executor,infoschema: check privilege for 'show processlist' (#7858)

"show processlist" requires the PROCESS privilege. Otherwise, the user can see only his own threads.
pingcap · Oct 10, 2018 · 38f2fe0 · 38f2fe0
1 parent ead685b
commit 38f2fe0
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/executor/executor_pkg_test.go b/executor/executor_pkg_test.go
@@ -24,6 +24,7 @@ import (
 	"github.com/pingcap/tidb/sessionctx/stmtctx"
 	"github.com/pingcap/tidb/types"
 	"github.com/pingcap/tidb/util"
+	"github.com/pingcap/tidb/util/auth"
 	"github.com/pingcap/tidb/util/chunk"
 	"github.com/pingcap/tidb/util/mock"
 	"github.com/pingcap/tidb/util/ranger"
@@ -78,6 +79,7 @@ func (s *testExecSuite) TestShowProcessList(c *C) {
 	}
 	sctx := mock.NewContext()
 	sctx.SetSessionManager(sm)
+	sctx.GetSessionVars().User = &auth.UserIdentity{Username: "test"}
 
 	// Compose executor.
 	e := &ShowExec{

diff --git a/executor/show.go b/executor/show.go
@@ -188,6 +188,14 @@ func (e *ShowExec) fetchShowProcessList() error {
 		return nil
 	}
 
+	loginUser := e.ctx.GetSessionVars().User
+	var hasProcessPriv bool
+	if pm := privilege.GetPrivilegeManager(e.ctx); pm != nil {
+		if pm.RequestVerification("", "", "", mysql.ProcessPriv) {
+			hasProcessPriv = true
+		}
+	}
+
 	pl := sm.ShowProcessList()
 	for _, pi := range pl {
 		var info string
@@ -197,6 +205,12 @@ func (e *ShowExec) fetchShowProcessList() error {
 			info = fmt.Sprintf("%.100v", pi.Info)
 		}
 
+		// If you have the PROCESS privilege, you can see all threads.
+		// Otherwise, you can see only your own threads.
+		if !hasProcessPriv && pi.User != loginUser.Username {
+			continue
+		}
+
 		e.appendRow([]interface{}{
 			pi.ID,
 			pi.User,

diff --git a/infoschema/tables.go b/infoschema/tables.go
@@ -608,9 +608,23 @@ func dataForProcesslist(ctx sessionctx.Context) [][]types.Datum {
 		return nil
 	}
 
+	loginUser := ctx.GetSessionVars().User
+	var hasProcessPriv bool
+	if pm := privilege.GetPrivilegeManager(ctx); pm != nil {
+		if pm.RequestVerification("", "", "", mysql.ProcessPriv) {
+			hasProcessPriv = true
+		}
+	}
+
 	var records [][]types.Datum
 	pl := sm.ShowProcessList()
 	for _, pi := range pl {
+		// If you have the PROCESS privilege, you can see all threads.
+		// Otherwise, you can see only your own threads.
+		if !hasProcessPriv && pi.User != loginUser.Username {
+			continue
+		}
+
 		var t uint64
 		if len(pi.Info) != 0 {
 			t = uint64(time.Since(pi.Time) / time.Second)