From d47710c8dccd295428fa7547720f4a5d7311c413 Mon Sep 17 00:00:00 2001 From: Mats Kindahl Date: Wed, 23 Sep 2009 23:32:31 +0200 Subject: WL#5016: Fix header file include guards Adding header include file guards to files that are missing such. --- sql/sql_acl.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index a8090fba2e7..c0622bd747c 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -1,3 +1,6 @@ +#ifndef SQL_ACL_INCLUDED +#define SQL_ACL_INCLUDED + /* Copyright (C) 2000-2006 MySQL AB This program is free software; you can redistribute it and/or modify @@ -273,3 +276,4 @@ bool is_acl_user(const char *host, const char *user); #define check_grant(A,B,C,D,E,F) 0 #define check_grant_db(A,B) 0 #endif +#endif /* SQL_ACL_INCLUDED */ -- cgit v1.2.1 From 13f09243e33141756b7d6012dbf49682bb1228ce Mon Sep 17 00:00:00 2001 
From: Alexander Nozdrin Date: Sat, 10 Oct 2009 00:01:10 +0400 Subject: A backporting patch for WL#4300 (Define privileges for tablespaces). Original revision in 6.0: ------------------------------------------------------------ revno: 2630.13.11 committer: Alexander Nozdrin branch nick: 6.0-rt-wl4300 timestamp: Thu 2008-07-24 11:44:21 +0400 message: A patch for WL#4300: Define privileges for tablespaces. ------------------------------------------------------------ per-file messages: mysql-test/r/grant.result Update result file: new columm 'Create_tablespace_priv' has been added to mysql.user. mysql-test/r/ps.result Update result file: new columm 'Create_tablespace_priv' has been added to mysql.user. mysql-test/r/system_mysql_db.result Update result file: new columm 'Create_tablespace_priv' has been added to mysql.user. mysql-test/suite/falcon/r/falcon_tablespace_priv.result Test case for WL#4300. mysql-test/suite/falcon/t/falcon_tablespace_priv.test Test case for WL#4300. mysql-test/suite/ndb/r/ndb_dd_ddl.result Test case for WL#4300. mysql-test/suite/ndb/t/ndb_dd_ddl.test Test case for WL#4300. scripts/mysql_system_tables.sql New columm 'Create_tablespace_priv' has been added to mysql.user. scripts/mysql_system_tables_data.sql 'CREATE TABLESPACE' is granted by default to the root user. scripts/mysql_system_tables_fix.sql Grant 'CREATE TABLESPACE' privilege during system table upgrade if a user had SUPER privilege. sql/sql_acl.cc Added CREATE TABLESPACE privilege. sql/sql_acl.h Added CREATE TABLESPACE privilege. sql/sql_parse.cc Check global 'CREATE TABLESPACE' privilege for the following SQL statements: - CREATE | ALTER | DROP TABLESPACE - CREATE | ALTER | DROP LOGFILE GROUP sql/sql_show.cc Added CREATE TABLESPACE privilege. sql/sql_yacc.yy Added CREATE TABLESPACE privilege. --- sql/sql_acl.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index a8090fba2e7..a08510e66ae 100644 
--- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -43,6 +43,7 @@ #define CREATE_USER_ACL (1L << 25) #define EVENT_ACL (1L << 26) #define TRIGGER_ACL (1L << 27) +#define CREATE_TABLESPACE_ACL (1L << 28) /* don't forget to update 1. static struct show_privileges_st sys_privileges[] @@ -79,7 +80,8 @@ REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \ CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \ EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \ - ALTER_PROC_ACL | CREATE_USER_ACL | EVENT_ACL | TRIGGER_ACL) + ALTER_PROC_ACL | CREATE_USER_ACL | EVENT_ACL | TRIGGER_ACL | \ + CREATE_TABLESPACE_ACL) #define DEFAULT_CREATE_PROC_ACLS \ (ALTER_PROC_ACL | EXECUTE_ACL) -- cgit v1.2.1 From 0659b857e7fe232ebfe7f48c5e0affd59dbf5862 Mon Sep 17 00:00:00 2001 
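Review bot: The new `#define CREATE_TABLESPACE_ACL (1L << 28)` takes the last bit below the two non-privilege flags, and nothing in the hunk records that. The later hunk on this page, against the same base blob (index a8090fba2e7), shows `EXTRA_ACL` at `1L << 29` and `NO_ACCESS` at `1L << 30`. The next privilege would therefore need bit 31, which `1L << 31` cannot represent where `long` is 32 bits. I would add a comment beside the define such as `/* last free bit below the EXTRA_ACL/NO_ACCESS flags; a further privilege needs a wider or unsigned mask */`. The checklist comment that follows the define continues past the end of the hunk.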
From: Kristofer Pettersson Date: Mon, 19 Oct 2009 14:58:13 +0200 Subject: Bug#27145 EXTRA_ACL troubles The flag EXTRA_ACL is used in conjunction with our access checks, yet it is not clear what impact this flag has. This is a code clean up which replaces use of EXTRA_ACL with an explicit function parameter. The patch also fixes privilege checks for: - SHOW CREATE TABLE: The new privilege requirement is any privilege on the table-level. - CHECKSUM TABLE: Requires SELECT on the table level. - SHOW CREATE VIEW: Requires SHOW_VIEW and SELECT on the table level (just as the manual claims) - SHOW INDEX: Requires any privilege on any column combination. mysql-test/r/grant.result: * Error message now shows correct command (SHOW instead of SELECT) mysql-test/r/grant2.result: * Error message now shows correct command (SHOW instead of SELECT) mysql-test/r/grant4.result: * This test file tests privilege requirements for SHOW COLUMNS CREATE TABLE .. LIKE SHOW CREATE TABLE SHOW INDEX CHECKSUM TABLE SHOW CREATE VIEW mysql-test/r/information_schema_db.result: * Added SELECT privilege to testdb_2 as SHOW CREATE VIEW now demands this privilege as well as SHOW VIEW. mysql-test/r/outfile.result: * Changed error code mysql-test/r/view_grant.result: * Additional SELECT privilege is now needed for SHOW CREATE VIEW mysql-test/t/grant4.test: * This test file tests privilege requirements for SHOW COLUMNS CREATE TABLE .. LIKE SHOW CREATE TABLE SHOW INDEX CHECKSUM TABLE SHOW CREATE VIEW mysql-test/t/information_schema_db.test: * Added SELECT privilege to testdb_2 as SHOW CREATE VIEW now demands this privilege as well as SHOW VIEW. mysql-test/t/outfile.test: * Changed error code mysql-test/t/view_grant.test: * Additional SELECT privilege is now needed for SHOW CREATE VIEW sql/mysql_priv.h: * Replaced EXTRA_ACL with a parameter sql/sp_head.cc: * Replaced EXTRA_ACL with a parameter sql/sql_acl.cc: * Converted function documentation to doxygen and clarified some behaviors. 
* Changed value from uint to bool to better reflect its meaning. * Removed pointless variable orig_want_access * Added function has_any_table_level_privileges to help with requirements checks during SHOW CREATE TABLE. sql/sql_acl.h: * changed signature of check_grant() * introduced access control function has_any_table_leevl_privileges() sql/sql_base.cc: * Check_table_access has new signature sql/sql_cache.cc: * Check_table_access has new signature sql/sql_parse.cc: * Rewrote function documentation in doxygen comments for: check_access, check_table_acces, check_grant. * Removed EXTRA_ACL flag where it doesn't hold any meaningful purpose anymore and replaced it with a function parameter where any privileges on any column combination would satisfy the requirement. * Fixed privilege check for SHOW COLUMNS and SHOW INDEX * Modified check_table_access to gain clarity in what EXTRA_ACL actually does. * Modified check_access to gain clarity in what EXTRA_ACL actually does. * Fixed privilege check for CREATE TABLE .. LIKE .. ; It now requires SELECT privileges on the table. * Fixed privilege check for SHOW CREATE TABLE ..; It now requires any privilege on the table level. sql/sql_plugin.cc: * check_table_access has new signature sql/sql_prepare.cc: * check_table_access has new signature sql/sql_show.cc: * check_table_access has new signature sql/sql_trigger.cc: * check_table_access has new signature sql/sql_update.cc: * check grant has new signature sql/sql_view.cc: * check_table_access has new signature --- sql/sql_acl.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index a8090fba2e7..fd7824dc961 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h 
@@ -51,7 +51,6 @@ 4. acl_init() or whatever - to define behaviour for old privilege tables 5. sql_yacc.yy - for GRANT/REVOKE to work */ -#define EXTRA_ACL (1L << 29) #define NO_ACCESS (1L << 30) #define DB_ACLS \ (UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ @@ -238,7 +237,7 @@ my_bool grant_init(); void grant_free(void); my_bool grant_reload(THD *thd); bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables, - uint show_command, uint number, bool dont_print_error); + bool any_combination_will_do, uint number, bool no_errors); bool check_grant_column (THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *name, uint length, Security_context *sctx); @@ -269,6 +268,9 @@ bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name, bool check_routine_level_acl(THD *thd, const char *db, const char *name, bool is_proc); bool is_acl_user(const char *host, const char *user); +bool has_any_table_level_privileges(THD *thd, ulong required_access, + TABLE_LIST *tables); + #ifdef NO_EMBEDDED_ACCESS_CHECKS #define check_grant(A,B,C,D,E,F) 0 #define check_grant_db(A,B) 0 -- cgit v1.2.1 From 481066db52cfaa406ea73812bc237513e0daa076 Mon Sep 17 00:00:00 2001 From: Kristofer Pettersson Date: Tue, 20 Oct 2009 15:40:06 +0200 Subject: Bug#27145 EXTRA_ACL troubles Post merge fix for embedded server. sql/sql_acl.h: * Added definition for has_any_table_level_privileges must be defined in embedded mode. --- sql/sql_acl.h | 1 + 1 file changed, 1 insertion(+) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index eb0b83e0620..ad401fa7064 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -276,4 +276,5 @@ bool has_any_table_level_privileges(THD *thd, ulong required_access, #ifdef NO_EMBEDDED_ACCESS_CHECKS #define check_grant(A,B,C,D,E,F) 0 #define check_grant_db(A,B) 0 +#define has_any_table_level_privileges(A,B,C) 0 #endif -- cgit v1.2.1 
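Review bot: The fourth parameter of `check_grant` changes from `uint show_command` to `bool any_combination_will_do` in the same position, and the declaration has no comment. A call site outside this header that still passes an integer there compiles unchanged, and any non-zero value becomes `true`. Going by the commit description, `true` lets a privilege on any column combination satisfy the request, so an unnoticed `true` errs in the permissive direction for an access check. I would document it on the declaration, e.g. `/* any_combination_will_do: when true, a privilege on any column combination satisfies the check */`, and have the callers named in the description audited by hand, since the compiler will not flag them. The six-argument `check_grant` stub under `NO_EMBEDDED_ACCESS_CHECKS` still matches the new arity.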
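Review bot: `has_any_table_level_privileges` is declared without saying which `bool` value means access is granted, and the name and the neighbouring convention point in opposite directions. The name reads as a predicate that is true when the user holds a privilege, while the `check_grant` and `check_grant_db` stubs directly below it evaluate to `0` in the build without access checks. The follow-up commit's hunk on this page stubs the new function as `0` as well, which means "allowed" only if the function returns false on success; that cannot be confirmed from the header alone. If it does follow `check_grant`, a comment such as `/* Returns FALSE when access is granted, like check_grant() */` on the declaration would settle it. If it does not, the `0` stub would deny access in embedded builds and should be revisited.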
From 720252532fb27dd8b3598ef739e4c0b75d7befea Mon Sep 17 00:00:00 2001 From: Alexander Nozdrin Date: Thu, 22 Oct 2009 16:51:51 +0400 Subject: Backporting patches for Bug#38347 (ALTER ROUTINE privilege allows SHOW CREATE TABLE) from 6.0. Original revisions: ------------------------------------------------------------ revno: 2617.31.8 committer: Alexander Nozdrin branch nick: 6.0-rt-bug38347 timestamp: Thu 2009-03-26 09:08:24 +0300 message: Patch for Bug#38347: ALTER ROUTINE privilege allows SHOW CREATE TABLE. If a user has any of the following privileges for a table (or the database if the table), he should be able to issue SHOW CREATE TABLE for the table: - CREATE - DROP - ALTER - DELETE - INDEX - INSERT - SELECT - UPDATE - TRIGGER - REFERENCES - GRANT OPTION - CREATE VIEW - SHOW VIEW Any other privilege (even SUPER) should not allow SHOW CREATE TABLE. ------------------------------------------------------------ revno: 2617.31.11 committer: Alexander Nozdrin branch nick: 6.0-rt timestamp: Fri 2009-03-27 21:36:34 +0300 message: Additional patch for Bug#38347 (ALTER ROUTINE privilege allows SHOW CREATE TABLE). The problem was that information_schema.test, information_schema_parameters.test and information_schema_routines.test failed with the first patch. That happened due to limitation in check_access(): it allows only SELECT_ACL privilege for INFORMATION_SCHEMA tables. The patch is to request only SELECT_ACL privilege for INFORMATION_SCHEMA tables. ------------------------------------------------------------ --- sql/sql_acl.h | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index ad401fa7064..ba5f5144409 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h 
@@ -85,6 +85,11 @@ #define DEFAULT_CREATE_PROC_ACLS \ (ALTER_PROC_ACL | EXECUTE_ACL) +#define SHOW_CREATE_TABLE_ACLS \ +(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \ + CREATE_ACL | DROP_ACL | ALTER_ACL | INDEX_ACL | \ + TRIGGER_ACL | REFERENCES_ACL | GRANT_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL) + /* Defines to change the above bits to how things are stored in tables This is needed as the 'host' and 'db' table is missing a few privileges -- cgit v1.2.1
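Review bot: `SHOW_CREATE_TABLE_ACLS` is an allow-list deciding who may read a table definition, yet it is added without a comment and, as far as this page shows, without an entry in the header's "don't forget to update" checklist. A table-level privilege added later would be left out by default, which is the safe direction, but only by accident and not by a recorded decision. The thirteen bits in the mask match the list in the commit description one for one. I would state the intent above the define, e.g. `/* Any one of these on the table (or its database) permits SHOW CREATE TABLE; no other privilege does, SUPER included (Bug#38347) */`, and add this mask to the checklist comment. The comment that follows the new lines continues past the end of the hunk.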