Bug #44787 | Backup: Check privileges before executing BACKUP/RESTORE | ||
---|---|---|---|
Submitted: | 11 May 2009 12:52 | Modified: | 21 Apr 2010 17:32 |
Reporter: | Jørgen Løland | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Backup | Severity: | S3 (Non-critical) |
Version: | 6.0-backup | OS: | Any |
Assigned to: | Chuck Bell | CPU Architecture: | Any |
[11 May 2009 12:52]
Jørgen Løland
[26 May 2009 5:52]
Jørgen Løland
Related to WL#4090.
[5 Jun 2009 15:37]
Chuck Bell
This bug has been made obsolete by BUG#39580. The work done in that worklog makes this bug obsolete. It was made a duplicate so that it can be tracked along with BUG#39580.
[24 Jun 2009 19:52]
Chuck Bell
Now that the decision has been made to not do elevated privileges in BUG#39580, this is no longer a duplicate issue. Indeed, it is still very much an issue with the current decision.
[1 Jul 2009 19:13]
Chuck Bell
<from Rafal's review of BUG#39580 patch>

SUGGESTIONS
-----------
2. Test additional scenarios where an explicit list of databases (more than 1) is given to BACKUP command and where RESTORE restores more than one database. User has privileges for some of the databases but not for others.
[27 Jul 2009 14:44]
Chuck Bell
This bug will have to wait until it can be decided if the privilege elevation mechanism can be made safe from the identified security vulnerability in the backup image (e.g., modifying the backup image file manually to insert malicious SQL statements). If the privilege elevation mechanism is implemented, the solution for this bug will be trivial. If the privilege elevation mechanism is *not* implemented, the solution for this bug will require extensive research to determine the precise minimal privileges needed to perform a backup and restore. Note: Research to date implies the minimal set of privileges may be context sensitive. For example, granting a certain database level privilege permits the user to 'see' all of the tables with SHOW TABLES but may not be sufficient to perform a backup that reads the metadata and data. Similarly, depending on the objects in the database, some privileges may not be required and therefore the solution may have to test for a different minimal set for each backup and restore. Setting back to 'verified' until the question of privilege elevation is answered.
[30 Sep 2009 0:29]
Chuck Bell
On 29 September, the backup team decided we would not do privilege elevation for restore and would instead do detailed privilege checking prior to executing the DROP statements for the database(s) in the backup image. This bug therefore will implement detailed privilege checking on restore. This means each object will be tested for access by the user. If the user does not have sufficient privileges, the restore will halt and not destroy any data. Furthermore, whenever possible the error message displayed shall not disclose the name of any object that fails privilege checking.
[1 Oct 2009 1:24]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/85295 2875 Chuck Bell 2009-09-30 BUG#44787 : This patch implements a prototype for the detailed privilege checking on restore. NOTICE: This is a prototype patch committed for the benefit of the backup team to evaluate the solution proposed. A formal patch will be issued later once all input is considered. @ mysql-test/suite/backup/r/backup_restore_security.result New result file. @ mysql-test/suite/backup/t/backup_restore_security.test New test for testing detailed privilege checking on restore. NOTE: This is incomplete. @ sql/backup/kernel.cc Adds detailed privilege checking to the bcat_add_item() restore method. @ sql/share/errmsg-utf8.txt New error message. @ sql/share/errmsg.txt New error message.
[1 Oct 2009 1:35]
Chuck Bell
Setting back to in-progress because patch is only a prototype and should not be reviewed as complete.
[2 Oct 2009 21:19]
Chuck Bell
The patch for this work shall include a new test file containing test cases for testing restore security tasks.
[30 Oct 2009 15:55]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/88775 2887 Chuck Bell 2009-10-30 BUG#44787 : Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error. Note: This is patch 1 of 3. Patch 2 implements elevation, patch 3 implements the options to skip precheck and turn elevation off. @ mysql-test/suite/backup/r/backup_restore_security.result New result file. @ mysql-test/suite/backup/t/backup_restore_security-master.opt Option file to turn on binlog for SUPER check on stored procedures and functions. @ mysql-test/suite/backup/t/backup_restore_security.test New test for testing restore security prechecks. @ sql/backup/kernel.cc Added code to conduct privilege checking for all objects prior to executing restore. For tables, views, and triggers the check is object-level, for tablespace it is global-level, and for all other objects it is database-level. @ sql/share/errmsg-utf8.txt New error messages. @ sql/share/errmsg.txt New error messages.
[30 Oct 2009 15:59]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/88776 2887 Chuck Bell 2009-10-30 BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error. Note: This is patch 1 of 3. Patch 2 implements elevation, patch 3 implements the options to skip precheck and turn elevation off. @ mysql-test/suite/backup/r/backup_restore_security.result New result file. @ mysql-test/suite/backup/t/backup_restore_security-master.opt Option file to turn on binlog for SUPER check on stored procedures and functions. @ mysql-test/suite/backup/t/backup_restore_security.test New test for testing restore security prechecks. @ sql/backup/kernel.cc Added code to conduct privilege checking for all objects prior to executing restore. For tables, views, and triggers the check is object-level, for tablespace it is global-level, and for all other objects it is database-level. @ sql/share/errmsg-utf8.txt New error messages. @ sql/share/errmsg.txt New error messages.
[30 Oct 2009 16:10]
Chuck Bell
After much discussion, we are now moving on this plan:

