revision-id: d4e9a50e887c40da6a57cc5438d9857eae7c45f2 (mariadb-10.2.24-30-gd4e9a50) parent(s): 395ce1dcb33b5866f810299095978f2fb9263c95 committer: Alexey Botchkov timestamp: 2019-05-19 23:50:23 +0400 message: MDEV-17456 Malicious SUPER user can possibly change audit log configuration without leaving traces. Fix for the SET GLOBAL server_audit_loggin=on; added. --- mysql-test/suite/plugins/r/server_audit.result | 2 ++ plugin/server_audit/server_audit.c | 15 +++++++++------ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/mysql-test/suite/plugins/r/server_audit.result b/mysql-test/suite/plugins/r/server_audit.result index b8d2986..4088b36 100644 --- a/mysql-test/suite/plugins/r/server_audit.result +++ b/mysql-test/suite/plugins/r/server_audit.result @@ -271,6 +271,7 @@ TIME,HOSTNAME,root,localhost,ID,0,CONNECT,mysql,,0 TIME,HOSTNAME,root,localhost,ID,0,DISCONNECT,mysql,,0 TIME,HOSTNAME,no_such_user,localhost,ID,0,FAILED_CONNECT,,,ID TIME,HOSTNAME,no_such_user,localhost,ID,0,DISCONNECT,,,0 +TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'set global server_audit_incl_users=\'odin, dva, tri\'',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'set global server_audit_incl_users=\'odin, root, dva, tri\'',0 TIME,HOSTNAME,root,localhost,ID,ID,CREATE,test,t2, TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'create table t2 (id int)',0 @@ -381,6 +382,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY *** TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'drop user u1, u2, u3',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'insert into t1 values (1), (2)',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_logging= off',0 +TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_logging= on',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global serv',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select (1), (2)',0 diff --git a/plugin/server_audit/server_audit.c b/plugin/server_audit/server_audit.c index 8472f97..e143f56 100644 --- a/plugin/server_audit/server_audit.c +++ b/plugin/server_audit/server_audit.c @@ -15,7 +15,7 @@ #define PLUGIN_VERSION 0x104 -#define PLUGIN_STR_VERSION "1.4.5" +#define PLUGIN_STR_VERSION "1.4.6" #define _my_thread_var loc_thread_var @@ -2022,10 +2022,14 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev) update_connection_info(cn, event_class, ev, &after_action); if (!logging) + { + if (cn) + cn->log_always= 0; goto exit_func; + } if (event_class == MYSQL_AUDIT_GENERAL_CLASS && FILTER(EVENT_QUERY) && - cn && do_log_user(cn->user)) + cn && (cn->log_always || do_log_user(cn->user))) { const struct mysql_event_general *event = (const struct mysql_event_general *) ev; @@ -2038,6 +2042,7 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev) { log_statement(cn, event, "QUERY"); cn->query_length= 0; /* So the log_current_query() won't log this again. */ + cn->log_always= 0; } } else if (event_class == MYSQL_AUDIT_TABLE_CLASS && FILTER(EVENT_TABLE) && cn) @@ -2108,8 +2113,6 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev) break; } } - if (cn) - cn->log_always= 0; flogger_mutex_unlock(&lock_operations); } @@ -2553,8 +2556,7 @@ static void log_current_query(MYSQL_THD thd) if (!thd) return; cn= get_loc_info(thd); - if (!ci_needs_setup(cn) && cn->query_length && - FILTER(EVENT_QUERY) && do_log_user(cn->user)) + if (!ci_needs_setup(cn) && cn->query_length) { cn->log_always= 1; log_statement_ex(cn, cn->query_time, thd_get_thread_id(thd), @@ -2814,6 +2816,7 @@ static void update_logging(MYSQL_THD thd, { CLIENT_ERROR(1, "Logging was disabled.", MYF(ME_JUST_WARNING)); } + mark_always_logged(thd); } else {