TiDB does not reject connection for mismatched user when using auth_socket plugin #54031

Closed
lcwangchao opened this issue Jun 14, 2024 · 1 comment · Fixed by #54032
@lcwangchao
Collaborator

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

  1. Create a new user with auth_socket plugin:
CREATE USER 'u1'@'localhost' IDENTIFIED WITH auth_socket;
  2. Connect to TiDB with the MySQL client (my current system user is wangchao):
$ whoami
wangchao

$ mysql --comments -uu1 -S/tmp/tidb-4001.sock

2. What did you expect to see? (Required)

The connection should be rejected because the current system user and TiDB user are not the same:

$ mysql --comments -uu1 -S/tmp/tidb-4001.sock
ERROR 1045 (28000): Access denied for user 'u1'@'localhost' (using password: NO)

See the description in the MySQL doc:

The socket plugin checks whether the socket user name (the operating system user name) matches the MySQL user name specified by the client program to the server. If the names do not match, the plugin checks whether the socket user name matches the name specified in the authentication_string column of the mysql.user system table row. If a match is found, the plugin permits the connection.

3. What did you see instead (Required)

However, it succeeds in TiDB:

> whoami
wangchao
> mysql --comments -uu1 -S/tmp/tidb-4001.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2097162
Server version: 8.0.11-TiDB-None TiDB Server (Apache License 2.0) Community Edition, MySQL 8.0 compatible

Copyright (c) 2000, 2024, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| u1@localhost   |
+----------------+
1 row in set (0.00 sec)

4. What is your TiDB version? (Required)

This is introduced by #37052 and seems to affect 6.5 and the subsequent versions
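
The check described in the MySQL doc quoted above, as an added Go example (not TiDB's code and not part of the original issue). It assumes Linux `SO_PEERCRED` on the Unix socket; the function names `socketAuthPermits`, `peerUID` and `authenticate` are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"os/user"
	"strconv"
	"syscall"
)

// socketAuthPermits applies the quoted rule: permit only when the OS user on the
// socket equals the requested account name or its authentication_string.
func socketAuthPermits(socketUser, mysqlUser, authString string) bool {
	if socketUser == "" {
		return false // fail closed if the peer could not be identified
	}
	return socketUser == mysqlUser || socketUser == authString
}

// peerUID returns the kernel-recorded uid of the socket peer; the client cannot choose it.
func peerUID(c *net.UnixConn) (uint32, error) {
	raw, err := c.SyscallConn()
	if err != nil {
		return 0, err
	}
	var cred *syscall.Ucred
	var serr error
	err = raw.Control(func(fd uintptr) {
		cred, serr = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	})
	if err != nil || serr != nil {
		return 0, fmt.Errorf("SO_PEERCRED: %v / %v", err, serr)
	}
	return cred.Uid, nil
}

// authenticate resolves the peer uid to an OS user name and rejects on any error or mismatch.
func authenticate(c *net.UnixConn, mysqlUser, authString string) bool {
	uid, err := peerUID(c)
	if err != nil {
		return false
	}
	u, err := user.LookupId(strconv.Itoa(int(uid)))
	return err == nil && socketAuthPermits(u.Username, mysqlUser, authString)
}

func main() {
	// Constructed names; the first call is the issue's case (OS user wangchao asks for u1).
	fmt.Println(socketAuthPermits("wangchao", "u1", ""), socketAuthPermits("wangchao", "wangchao", ""))
}
```

With the issue's inputs the first call returns false, which corresponds to the `ERROR 1045` the reporter expected.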