1) Backup elevation shall be changed to use the same mechanism as replication and shall require only the BACKUP privilege at the database-level for all databases in the backup.
2) Restore elevation shall be implemented to use the same mechanism as replication and shall require RESTORE + SUPER at the database-level for all databases in the backup image.
3) If the user does not have RESTORE + SUPER for any database in the backup image, the restore shall default to performing a pre-check of the privileges for all objects in the backup image.
4) The user shall have the option to skip the precheck by setting --skip-restore-precheck to 1 (default is 0).
5) The user shall have the option to turn off backup elevation by setting --skip-backup-elevation to 0 (default is 1).
[2 Nov 2009 18:30]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/88985 2888 Chuck Bell 2009-11-02 BUG#44787 : The backup system must be changed to meet the Server PT decision to elevate backup if BACKUP and restore if RESTORE + SUPER. This patch implements the privilege elevation change for backup as well as privilege elevation for restore iff the user has both RESTORE and SUPER on all databases in the image. The restore will fall back to object-level privilege checking if this condition is not met. @ mysql-test/suite/backup/r/backup_restore_security.result Corrected result file. @ mysql-test/suite/backup/r/backup_security.result Corrected result file. @ mysql-test/suite/backup/t/backup_restore_security.test Added new test cases. Corrected error return codes. @ mysql-test/suite/backup/t/backup_security.test Corrected error return codes. @ sql/backup/backup_info.cc Added privilege elevation for backup using security context method (similar to replication). @ sql/backup/kernel.cc Added privilege elevation code for elevating iff the user has RESTORE + SUPER. Added object-level privilege checking for normal access. @ sql/backup/restore_info.h Added attributes for privilege checking. Moved privilege checking to new method. @ sql/si_objects.cc Removed privilege elevation from si_objects code. @ sql/sql_class.cc Added methods to save the access levels for turning off elevation and preserving user context. @ sql/sql_class.h Added methods to preserve privilege access.
[2 Nov 2009 18:33]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/88986 2888 Chuck Bell 2009-11-02 BUG#44787 : The backup system must be changed to meet the Server PT decision to elevate backup if BACKUP and restore if RESTORE + SUPER. This patch implements the privilege elevation change for backup as well as privilege elevation for restore iff the user has both RESTORE and SUPER on all databases in the image. The restore will fall back to object-level privilege checking if this condition is not met. Note: This is patch 2 of 3. Patch 1 implements privilege checking, patch 3 implements the options to skip precheck and turn elevation off. @ mysql-test/suite/backup/r/backup_restore_security.result Corrected result file. @ mysql-test/suite/backup/r/backup_security.result Corrected result file. @ mysql-test/suite/backup/t/backup_restore_security.test Added new test cases. Corrected error return codes. @ mysql-test/suite/backup/t/backup_security.test Corrected error return codes. @ sql/backup/backup_info.cc Added privilege elevation for backup using security context method (similar to replication). @ sql/backup/kernel.cc Added privilege elevation code for elevating iff the user has RESTORE + SUPER. Added object-level privilege checking for normal access. @ sql/backup/restore_info.h Added attributes for privilege checking. Moved privilege checking to new method. @ sql/si_objects.cc Removed privilege elevation from si_objects code. @ sql/sql_class.cc Added methods to save the access levels for turning off elevation and preserving user context. @ sql/sql_class.h Added methods to preserve privilege access.
[2 Nov 2009 19:05]
Ingo Strüwing
Approved pending changes. See email. (Sorry for the late update of this bug report.)
[2 Nov 2009 21:57]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/89009 2888 Chuck Bell 2009-11-02 BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE The backup system must be changed to meet the Server PT decision to elevate backup if BACKUP and restore if RESTORE + SUPER. This patch implements the privilege elevation change for backup as well as privilege elevation for restore iff the user has both RESTORE and SUPER on all databases in the image. The restore will fall back to object-level privilege checking if this condition is not met. Note: This is patch 2 of 3. Patch 1 implements privilege checking, patch 3 implements the options to skip precheck and turn elevation off. @ mysql-test/suite/backup/r/backup_restore_security.result Corrected result file. @ mysql-test/suite/backup/r/backup_security.result Corrected result file. @ mysql-test/suite/backup/t/backup_restore_security.test Added new test cases. Corrected error return codes. @ mysql-test/suite/backup/t/backup_security.test Corrected error return codes. @ sql/backup/backup_info.cc Added privilege elevation for backup using security context method (similar to replication). @ sql/backup/kernel.cc Added privilege elevation code for elevating iff the user has RESTORE + SUPER. Added object-level privilege checking for normal access. @ sql/backup/restore_info.h Added attributes for privilege checking. Moved privilege checking to new method. @ sql/si_objects.cc Removed privilege elevation from si_objects code. @ sql/sql_class.cc Added methods to save the access levels for turning off elevation and preserving user context. @ sql/sql_class.h Added methods to preserve privilege access.
[2 Nov 2009 22:28]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/89011 2889 Chuck Bell 2009-11-02 BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE The backup system must be changed to meet the Server PT decision to turn off backup elevation, restore elevation, and restore prechecking by startup options and variables. This patch implements startup options and variables to do the following:

