From 74465080c617c27ee2f92fa64f131a46b895d6f6 Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 3 Aug 2006 14:03:08 +0500 Subject: [PATCH 1/3] BUG#7391 - Cross-database multi-table UPDATE uses active database privileges This problem is 4.1 specific. It doesn't affect 4.0 and was fixed in 5.x before. Having any mysql user who is allowed to issue multi table update statement and any column/table grants, allows this user to update any table on a server (mysql grant tables are not exception). check_grant() accepts number of tables (in table list) to be checked in 5-th param. While checking grants for multi table update, number of tables must be 1. It must never be 0 (actually we have DBUG_ASSERT(number > 0) in 5.x in grant_check() function). mysql-test/r/grant.result: Addition to test case for bug#7391: - Added grant statement to trigger this problem in 4.1. - Fixed error messages. mysql-test/t/grant.test: Addition to test case for bug#7391: - Added grant statement to trigger this problem in 4.1. - Fixed error messages. sql/sql_update.cc: check_grant() accepts number of tables (in table list) to be checked in 5-th param. For this particular check number of tables must be 1. It must never be 0 (actually we have DBUG_ASSERT(number > 0) in 5.x in grant_check() function). --- mysql-test/r/grant.result | 9 +++++---- mysql-test/t/grant.test | 10 ++++++---- sql/sql_update.cc | 2 +- 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/mysql-test/r/grant.result b/mysql-test/r/grant.result index dffa4988ea7..1960f3a76b9 100644 --- a/mysql-test/r/grant.result +++ b/mysql-test/r/grant.result @@ -383,7 +383,7 @@ GRANT SELECT (c) ON `mysqltest_2`.`t1` TO 'mysqltest_3'@'localhost' update mysqltest_1.t1, mysqltest_1.t2 set q=10 where b=1; ERROR 42000: UPDATE command denied to user 'mysqltest_3'@'localhost' for column 'q' in table 't1' update mysqltest_1.t1, mysqltest_2.t2 set d=20 where d=1; -ERROR 42000: SELECT command denied to user 'mysqltest_3'@'localhost' for column 'd' in table 't2' +ERROR 42000: SELECT command denied to user 'mysqltest_3'@'localhost' for table 't1' update mysqltest_2.t1, mysqltest_1.t2 set c=20 where b=1; ERROR 42000: UPDATE command denied to user 'mysqltest_3'@'localhost' for column 'c' in table 't1' update mysqltest_2.t1, mysqltest_2.t2 set d=10 where s=2; @@ -402,6 +402,7 @@ revoke all on mysqltest_2.t1 from mysqltest_3@localhost; revoke all on mysqltest_2.t2 from mysqltest_3@localhost; grant all on mysqltest_2.* to mysqltest_3@localhost; grant select on *.* to mysqltest_3@localhost; +grant select on mysqltest_2.t1 to mysqltest_3@localhost; flush privileges; use mysqltest_1; update mysqltest_2.t1, mysqltest_2.t2 set c=500,d=600; @@ -409,11 +410,11 @@ update mysqltest_1.t1, mysqltest_1.t2 set a=100,b=200; ERROR 42000: UPDATE command denied to user 'mysqltest_3'@'localhost' for column 'a' in table 't1' use mysqltest_2; update mysqltest_1.t1, mysqltest_1.t2 set a=100,b=200; -ERROR 42000: Access denied for user 'mysqltest_3'@'localhost' to database 'mysqltest_1' +ERROR 42000: UPDATE command denied to user 'mysqltest_3'@'localhost' for table 't1' update mysqltest_2.t1, mysqltest_1.t2 set c=100,b=200; -ERROR 42000: Access denied for user 'mysqltest_3'@'localhost' to database 'mysqltest_1' +ERROR 42000: UPDATE command denied to user 'mysqltest_3'@'localhost' for table 't2' update mysqltest_1.t1, mysqltest_2.t2 set a=100,d=200; -ERROR 42000: Access denied for user 'mysqltest_3'@'localhost' to database 'mysqltest_1' +ERROR 42000: UPDATE command denied to user 'mysqltest_3'@'localhost' for table 't1' select t1.