From 38f2fe0b6028ab7dd016fe7c5c7df45f4f2be0fd Mon Sep 17 00:00:00 2001
From: tiancaiamao
Date: Wed, 10 Oct 2018 17:50:37 +0800
Subject: [PATCH] executor,infoschema: check privilege for 'show processlist' (#7858)
"show processlist" requires the PROCESS privilege. Otherwise, the user can see only his own threads.
---
 executor/executor_pkg_test.go | 2 ++
 executor/show.go | 14 ++++++++++++++
 infoschema/tables.go | 14 ++++++++++++++
 3 files changed, 30 insertions(+)
diff --git a/executor/executor_pkg_test.go b/executor/executor_pkg_test.go
index ef1a158fc0801..bd79e219420b0 100644
--- a/executor/executor_pkg_test.go
+++ b/executor/executor_pkg_test.go
@@ -24,6 +24,7 @@ import (
 "github.com/pingcap/tidb/sessionctx/stmtctx"
 "github.com/pingcap/tidb/types"
 "github.com/pingcap/tidb/util"
+ "github.com/pingcap/tidb/util/auth"
 "github.com/pingcap/tidb/util/chunk"
 "github.com/pingcap/tidb/util/mock"
 "github.com/pingcap/tidb/util/ranger"
@@ -78,6 +79,7 @@ func (s *testExecSuite) TestShowProcessList(c *C) {
 }
 sctx := mock.NewContext()
 sctx.SetSessionManager(sm)
+ sctx.GetSessionVars().User = &auth.UserIdentity{Username: "test"}
 // Compose executor.
 e := &ShowExec{
diff --git a/executor/show.go b/executor/show.go
index 773e7e6d8e85b..0a76e27f683f7 100644
--- a/executor/show.go
+++ b/executor/show.go
@@ -188,6 +188,14 @@ func (e *ShowExec) fetchShowProcessList() error {
 return nil
 }
+ loginUser := e.ctx.GetSessionVars().User
+ var hasProcessPriv bool
+ if pm := privilege.GetPrivilegeManager(e.ctx); pm != nil {
+ if pm.RequestVerification("", "", "", mysql.ProcessPriv) {
+ hasProcessPriv = true
+ }
+ }
+
 pl := sm.ShowProcessList()
 for _, pi := range pl {
 var info string
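Review bot: Nothing visible in this test change asserts the new filtering; the added line only gives the mock session a user named `test`. A case where the mock session manager reports a process owned by a different user and the result omits it, plus one where PROCESS is granted and the row is returned, would pin the access check in both fetchShowProcessList and dataForProcesslist (the diffstat lists no test for the infoschema path). TestShowProcessList continues outside the hunk, so assertions there may already cover part of this.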
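Review bot: The nested `if` around `RequestVerification` only copies a boolean, so `hasProcessPriv = pm.RequestVerification("", "", "", mysql.ProcessPriv)` inside the `pm != nil` branch says the same thing in one line. When `GetPrivilegeManager` returns nil the flag stays false and the listing falls back to own-threads-only; that is the restrictive default, and a comment such as `// No privilege manager: treat the session as lacking PROCESS.` would record it as intended. The same form appears in dataForProcesslist in infoschema/tables.go. fetchShowProcessList starts and ends outside this hunk.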
@@ -197,6 +205,12 @@ func (e *ShowExec) fetchShowProcessList() error {
 info = fmt.Sprintf("%.100v", pi.Info)
 }
+ // If you have the PROCESS privilege, you can see all threads.
+ // Otherwise, you can see only your own threads.
+ if !hasProcessPriv && pi.User != loginUser.Username {
+ continue
+ }
+
 e.appendRow([]interface{}{
 pi.ID,
 pi.User,
diff --git a/infoschema/tables.go b/infoschema/tables.go
index 62691c334e1a0..e1cd952fc9c7e 100644
--- a/infoschema/tables.go
+++ b/infoschema/tables.go
@@ -608,9 +608,23 @@ func dataForProcesslist(ctx sessionctx.Context) [][]types.Datum {
 return nil
 }
+ loginUser := ctx.GetSessionVars().User
+ var hasProcessPriv bool
+ if pm := privilege.GetPrivilegeManager(ctx); pm != nil {
+ if pm.RequestVerification("", "", "", mysql.ProcessPriv) {
+ hasProcessPriv = true
+ }
+ }
+
 var records [][]types.Datum
 pl := sm.ShowProcessList()
 for _, pi := range pl {
+ // If you have the PROCESS privilege, you can see all threads.
+ // Otherwise, you can see only your own threads.
+ if !hasProcessPriv && pi.User != loginUser.Username {
+ continue
+ }
+
 var t uint64
 if len(pi.Info) != 0 {
 t = uint64(time.Since(pi.Time) / time.Second)
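Review bot: `loginUser.Username` is dereferenced without a nil check whenever `hasProcessPriv` is false, and `User` is a pointer (the test in this patch assigns `&auth.UserIdentity{...}` to it, which suggests the mock session leaves it nil). A session without a user identity would panic here rather than get an empty listing; `if !hasProcessPriv && (loginUser == nil || pi.User != loginUser.Username) {` keeps the restrictive behaviour and hides every row from such a session. The identical condition in dataForProcesslist in infoschema/tables.go needs the same guard. The loop body continues outside the hunk.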
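Review bot: This is a second copy of the visibility check in fetchShowProcessList, so the two enforcement points for who may see other users' statements can drift apart when only one is edited. A helper that evaluates `mysql.ProcessPriv` and the login username once and returns a predicate would leave both loops with `if !visible(pi.User) { continue }` and a single place to audit. The match is also on the username alone (`pi.User != loginUser.Username`), so accounts that share a name but differ by host would see each other's rows; whether that is intended is not stated in the patch. dataForProcesslist starts and ends outside the hunk.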