backup-elevation/backup_elevation
  ON = turn on backup elevation
  OFF = turn off backup elevation
  Note: Default is ON

restore-elevation/restore_elevation
  ON = turn on restore elevation
  OFF = turn off restore elevation
  Note: Default is ON

restore-precheck/restore_precheck
  ON = turn on restore precheck
  OFF = turn off restore precheck
  Note: Default is ON

Note: This is patch 3 of 3. Patch 1 implements privilege checking, patch 2 implements privilege elevation. @ mysql-test/suite/backup/r/backup_restore_security.result Corrected result file. @ mysql-test/suite/backup/r/backup_security.result Corrected result file. @ mysql-test/suite/backup/r/backup_security_options.result New result file. @ mysql-test/suite/backup/r/backup_security_var.result New result file. @ mysql-test/suite/backup/t/backup_security_options-master.opt Option file to disable all options. @ mysql-test/suite/backup/t/backup_security_options.test New test for testing startup options. @ mysql-test/suite/backup/t/backup_security_var.test New test for testing new variables. @ sql/backup/backup_info.cc Added code to turn elevation on or off depending on option set. @ sql/backup/kernel.cc Added gates to skip privilege elevation for restore. Rearranged code to catch all combination of options. @ sql/mysqld.cc Added startup options. @ sql/set_var.cc Added variable classes. @ sql/sql_class.h Added variable declarations.
[2 Nov 2009 22:40]
Chuck Bell
The design suggestion for the options and variables has changed the plan a bit. In order to take advantage of the features for setting binary values, the startup options are now:

backup-elevation (default ON) - turns on backup elevation
restore-elevation (default ON) - turns on restore elevation
restore-precheck (default ON) - turns on restore prechecking

The equivalent variable names use _ instead of - (e.g. backup_elevation).

