_list:
else else
{ {
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
st_security_context *save_ctx; Security_context *save_ctx;
#endif #endif
ha_rows select_limit; ha_rows select_limit;
/* bits that should be cleared in thd->server_status */ /* bits that should be cleared in thd->server_status */
@ -4807,7 +4820,7 @@ bool
check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv, check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,
bool dont_check_global_grants, bool no_errors, bool schema_db) bool dont_check_global_grants, bool no_errors, bool schema_db)
{ {
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
ulong db_access; ulong db_access;
bool db_is_pattern= test(want_access & GRANT_ACL); bool db_is_pattern= test(want_access & GRANT_ACL);
@ -4838,8 +4851,8 @@ check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,
{ {
if (!no_errors) if (!no_errors)
my_error(ER_DBACCESS_DENIED_ERROR, MYF(0), my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
thd->security_ctx->priv_user, sctx->priv_user,
thd->security_ctx->priv_host, db_name); sctx->priv_host, db_name);
DBUG_RETURN(TRUE); DBUG_RETURN(TRUE);
} }
else else
@ -5245,7 +5258,7 @@ void mysql_reset_thd_for_next_command(THD *thd)
thd->server_status&= ~ (SERVER_MORE_RESULTS_EXISTS | thd->server_status&= ~ (SERVER_MORE_RESULTS_EXISTS |
SERVER_QUERY_NO_INDEX_USED | SERVER_QUERY_NO_INDEX_USED |
SERVER_QUERY_NO_GOOD_INDEX_USED); SERVER_QUERY_NO_GOOD_INDEX_USED);
thd->security_ctx= &thd->main_security_ctx; DBUG_ASSERT(thd->security_ctx== &thd->main_security_ctx);
thd->tmp_table_used= 0; thd->tmp_table_used= 0;
if (!thd->in_sub_stmt) if (!thd->in_sub_stmt)
{ {
@ -7396,7 +7409,7 @@ Item *negate_expression(THD *thd, Item *expr)
SYNOPSIS SYNOPSIS
default_definer() default_definer()
thd thread handler Secytity_context current decurity context
definer structure where it should be assigned definer structure where it should be assigned
RETURN RETURN
@ -7404,7 +7417,7 @@ Item *negate_expression(THD *thd, Item *expr)
TRUE Error TRUE Error
*/ */
bool default_view_definer(st_security_context *sctx, st_lex_user *definer) bool default_view_definer(Security_context *sctx, st_lex_user *definer)
{ {
definer->user.str= sctx->priv_user; definer->user.str= sctx->priv_user;
definer->user.length= strlen(sctx->priv_user); definer->user.length= strlen(sctx->priv_user);

12
sql/sql_show.cc
View File

@ -415,7 +415,7 @@ mysqld_show_create(THD *thd, TABLE_LIST *table_list)
bool mysqld_show_create_db(THD *thd, char *dbname, bool mysqld_show_create_db(THD *thd, char *dbname,
HA_CREATE_INFO *create_info) HA_CREATE_INFO *create_info)
{ {
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
int length; int length;
char path[FN_REFLEN]; char path[FN_REFLEN];
char buff[2048]; char buff[2048];
@ -1186,7 +1186,7 @@ void mysqld_list_processes(THD *thd,const char *user, bool verbose)
THD *tmp; THD *tmp;
while ((tmp=it++)) while ((tmp=it++))
{ {
st_security_context *tmp_sctx= tmp->security_ctx; Security_context *tmp_sctx= tmp->security_ctx;
struct st_my_thread_var *mysys_var; struct st_my_thread_var *mysys_var;
if ((tmp->vio_ok() || tmp->system_thread) && if ((tmp->vio_ok() || tmp->system_thread) &&
(!user || (tmp_sctx->user && !strcmp(tmp_sctx->user, user)))) (!user || (tmp_sctx->user && !strcmp(tmp_sctx->user, user))))
@ -1205,7 +1205,7 @@ void mysqld_list_processes(THD *thd,const char *user, bool verbose)
"%s:%u", tmp_sctx->host_or_ip, tmp->peer_port); "%s:%u", tmp_sctx->host_or_ip, tmp->peer_port);
} }
else else
thd_info->host= thd->strdup(tmp_sctx->host_or_ip); thd_info->host= thd->strdup(tmp_sctx->host);
if ((thd_info->db=tmp->db)) // Safe test if ((thd_info->db=tmp->db)) // Safe test
thd_info->db=thd->strdup(thd_info->db); thd_info->db=thd->strdup(thd_info->db);
thd_info->command=(int) tmp->command; thd_info->command=(int) tmp->command;
@ -1257,7 +1257,7 @@ void mysqld_list_processes(THD *thd,const char *user, bool verbose)
thread_info *thd_info; thread_info *thd_info;
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
st_security_context *sctx; Security_context *sctx;
#endif #endif
time_t now= time(0); time_t now= time(0);
while ((thd_info=thread_infos.get())) while ((thd_info=thread_infos.get()))
@ -1996,7 +1996,7 @@ int get_all_tables(THD *thd, TABLE_LIST *tables, COND *cond)
List<char> bases; List<char> bases;
List_iterator_fast<char> it(bases); List_iterator_fast<char> it(bases);
COND *partial_cond; COND *partial_cond;
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
uint derived_tables= lex->derived_tables; uint derived_tables= lex->derived_tables;
int error= 1; int error= 1;
Open_tables_state open_tables_state_backup; Open_tables_state open_tables_state_backup;
@ -2201,7 +2201,7 @@ int fill_schema_shemata(THD *thd, TABLE_LIST *tables, COND *cond)
bool with_i_schema; bool with_i_schema;
HA_CREATE_INFO create; HA_CREATE_INFO create;
TABLE *table= tables->table; TABLE *table= tables->table;
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
DBUG_ENTER("fill_schema_shemata"); DBUG_ENTER("fill_schema_shemata");
if (make_db_list(thd, &files, &idx_field_vals, if (make_db_list(thd, &files, &idx_field_vals,

4
sql/sql_yacc.yy
View File

@ -6554,7 +6554,7 @@ show_param:
LEX *lex=Lex; LEX *lex=Lex;
lex->sql_command= SQLCOM_SHOW_GRANTS; lex->sql_command= SQLCOM_SHOW_GRANTS;
THD *thd= lex->thd; THD *thd= lex->thd;
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
LEX_USER *curr_user; LEX_USER *curr_user;
if (!(curr_user= (LEX_USER*) thd->alloc(sizeof(st_lex_user)))) if (!(curr_user= (LEX_USER*) thd->alloc(sizeof(st_lex_user))))
YYABORT; YYABORT;
@ -7464,7 +7464,7 @@ user:
| CURRENT_USER optional_braces | CURRENT_USER optional_braces
{ {
THD *thd= YYTHD; THD *thd= YYTHD;
st_security_context *sctx= thd->security_ctx; Security_context *sctx= thd->security_ctx;
if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user)))) if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user))))
YYABORT; YYABORT;
$$->user.str= sctx->priv_user; $$->user.str= sctx->priv_user;