*,t2.* from mysqltest_1.t1,mysqltest_1.t2; a q b r 10 2 1 2 diff --git a/mysql-test/t/grant.test b/mysql-test/t/grant.test index 60b60547fcc..3365145650a 100644 --- a/mysql-test/t/grant.test +++ b/mysql-test/t/grant.test @@ -323,7 +323,7 @@ connection conn1; show grants for mysqltest_3@localhost; --error 1143 update mysqltest_1.t1, mysqltest_1.t2 set q=10 where b=1; ---error 1143 +--error 1142 update mysqltest_1.t1, mysqltest_2.t2 set d=20 where d=1; --error 1143 update mysqltest_2.t1, mysqltest_1.t2 set c=20 where b=1; @@ -343,6 +343,8 @@ revoke all on mysqltest_2.t2 from mysqltest_3@localhost; #test the db/table level privileges grant all on mysqltest_2.* to mysqltest_3@localhost; grant select on *.* to mysqltest_3@localhost; +# Next grant is needed to trigger bug#7391. Do not optimize! +grant select on mysqltest_2.t1 to mysqltest_3@localhost; flush privileges; disconnect conn1; connect (conn2,localhost,mysqltest_3,,); @@ -354,11 +356,11 @@ update mysqltest_2.t1, mysqltest_2.t2 set c=500,d=600; update mysqltest_1.t1, mysqltest_1.t2 set a=100,b=200; use mysqltest_2; #the following used to succeed, it must fail now. ---error 1044 +--error 1142 update mysqltest_1.t1, mysqltest_1.t2 set a=100,b=200; ---error 1044 +--error 1142 update mysqltest_2.t1, mysqltest_1.t2 set c=100,b=200; ---error 1044 +--error 1142 update mysqltest_1.t1, mysqltest_2.t2 set a=100,d=200; #lets see the result connection master; diff --git a/sql/sql_update.cc b/sql/sql_update.cc index 089d0bf0660..af4ba8025f9 100644 --- a/sql/sql_update.cc +++ b/sql/sql_update.cc @@ -628,7 +628,7 @@ int mysql_multi_update_lock(THD *thd, if (!using_lock_tables) tl->table->reginfo.lock_type= tl->lock_type; if (check_access(thd, wants, tl->db, &tl->grant.privilege, 0, 0) || - (grant_option && check_grant(thd, wants, tl, 0, 0, 0))) + (grant_option && check_grant(thd, wants, tl, 0, 1, 0))) { tl->next= save; DBUG_RETURN(1); From 6071b686b179d1fcc96cd6ccce940d62bd509c70 Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 11 Aug 2006 14:41:07 +0500 Subject: [PATCH 2/3] Extended a test case for bug#7391. --- mysql-test/r/grant.result | 1 + mysql-test/t/grant.test | 2 ++ 2 files changed, 3 insertions(+) diff --git a/mysql-test/r/grant.result b/mysql-test/r/grant.result index 3f3325354ee..7ad2a5033e9 100644 --- a/mysql-test/r/grant.result +++ b/mysql-test/r/grant.result @@ -426,6 +426,7 @@ revoke all on mysqltest_2.t1 from mysqltest_3@localhost; revoke all on mysqltest_2.t2 from mysqltest_3@localhost; grant all on mysqltest_2.* to mysqltest_3@localhost; grant select on *.* to mysqltest_3@localhost; +grant select on mysqltest_2.t1 to mysqltest_3@localhost; flush privileges; use mysqltest_1; update mysqltest_2.t1, mysqltest_2.t2 set c=500,d=600; diff --git a/mysql-test/t/grant.test b/mysql-test/t/grant.test index a9d52f559ca..73857d8ab69 100644 --- a/mysql-test/t/grant.test +++ b/mysql-test/t/grant.test @@ -362,6 +362,8 @@ revoke all on mysqltest_2.t2 from mysqltest_3@localhost; #test the db/table level privileges grant all on mysqltest_2.