Note: The backup-elevation was added to complement the restore-elevation mechanism making a more complete feature set.

To set the startup options, one can prepend 'enable' or 'disable' like this: ./mysqld .... --enable-backup-elevation --disable-restore-elevation. Or use the @@global to set the variable like normal.
[3 Nov 2009 23:04]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/89233 2887 Chuck Bell 2009-11-03 BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error. Note: This is patch 1 of 3. Patch 2 implements elevation, patch 3 implements the options to skip precheck and turn elevation off. @ mysql-test/suite/backup/r/backup_restore_security.result New result file. @ mysql-test/suite/backup/r/backup_security.result Corrected result file. @ mysql-test/suite/backup/t/backup_restore_security-master.opt Option file to turn on binlog for SUPER check on stored procedures and functions. @ mysql-test/suite/backup/t/backup_restore_security.test New test for testing restore security prechecks. @ mysql-test/suite/backup/t/backup_security.test Corrected errors now that restore prechecking is complete. @ sql/backup/kernel.cc Added code to conduct privilege checking for all objects prior to executing restore. For tables, views, and triggers the check is object-level, for tablespace it is global-level, and for all other objects it is database-level. @ sql/backup/restore_info.h Moved RESTORE_ACL check to new method in kernel.cc so that it occurs prior to prechecking object-level privileges. @ sql/share/errmsg-utf8.txt New error messages. @ sql/share/errmsg.txt New error messages.
[4 Nov 2009 16:00]
Ingo Strüwing
Approved patch 2 of 3 pending changes. Please see email.
[4 Nov 2009 19:35]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/89359 2888 Chuck Bell 2009-11-04 BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error. Note: This is patch 1 of 3. Patch 2 implements elevation, patch 3 implements the options to skip precheck and turn elevation off. @ mysql-test/suite/backup/r/backup_restore_security.result New result file. @ mysql-test/suite/backup/r/backup_security.result Corrected result file. @ mysql-test/suite/backup/t/backup_restore_security.test New test for testing restore security prechecks. @ mysql-test/suite/backup/t/backup_security.test Corrected errors now that restore prechecking is complete. @ sql/backup/kernel.cc Added call to do object-level privilege checking. @ sql/backup/restore_info.h Added code to conduct privilege checking for all objects prior to executing restore. For tables, views, and triggers the check is object-level, for tablespace it is global-level, and for all other objects it is database-level. Moved RESTORE_ACL check to new method in kernel.cc so that it occurs prior to prechecking object-level privileges. @ sql/share/errmsg-utf8.txt New error messages. @ sql/share/errmsg.txt New error messages.
[4 Nov 2009 20:44]
Chuck Bell
Privileges in the MySQL Backup feature have been changed to use the BACKUP_ACL and RESTORE + SUPER_ACL to perform elevated backup and restore.

Backup
------
If the user has BACKUP_ACL on all of the databases she lists on the backup database command, the code will elevate privileges during the execution of the backup. This will permit users to backup databases that contain objects to which they may not have complete access.

Restore
-------
If the user has RESTORE_ACL for all of the databases in the backup image and has the SUPER_ACL global permission, restore shall execute with elevated privileges. If the user does not have the SUPER_ACL but does have RESTORE_ACL on all databases in the backup image, a prechecking step shall be performed prior to executing the restore whereby access for all objects is checked. If any access check fails, restore halts with an error.

Note: The prechecking step is skipped for elevated restore.

Note: If the user has SUPER_ACL but does not have RESTORE_ACL for all of the databases, the prechecking step shall be performed for all objects.

Options
-------
backup-elevation (default ON) - turns on backup elevation
restore-elevation (default ON) - turns on restore elevation
restore-precheck (default ON) - turns on restore prechecking

The equivalent variable names use _ instead of - (e.g. backup_elevation).

