From 662f08b9e9ef6b8f9c2111d5c0d5bc9a78a30a0e Mon Sep 17 00:00:00 2001
From: Lingyu Song
Date: Mon, 23 Mar 2020 21:06:13 +0800
Subject: [PATCH 1/2] privilege: fix show grants privilege check (#15524)
---
 executor/show.go | 13 +++++++++++++
 executor/show_test.go | 15 ++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/executor/show.go b/executor/show.go
index 5dfcf4ba7d581..f0ee081d2914c 100644
--- a/executor/show.go
+++ b/executor/show.go
@@ -1079,6 +1079,19 @@ func (e *ShowExec) fetchShowGrants() error {
 if checker == nil {
 return errors.New("miss privilege checker")
 }
+ sessVars := e.ctx.GetSessionVars()
+ if !e.User.CurrentUser {
+ userName := sessVars.User.AuthUsername
+ hostName := sessVars.User.AuthHostname
+ // Show grant user requires the SELECT privilege on mysql schema.
+ // Ref https://dev.mysql.com/doc/refman/8.0/en/show-grants.html
+ if userName != e.User.Username || hostName != e.User.Hostname {
+ activeRoles := sessVars.ActiveRoles
+ if !checker.RequestVerification(activeRoles, mysql.SystemDB, "", "", mysql.SelectPriv) {
+ return ErrDBaccessDenied.GenWithStackByArgs(userName, hostName, mysql.SystemDB)
+ }
+ }
+ }
 for _, r := range e.Roles {
 if r.Hostname == "" {
 r.Hostname = "%"
diff --git a/executor/show_test.go b/executor/show_test.go
index ef08c6d7c40f7..da850bf83a0d3 100644
--- a/executor/show_test.go
+++ b/executor/show_test.go
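Review bot: The new check in fetchShowGrants decides whether `SHOW GRANTS FOR user` targets the session's own account by exact string equality of `e.User.Hostname` with `sessVars.User.AuthHostname`, so any difference in the host part (including the connecting host, where the caller stores that, as the builder.go hunk later in this series shows) is treated as "another user" and routed to the mysql-schema SELECT check. That fails closed, so it over-restricts rather than leaks, but the intent deserves a comment, e.g. `// Treat the request as a self-lookup only when name and host both equal the authenticated identity; anything else needs SELECT on the mysql schema.` The context lines below default an empty role host to `%`; whether `e.User.Hostname` can arrive empty here (and would then never equal an auth host of `%`) is not visible in the hunk and should be confirmed. The rest of fetchShowGrants lies outside the hunk.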
@@ -139,6 +139,19 @@ func (s *testSuite2) TestShowErrors(c *C) {
 tk.MustQuery("show errors").Check(testutil.RowsWithSep("|", "Error|1050|Table 'test.show_errors' already exists"))
 }
 
+func (s *testSuite2) TestShowGrantsPrivilege(c *C) {
+ tk := testkit.NewTestKit(c, s.store)
+ tk.MustExec("create user show_grants")
+ tk.MustExec("show grants for show_grants")
+ tk1 := testkit.NewTestKit(c, s.store)
+ se, err := session.CreateSession4Test(s.store)
+ c.Assert(err, IsNil)
+ c.Assert(se.Auth(&auth.UserIdentity{Username: "show_grants", Hostname: "%"}, nil, nil), IsTrue)
+ tk1.Se = se
+ err = tk1.QueryToErr("show grants for root")
+ c.Assert(err.Error(), Equals, executor.ErrDBaccessDenied.GenWithStackByArgs("show_grants", "%", mysql.SystemDB).Error())
+}
+
 func (s *testSuite2) TestIssue3641(c *C) {
 tk := testkit.NewTestKit(c, s.store)
 _, err := tk.Exec("show tables;")
@@ -156,7 +169,7 @@ func (s *testSuite2) TestIssue10549(c *C) {
 tk.MustExec("GRANT 'app_developer' TO 'dev';")
 tk.MustExec("SET DEFAULT ROLE app_developer TO 'dev';")
 
- c.Assert(tk.Se.Auth(&auth.UserIdentity{Username: "dev", Hostname: "localhost", AuthUsername: "dev", AuthHostname: "localhost"}, nil, nil), IsTrue)
+ c.Assert(tk.Se.Auth(&auth.UserIdentity{Username: "dev", Hostname: "%", AuthUsername: "dev", AuthHostname: "%"}, nil, nil), IsTrue)
 tk.MustQuery("SHOW DATABASES;").Check(testkit.Rows("INFORMATION_SCHEMA", "newdb"))
 tk.MustQuery("SHOW GRANTS;").Check(testkit.Rows("GRANT USAGE ON *.* TO 'dev'@'%'", "GRANT ALL PRIVILEGES ON newdb.* TO 'dev'@'%'", "GRANT 'app_developer'@'%' TO 'dev'@'%'"))
 tk.MustQuery("SHOW GRANTS FOR CURRENT_USER").Check(testkit.Rows("GRANT USAGE ON *.* TO 'dev'@'%'", "GRANT 'app_developer'@'%' TO 'dev'@'%'"))
From 4a21dc1af917742bd498407f04c7b4a4d2409e16 Mon Sep 17 00:00:00 2001
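Review bot: `err.Error()` in TestShowGrantsPrivilege is dereferenced before anything asserts that `QueryToErr` returned a non-nil error, so a regression that lets `show grants for root` succeed for this session would surface as a nil-pointer panic rather than a clean assertion failure; add `c.Assert(err, NotNil)` ahead of the `Equals` check. The test also pins only the denial path: a non-root account that has been granted SELECT on `mysql.*`, or the same account querying its own grants with an explicit host, would confirm the positive side of the new rule and that the check is not wider than intended. TestShowGrantsPrivilege is entirely within the hunk.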
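Review bot: Rewriting the TestIssue10549 identity from `localhost` to `%` removes the only existing fixture in which the session's `Hostname` can differ from the `%` account it authenticated as, which is precisely the shape the new show.go check handles badly (PATCH 2/2's builder.go change exists to repair it). Instead of aligning the fixture with the restriction, keeping a mixed identity such as `Hostname: "localhost", AuthHostname: "%"` in at least one SHOW GRANTS test would catch that regression directly. TestIssue10549 begins and ends outside the hunk.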
From: Lingyu Song
Date: Mon, 30 Mar 2020 18:10:19 +0800
Subject: [PATCH 2/2] privilege: fix user with `%` hostname can not show grants. (#15825)
---
 executor/builder.go | 2 ++
 executor/show_test.go | 7 +++++++
 2 files changed, 9 insertions(+)
diff --git a/executor/builder.go b/executor/builder.go
index 26180bbb04e62..2e6a85af00a1d 100644
--- a/executor/builder.go
+++ b/executor/builder.go
@@ -626,6 +626,8 @@ func (b *executorBuilder) buildShow(v *plannercore.Show) Executor {
 // The former determine privileges with roles, while the later doesn't.
 vars := e.ctx.GetSessionVars()
 e.User = vars.User
+ e.User.Hostname = vars.User.AuthHostname
+ e.User.Username = vars.User.AuthUsername
 e.Roles = vars.ActiveRoles
 }
 if e.Tp == ast.ShowMasterStatus {
diff --git a/executor/show_test.go b/executor/show_test.go
index da850bf83a0d3..0cf7eb2d517f1 100644
--- a/executor/show_test.go
+++ b/executor/show_test.go
@@ -150,6 +150,13 @@ func (s *testSuite2) TestShowGrantsPrivilege(c *C) {
 tk1.Se = se
 err = tk1.QueryToErr("show grants for root")
 c.Assert(err.Error(), Equals, executor.ErrDBaccessDenied.GenWithStackByArgs("show_grants", "%", mysql.SystemDB).Error())
+ // Test show grants for user with auth host name `%`.
+ tk2 := testkit.NewTestKit(c, s.store)
+ se2, err := session.CreateSession4Test(s.store)
+ c.Assert(err, IsNil)
+ c.Assert(se2.Auth(&auth.UserIdentity{Username: "show_grants", Hostname: "127.0.0.1", AuthUsername: "show_grants", AuthHostname: "%"}, nil, nil), IsTrue)
+ tk2.Se = se2
+ tk2.MustQuery("show grants")
 }
 
 func (s *testSuite2) TestIssue3641(c *C) {
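Review bot: `e.User = vars.User` followed by `e.User.Hostname = vars.User.AuthHostname` writes through to the session's own identity if `vars.User` is a pointer, as the tests' `&auth.UserIdentity{...}` usage suggests; after the first plain `SHOW GRANTS` the session permanently records the account pattern (`%`) instead of the client host (`127.0.0.1`), and anything that later reads `vars.User.Hostname` for error messages, audit records or a `USER()`-style answer sees the wrong value. Copy before mutating: `u := *vars.User`, `u.Hostname, u.Username = u.AuthHostname, u.AuthUsername`, `e.User = &u`. It is also worth confirming what `CurrentUser` holds on the copied identity, since fetchShowGrants in PATCH 1/2 branches on `!e.User.CurrentUser` for exactly this plain `SHOW GRANTS` form. buildShow continues outside the hunk.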
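Review bot: `tk2.MustQuery("show grants")` only asserts that the statement no longer errors; nothing checks what the `%`-account session is shown, so a change that returned another account's grants, or an empty result, would still pass. Chain a `.Check(...)` with the expected row for the freshly created account, following the pattern used in TestIssue10549, e.g. `.Check(testkit.Rows("GRANT USAGE ON *.* TO 'show_grants'@'%'"))` (expected value constructed from that pattern, confirm against a run). A companion negative case, `tk2.QueryToErr("show grants for root")` still being denied for this session, would show the builder change did not widen access. The opening lines of TestShowGrantsPrivilege are outside the hunk.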