* to mysqltest_3@localhost; grant select on *.* to mysqltest_3@localhost; +# Next grant is needed to trigger bug#7391. Do not optimize! +grant select on mysqltest_2.t1 to mysqltest_3@localhost; flush privileges; disconnect conn1; connect (conn2,localhost,mysqltest_3,,); From f6d7985a5b4a5c7d94cb04ba003dfa411cf0d3f2 Mon Sep 17 00:00:00 2001 From: unknown Date: Mon, 14 Aug 2006 17:05:02 +0500 Subject: [PATCH 3/3] BUG#18874 - Setting myisam_repair_threads > 1, index cardinality always 1 Fixed by moving update_key_parts() down to be after write_index(). myisam/sort.c: write_index() collects index statistic which is further used in update_key_parts(). Thus update_key_parts() must be called after write_index(). mysql-test/r/repair.result: Test case for bug#18874. mysql-test/t/repair.test: Test case for bug#18874. --- myisam/sort.c | 12 +++++------- mysql-test/r/repair.result | 11 +++++++++++ mysql-test/t/repair.test | 11 +++++++++++ 3 files changed, 27 insertions(+), 7 deletions(-) diff --git a/myisam/sort.c b/myisam/sort.c index 96b55d599c8..1a3dc147cd9 100644 --- a/myisam/sort.c +++ b/myisam/sort.c @@ -480,13 +480,6 @@ int thr_write_keys(MI_SORT_PARAM *sort_param) if (!got_error) { share->state.key_map|=(ulonglong) 1 << sinfo->key; - if (param->testflag & T_STATISTICS) - update_key_parts(sinfo->keyinfo, rec_per_key_part, sinfo->unique, - param->stats_method == MI_STATS_METHOD_IGNORE_NULLS? - sinfo->notnull: NULL, - (ulonglong) info->state->records); - - if (!sinfo->buffpek.elements) { if (param->testflag & T_VERBOSE) @@ -498,6 +491,11 @@ int thr_write_keys(MI_SORT_PARAM *sort_param) flush_ft_buf(sinfo) || flush_pending_blocks(sinfo)) got_error=1; } + if (!got_error && param->testflag & T_STATISTICS) + update_key_parts(sinfo->keyinfo, rec_per_key_part, sinfo->unique, + param->stats_method == MI_STATS_METHOD_IGNORE_NULLS? + sinfo->notnull: NULL, + (ulonglong) info->state->records); } my_free((gptr) sinfo->sort_keys,MYF(0)); my_free(mi_get_rec_buff_ptr(info, sinfo->rec_buff), diff --git a/mysql-test/r/repair.result b/mysql-test/r/repair.result index dbca5c39a6c..e0849452399 100644 --- a/mysql-test/r/repair.result +++ b/mysql-test/r/repair.result @@ -37,3 +37,14 @@ Table Op Msg_type Msg_text test.t1 repair warning Number of rows changed from 0 to 1 test.t1 repair status OK drop table t1; +CREATE TABLE t1(a INT, KEY(a)); +INSERT INTO t1 VALUES(1),(2),(3),(4),(5); +SET myisam_repair_threads=2; +REPAIR TABLE t1; +Table Op Msg_type Msg_text +test.t1 repair status OK +SHOW INDEX FROM t1; +Table Non_unique Key_name Seq_in_index Column_name Collation Cardinality Sub_part Packed Null Index_type Comment +t1 1 a 1 a A 5 NULL NULL YES BTREE +SET myisam_repair_threads=@@global.myisam_repair_threads; +DROP TABLE t1; diff --git a/mysql-test/t/repair.test b/mysql-test/t/repair.test index 5e39e0b6a50..f086d5b0c2a 100644 --- a/mysql-test/t/repair.test +++ b/mysql-test/t/repair.test @@ -34,4 +34,15 @@ repair table t1; repair table t1 use_frm; drop table t1; +# +# BUG#18874 - Setting myisam_repair_threads > 1, index cardinality always 1 +# +CREATE TABLE t1(a INT, KEY(a)); +INSERT INTO t1 VALUES(1),(2),(3),(4),(5); +SET myisam_repair_threads=2; +REPAIR TABLE t1; +SHOW INDEX FROM t1; +SET myisam_repair_threads=@@global.myisam_repair_threads; +DROP TABLE t1; + # End of 4.1 tests