Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
N/A
-
None
Description
According to the specification of MDEV-20299,
a) any user can do SET SESSION AUTHORIZATION to their own account; and
b) it'll bypass account lock, expired password, authentication, REQUIRE SSL checks, etc.
For the items explicitly listed in (b) one can say that if the user is already logged in, it doesn't matter; but currently "etc" also involves resource limits (e.g. MAX_QUERIES_PER_HOUR). It makes the limits meaningless, because the user can always get around them by doing SET SESSION AUTHORIZATION while still within the limits, and then enjoying the unlimited plan.
I don't see how it can be justified by being able to do the same via SP, because such users may not have permissions to create/execute SPs.
CREATE USER goodguy WITH MAX_QUERIES_PER_HOUR 2; |
CREATE USER cheater WITH MAX_QUERIES_PER_HOUR 2; |
--connect (con1,localhost,goodguy,,)
|
SELECT 1 AS goodguy_1; |
SELECT 2 AS goodguy_2; |
--error ER_USER_LIMIT_REACHED
|
SELECT 3 AS goodguy_3; |
--disconnect con1
|
--connect (con1,localhost,cheater,,)
|
|
|
SET SESSION AUTHORIZATION cheater@localhost; |
SELECT 1 AS cheater_1; |
SELECT 2 AS cheater_2; |
--echo # Now it should start failing, but it works
|
SELECT 3 AS cheater_3; |
SELECT 4 AS cheater_4; |
--disconnect con1
|
|
|
--connection default
|
DROP USER goodguy; |
DROP USER cheater; |
|
d4c600f804af677ac3177497b3770dbd67c448f7 |
SELECT 1 AS goodguy_1; |
goodguy_1
|
1
|
SELECT 2 AS goodguy_2; |
goodguy_2
|
2
|
SELECT 3 AS goodguy_3; |
ERROR 42000: User 'goodguy' has exceeded the 'max_queries_per_hour' resource (current value: 2) |
disconnect con1;
|
connect con1,localhost,cheater,,; |
SET SESSION AUTHORIZATION cheater@localhost; |
SELECT 1 AS cheater_1; |
cheater_1
|
1
|
SELECT 2 AS cheater_2; |
cheater_2
|
2
|
# Now it should start failing, but it works
|
SELECT 3 AS cheater_3; |
cheater_3
|
3
|
SELECT 4 AS cheater_4; |
cheater_4
|
4
|
Attachments
Issue Links
- is caused by
-
MDEV-20299 SET SESSION AUTHORIZATION
-
- Closed
-
Same applies to the global max_user_connections variable.
--let $restart_parameters= --max_user_connections=2--source include/restart_mysqld.inc--connect (con1,localhost,foo,,)--connect (con2,localhost,foo,,)--error ER_TOO_MANY_USER_CONNECTIONS--connect (con3,localhost,foo,,)--connection con1--connection con2--connect (con3,localhost,foo,,)--connect (con4,localhost,foo,,)--connect (con5,localhost,foo,,)--connection defaultshow processlist;--disconnect con2d4c600f804af677ac3177497b3770dbd67c448f7
show processlist;3 root localhost test Query 0 starting show processlist 0.000