I see that the read_user_name() function gets the user name by going through the following order:
- Using the user name root if geteuid() returns 0.
- Using the user name returned by getlogin(), unless it is NULL.
- Using the user name returned by getpwuid(geteuid()), unless it is NULL.
- Using the user name assigned to the USER environment variable, unless it is not set.
- Using the user name assigned to the LOGNAME environment variable, unless it is not set.
- Using the user name assigned to the LOGIN environment variable, unless it is not set.
See here:
https://github.com/MariaDB/mariadb-connector-c/blob/v3.1.4/libmariadb/mariadb_lib.c#L499
I created a quick test program to check the return values of getlogin() and getpwuid(geteuid()):
$ cat read_user_name.c
|
|
|
#include <pwd.h>
|
#include <stdio.h>
|
#include <stdlib.h>
|
#include <unistd.h>
|
#include <errno.h>
|
|
|
int
|
main(int argc, char *argv[])
|
{
|
struct passwd *result;
|
|
|
char *login_user;
|
char *effective_user;
|
|
|
if ((login_user = getlogin()) != NULL)
|
{
|
printf("User name of login user is: %s\n", login_user);
|
}
|
else
|
printf("Could not get user name of login user\n");
|
|
|
if ((result = getpwuid(geteuid())) != NULL)
|
{
|
effective_user = result->pw_name;
|
printf("User name of effective user is: %s\n", effective_user);
|
}
|
else
|
printf("Could not get user name of effective user\n");
|
|
|
return 0;
|
}
|
This seems to indicate that getpwuid(geteuid()) returns the correct user name, but getlogin() does not. For example:
[ec2-user@ip-172-30-0-105 tmp]$ whoami
|
ec2-user
|
[ec2-user@ip-172-30-0-105 tmp]$ sudo -u mysql bash
|
bash-4.2$ whoami
|
mysql
|
bash-4.2$ id
|
uid=997(mysql) gid=994(mysql) groups=994(mysql),1005(shadow)
|
bash-4.2$ gcc read_user_name.c
|
bash-4.2$ ./a.out
|
User name of login user is: ec2-user
|
User name of effective user is: mysql
|
Since the connector defaults to the return value of getlogin(), this is why the mysql client is using the wrong user name:
bash-4.2$ mysql --plugin-dir=/usr/lib64/mysql/plugin/ -h 127.0.0.1 -pbadpassword
|
ERROR 1045 (28000): Access denied for user 'ec2-user'@'localhost' (using password: NO)
|
fixed in rev. e8023f3bf05839aaf4d797747f265822ea4a0514
This commit doesn't look like it would fix this issue:
https://github.com/MariaDB/mariadb-connector-c/commit/e8023f3bf05839aaf4d797747f265822ea4a0514
As far as I can tell, the problem is that getlogin() is used over getpwuid(geteuid()). See my previous comment for a test program that shows the difference.
Hello, Red Hat here, we've just got hit (rather) hard by this issue.
—
We have put MariaDB 10.4.12 into Fedora 32 - which is now in BETA freeze.
Turns out, a lot of users and test are relying on this - documented - usage; which is broken now.
Unfortunattely we were searching for the bug in auth_socket plugin, which is now default in MariaDB 10.4.
—
There are other packages, which builds on top of (or utilizes) MariaDB. Those packages have build-time tests which rely on switching the user.
With this bug, they (suddenly) fail, thus the build of te package fail, and if it can't be built for a next Fedora release, such package has to be dropped from the distribution.
We would be grateful for fix or a workaround ASAP.
We have only two spots left for the fix in Fedora - either for F32 Final Freeze, or as a F32 zero-day update (which would cause various other issues, since the F32 images would be distributed without the fix)
The Final Freeze is at the beginning of April.
We are likely to start preparing downstream patch to apply before the Final Freeze, but we'd much prefer to be fixed upstream, since our knowledge about the DB code is limited and it may be much easier fir you to do it and not to make a mistake in it 
—
Thanks Geoff for the fine detective job
fixed. rev. 8c773db1fb4b59f2c428589398c7d47b88756aa5
Hi mschorm,
georg's fix will be in MariaDB Connector/C 3.1.8, which should be released with MariaDB Server 10.4.13. I believe that release is currently planned for sometime around the end of April, but ralf.gebhardt@mariadb.com can correct me if I'm wrong. I hope that timeline works for you guys.
Thanks!
I can´t wait for the fix, but that's fine.
I did proceed with taking the latest sources of CONC/C and rebuilding the 'mariadb-connector-c' and 'mariadb' Fedora packages.
This is our chance to get the fixed version available to the users with Fedora 32.
Once you release new versions, I'll update ASAP.
Thanks for the patch !