Bug #14211140: CRASH WHEN GRANTING OR REVOKING PROXY

PRIVILEGES

Description: (user,host) pair from security context is used
             privilege checking at the time of granting or
             revoking proxy privileges. This creates problem
             when server is started with
             --skip-name-resolve option because host will not
             contain any value. Checks should be dependent on
             consistent values regardless the way server is
             started. Further, privilege check should use
             (priv_user,priv_host) pair rather than values
             obtained from inbound connection because
             this pair represents the correct account context
             obtained from mysql.user table.

mysql-test/r/plugin_auth.result

@@ -124,17 +124,20 @@ ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
 this should fail : not the same user
 GRANT PROXY ON grant_plug TO grant_plug_dest;
 ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
-this should fail : same user, but on a different host
+This is a valid grant
 GRANT PROXY ON grant_plug_dest TO grant_plug;
-ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
-this should work : same user
-GRANT PROXY ON grant_plug_dest@localhost TO grant_plug_dest2;
-REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug_dest2;
+REVOKE PROXY ON grant_plug_dest FROM grant_plug;
 this should work : same user
+GRANT PROXY ON grant_plug_dest TO grant_plug_dest2;
+REVOKE PROXY ON grant_plug_dest FROM grant_plug_dest2;
+this should fail : not the same user
 GRANT PROXY ON grant_plug_dest@localhost TO grant_plug WITH GRANT OPTION;
+ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
+this should fail : not the same user
 REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug;
+ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
 this should fail : can't create users
-GRANT PROXY ON grant_plug_dest@localhost TO grant_plug@localhost;
+GRANT PROXY ON grant_plug_dest TO grant_plug@localhost;
 ERROR 42000: You are not allowed to create a user with GRANT
 in default connection
 # test what root can grant
@@ -152,12 +155,12 @@ GRANT PROXY ON future_user TO grant_plug;
 in default connection
 SHOW GRANTS FOR grant_plug;
 Grants for grant_plug@%
-GRANT ALL PRIVILEGES ON *.* TO 'grant_plug'@'%' WITH GRANT OPTION
+GRANT ALL PRIVILEGES ON *.* TO 'grant_plug'@'%'
 GRANT PROXY ON 'future_user'@'%' TO 'grant_plug'@'%'
 REVOKE PROXY ON future_user FROM grant_plug;
 SHOW GRANTS FOR grant_plug;
 Grants for grant_plug@%
-GRANT ALL PRIVILEGES ON *.* TO 'grant_plug'@'%' WITH GRANT OPTION
+GRANT ALL PRIVILEGES ON *.* TO 'grant_plug'@'%'
 ## testing drop user
 CREATE USER test_drop@localhost;
 GRANT PROXY ON future_user TO test_drop@localhost;

mysql-test/t/plugin_auth.test

@@ -179,21 +179,35 @@ GRANT PROXY ON ''@'' TO grant_plug;
 --error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
 GRANT PROXY ON grant_plug TO grant_plug_dest;
 
---echo this should fail : same user, but on a different host
---error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+# Security context in THD contains two pairs of (user,host)
+# 1. (user,host) pair referring to inbound connection
+# 2. (priv_user,priv_host) pair obtained from mysql.user table after doing
+#    authnetication of incoming connection.
+# Granting/revoking proxy privileges, privileges should be checked wrt
+# (priv_user, priv_host) tuple that is obtained from mysql.user table
+# Following is a valid grant because effective user of connection is
+# grant_plug_dest@% and statement is trying to grant proxy on the same
+# user.
+--echo This is a valid grant
 GRANT PROXY ON grant_plug_dest TO grant_plug;
+REVOKE PROXY ON grant_plug_dest FROM grant_plug;
 
 --echo this should work : same user
-GRANT PROXY ON grant_plug_dest@localhost TO grant_plug_dest2;
-REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug_dest2;
+GRANT PROXY ON grant_plug_dest TO grant_plug_dest2;
+REVOKE PROXY ON grant_plug_dest FROM grant_plug_dest2;
 
---echo this should work : same user
+# grant_plug_dest@localhost is not the same as grant_plug_dest@%
+# so following grant/revoke should fail
+--echo this should fail : not the same user
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
 GRANT PROXY ON grant_plug_dest@localhost TO grant_plug WITH GRANT OPTION;
+--echo this should fail : not the same user
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
 REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug;
 
 --echo this should fail : can't create users
 --error ER_CANT_CREATE_USER_WITH_GRANT
-GRANT PROXY ON grant_plug_dest@localhost TO grant_plug@localhost;
+GRANT PROXY ON grant_plug_dest TO grant_plug@localhost;
 
 connection default;
 --echo in default connection

sql/sql_acl.cc

@@ -7256,14 +7256,25 @@ acl_check_proxy_grant_access(THD *thd, const char *host, const char *user,
     DBUG_RETURN(FALSE);
   }
 
-  /* one can grant proxy to himself to others */
-  if (!strcmp(thd->security_ctx->user, user) &&
+  /*
+    one can grant proxy for self to others.
+    Security context in THD contains two pairs of (user,host):
+    1. (user,host) pair referring to inbound connection.
+    2. (priv_user,priv_host) pair obtained from mysql.user table after doing
+        authnetication of incoming connection.
+    Privileges should be checked wrt (priv_user, priv_host) tuple, because
+    (user,host) pair obtained from inbound connection may have different
+    values than what is actually stored in mysql.user table and while granting
+    or revoking proxy privilege, user is expected to provide entries mentioned
+    in mysql.user table.
+  */
+  if (!strcmp(thd->security_ctx->priv_user, user) &&
       !my_strcasecmp(system_charset_info, host,
-                     thd->security_ctx->host))
+                     thd->security_ctx->priv_host))
   {
     DBUG_PRINT("info", ("strcmp (%s, %s) my_casestrcmp (%s, %s) equal", 
-                        thd->security_ctx->user, user,
-                        host, thd->security_ctx->host));
+                        thd->security_ctx->priv_user, user,
+                        host, thd->security_ctx->priv_host));
     DBUG_RETURN(FALSE);
   }