HOST HAS '_' IN THE HOSTNAME
Problem:
=======
'_' and '%' are treated as wildcards by the ACL code and
this is documented in the manual. The problem with
mysql_install_db is that it does not take this into account
when creating the initial GRANT tables:
--- cut ---
REPLACE INTO tmp_user SELECT @current_hostname,'root','','Y',
'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y',
'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',
0,0,0,0 FROM dual WHERE LOWER( @current_hostname) != 'localhost';
--- cut ---
If @current_hostname contains any wildcard characters, then
a wildcard entry will be defined for the 'root' user,
which is a flaw.
Analysis:
========
As per the bug description when we have a hostname with a
wildcard character in it, it allows clients from several other
hosts with similar name pattern to connect to the server as root.
For example, if the hostname is like 'host_.com' then the same
name is logged in mysql.user table. This allows 'root' users
from other hosts like 'host1.com', 'host2.com' ... to connect
to the server as root user.
While creating the initial GRANT tables we do not have a check
for wildcard characters in hostname.
Fix:
===
As part of the fix, the escape character "\" is added before a wildcard
character to make it a plain character, so that the one and
only host with the exact name will be able to connect to the
server.
scripts/mysql_system_tables_data.sql:
while creating default users get the hostname and
replace the wildcard characters within the hostname after
escaping them.
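
Added example (not part of the commit message or of the MySQL source): a simplified Python model of the host matching described above, showing that a Host value of 'host_.com' also admits 'host1.com' while the escaped form admits only the literal name, plus a check for 'root' rows that still act as wildcards. All function names and the sample rows are hypothetical, and the matching ignores IP and netmask forms.

```python
import re

def host_matches(pattern: str, client_host: str) -> bool:
    """Simplified model of ACL host matching: '_' = any one character,
    '%' = any run of characters, '\\' makes the next character literal."""
    regex, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            regex.append(re.escape(pattern[i + 1]))  # escaped: match literally
            i += 2
            continue
        regex.append("." if ch == "_" else ".*" if ch == "%" else re.escape(ch))
        i += 1
    return re.fullmatch("".join(regex), client_host, re.I | re.S) is not None

def escape_hostname(hostname: str) -> str:
    """Prefix each wildcard character with a backslash, as the fix describes."""
    return hostname.replace("_", "\\_").replace("%", "\\%")

def has_unescaped_wildcard(pattern: str) -> bool:
    """True if the pattern contains '_' or '%' not preceded by a backslash."""
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if pattern[i] in "_%":
            return True
        i += 1
    return False

def audit_root_hosts(rows):
    """Return Host values of 'root' rows that still act as wildcards."""
    return [h for user, h in rows if user == "root" and has_unescaped_wildcard(h)]

# Constructed sample of (User, Host) pairs, not real data.
SAMPLE_ROWS = [("root", "localhost"), ("root", "host_.com"),
               ("root", "host\\_.com"), ("app", "%")]

if __name__ == "__main__":
    for candidate in ("host_.com", "host1.com", "host2.com"):
        print(candidate,
              "unescaped:", host_matches("host_.com", candidate),
              "escaped:", host_matches(escape_hostname("host_.com"), candidate))
    print("root rows to review:", audit_root_hosts(SAMPLE_ROWS))
```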
- Removed files specific to compiling on OS/2
- Removed files specific to SCO Unix packaging
- Removed "libmysqld/copyright", text is included in documentation
- Removed LaTeX headers for NDB Doxygen documentation
- Removed obsolete NDB files
- Removed "mkisofs" binaries
- Removed the "cvs2cl.pl" script
- Changed a few GPL texts to use "program" instead of "library"
1. Fixed the name of the table to proxies_priv
2. Fixed the column names to be of the form Capitalized_lowercase instead of
Capitalized_Capitalized
3. Added Timestamp and Grantor columns
4. Added tests to plugin_auth to check the table structure
5. Updated the existing tests
Original revision in 6.0:
------------------------------------------------------------
revno: 2630.13.11
committer: Alexander Nozdrin <alik@mysql.com>
branch nick: 6.0-rt-wl4300
timestamp: Thu 2008-07-24 11:44:21 +0400
message:
A patch for WL#4300: Define privileges for tablespaces.
------------------------------------------------------------
per-file messages:
mysql-test/r/grant.result
Update result file: new column 'Create_tablespace_priv' has been added to mysql.user.
mysql-test/r/ps.result
Update result file: new column 'Create_tablespace_priv' has been added to mysql.user.
mysql-test/r/system_mysql_db.result
Update result file: new column 'Create_tablespace_priv' has been added to mysql.user.
mysql-test/suite/falcon/r/falcon_tablespace_priv.result
Test case for WL#4300.
mysql-test/suite/falcon/t/falcon_tablespace_priv.test
Test case for WL#4300.
mysql-test/suite/ndb/r/ndb_dd_ddl.result
Test case for WL#4300.
mysql-test/suite/ndb/t/ndb_dd_ddl.test
Test case for WL#4300.
scripts/mysql_system_tables.sql
New column 'Create_tablespace_priv' has been added to mysql.user.
scripts/mysql_system_tables_data.sql
'CREATE TABLESPACE' is granted by default to the root user.
scripts/mysql_system_tables_fix.sql
Grant 'CREATE TABLESPACE' privilege during system table upgrade
if a user had SUPER privilege.
sql/sql_acl.cc
Added CREATE TABLESPACE privilege.
sql/sql_acl.h
Added CREATE TABLESPACE privilege.
sql/sql_parse.cc
Check global 'CREATE TABLESPACE' privilege for the following SQL statements:
- CREATE | ALTER | DROP TABLESPACE
- CREATE | ALTER | DROP LOGFILE GROUP
sql/sql_show.cc
Added CREATE TABLESPACE privilege.
sql/sql_yacc.yy
Added CREATE TABLESPACE privilege.
Machines with hostname set to "localhost" cause uniqueness errors in
the SQL bootstrap data.
Now, insert zero lines for cases where the (lowercased) hostname is
the same as an already-inserted 'localhost' name. Also, fix a few tests
that expect certain local accounts to have a certain host name.
Fix is to remove any references to the current hostname when running
mysql_install_db --cross-bootstrap. (The dist-hook make target makes
this call, and the resulting data directory is included in the source
distribution as win/data/*.)
Also, a few other clean-ups to mysql_install_db while there.
Makefile.am:
Adapt to clean-up in mysql_install_db (--windows becomes --cross-bootstrap)
scripts/mysql_install_db.sh:
Filter out references to the current hostname when performing
a cross-bootstrap installation by removing any lines which
contain the string "@current_hostname".
Deprecate the old --windows option; use --cross-bootstrap
instead, since it more accurately reflects the purpose.
Other clean-up: the wrong syntax was being used to test the
exit status of mysqld --bootstrap. It mostly worked, as long
as mysqld succeeded. However, it was not robust.
scripts/mysql_system_tables_data.sql:
Rename local @hostname variable to @current_hostname, which is a more
unique label to search on. mysql_install_db now filters out all
lines which include "@current_hostname" during a --cross-bootstrap
installation.
into ramayana.hindu.god:/home/tsmith/m/bk/maint/51
configure.in:
Auto merged
mysql-test/Makefile.am:
Auto merged
mysql-test/mysql-test-run.pl:
Auto merged
scripts/Makefile.am:
Auto merged
scripts/mysql_system_tables_data.sql:
Auto merged
scripts/mysqld_safe.sh:
Auto merged
sql/sql_select.cc:
Auto merged
storage/innobase/handler/ha_innodb.cc:
Auto merged
were accidentally removed during a previous rototill of this
code. Fixes bug#27692.
While it can be argued we should strive to provide a 'secure by
default' installation, this happens to be the setup currently
documented in the manual as the default, so defer changes that
improve security out of the box to a co-ordinated effort later
on.
For now, make a note about the test databases and anonymous user
in mysql_install_db and recommend that mysql_secure_installation
be run for users wishing to remove these defaults.
[..re-commit of previously lost change..]
scripts/mysql_system_tables_data.sql:
Add anonymous accounts.
scripts/mysql_install_db.sh:
Point users at the mysql_secure_installation script.
mysql-test/mysql-test-run.pl:
Add a comment where removing anonymous users.
- Use a local uservariable to avoid @@hostname in binlog
scripts/mysql_system_tables_data.sql:
Load @@hostname into a local user variable to avoid
writing @@hostname to the binary log that potentially
would be replicated to a slave server that was not yet upgraded
to have @@hostname.
into pilot.blaudden:/home/msvensson/mysql/mysql-5.1-maint
mysql-test/mysql-test-run.pl:
Auto merged
scripts/mysql_install_db.sh:
Auto merged
scripts/mysql_system_tables.sql:
Manual merge
scripts/mysql_system_tables_data.sql:
Manual merge
- Allow mysql_install_db to be run a second time in the same
datadir to create and fill any missing system tables
scripts/mysql_install_db.sh:
Remove check that disallowed running mysql_install_db a second time
in same directory
scripts/mysql_system_tables.sql:
Save information about if tables db and user already existed
scripts/mysql_system_tables_data.sql:
Fill tables db and user with initial data if tables
didn't already exist.
- Split out initial data in mysql_system_tables.sql to its own file
- Use file from mysql_install_db and mysql-test-run
scripts/mysql_system_tables_fix.sql:
Rename: scripts/mysql_fix_privilege_tables.sql.in -> scripts/mysql_system_tables_fix.sql
mysql-test/mysql-test-run.pl:
- Add mysql_system_tables_data.sql as part of the bootstrap
- Remove the addition of pid to end of bootstrap.sql, now
the file used for bootstrap will be $opt_vardir/tmp/bootstrap.sql
- Improve error message describing how to find cause of a
failed bootstrap
scripts/Makefile.am:
- Rename mysql_fix_privileg_tables.sql.in to mysql_system_tables_fix.sql
- Build mysql_fix_privilege_tables from mysql_system_tables.sql and
mysql_system_tables_fix.sql
- Add mysql_system_tables_fix.sql to EXTRA_DIST
scripts/mysql_install_db.sh:
- Use mysql_system_tables_data.sql file when bootstrapping
mysql, it will contain initial data for MySQL system tables
scripts/mysql_system_tables.sql:
Move initial data for system tables to its own file
scripts/mysql_system_tables_data.sql:
Move initial data for system tables to its own file