Note: The backup-elevation was added to complement the restore-elevation mechanism making a more complete feature set.

To set the startup options, one can prepend 'enable' or 'disable' like this: ./mysqld .... --enable-backup-elevation --disable-restore-elevation. Or use the @@global to set the variable like normal.
[4 Nov 2009 20:56]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/89360 2888 Chuck Bell 2009-11-04 [merge] BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE The backup system must be changed to meet a decision to allow elevation of privileges for backup if the user has only the BACKUP_ACL privilege and elevation of privileges for restore if the user has the RESTORE_ACL and SUPER_ACL privileges. This patch implements the privilege elevation change for backup as well as privilege elevation for restore iff the user has both RESTORE and SUPER on all databases in the image. The restore will fall back to object-level privilege checking if this condition is not met. Note: This is patch 2 of 3. Patch 1 implements privilege checking, patch 3 implements the options to skip precheck and turn elevation off. @ mysql-test/suite/backup/r/backup_restore_security.result Corrected result file. @ mysql-test/suite/backup/r/backup_security.result Corrected result file. @ mysql-test/suite/backup/t/backup_restore_security.test Added new test cases. @ mysql-test/suite/backup/t/backup_security.test Corrected error return codes. @ sql/backup/backup_info.cc Added privilege elevation for backup using security context method (similar to replication). @ sql/backup/kernel.cc Added privilege elevation code for elevating iff the user has RESTORE + SUPER. @ sql/backup/restore_info.h Added attributes for privilege checking. Moved privilege checking to new method. @ sql/si_objects.cc Removed privilege elevation from si_objects code @ sql/sql_class.cc Added methods to set, save, restore the access levels for turning off elevation and preserving user context. @ sql/sql_class.h Added methods to set, save, and restore privilege access.
[4 Nov 2009 21:52]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/89372 2889 Chuck Bell 2009-11-04 BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE The backup system must be changed to meet a decision to allow elevation of privileges for backup if the user has only the BACKUP_ACL privilege and elevation of privileges for restore if the user has the RESTORE_ACL and SUPER_ACL privileges. This patch implements the privilege elevation change for backup as well as privilege elevation for restore iff the user has both RESTORE and SUPER on all databases in the image. The restore will fall back to object-level privilege checking if this condition is not met. Note: This is patch 2 of 3. Patch 1 implements privilege checking, patch 3 implements the options to skip precheck and turn elevation off. @ mysql-test/suite/backup/r/backup_restore_security.result Corrected result file. @ mysql-test/suite/backup/t/backup_restore_security.test Added new test cases. @ mysql-test/suite/backup/t/backup_security.test Corrected error return codes. @ sql/backup/backup_info.cc Added privilege elevation for backup using security context method (similar to replication). @ sql/backup/kernel.cc Added methods to save and restore privileges prior to and after elevation. @ sql/backup/restore_info.h Added attributes for privilege checking. Added code to do restore elevation in the check_restore_privileges() method. @ sql/si_objects.cc Removed privilege elevation from si_objects code. @ sql/sql_class.cc Added methods to set, save, restore the access levels for turning off elevation and preserving user context. @ sql/sql_class.h Added methods to set, save, and restore privilege access.
[4 Nov 2009 22:25]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/89373 2890 Chuck Bell 2009-11-04 BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE The backup system must be changed to meet the Server PT decision to turn off backup elevation, restore elevation, and restore prechecking by startup options and variables. This patch implements startup options and variables to do the following:

backup-elevation/backup_elevation
  ON = turn on backup elevation
  OFF = turn off backup elevation
  Note: Default is ON

restore-elevation/restore_elevation
  ON = turn on restore elevation
  OFF = turn off restore elevation
  Note: Default is ON

restore-precheck/restore_precheck
  ON = turn on restore precheck
  OFF = turn off restore precheck
  Note: Default is ON

Note: This is patch 3 of 3. Patch 1 implements privilege checking, patch 2 implements privilege elevation. @ mysql-test/suite/backup/r/backup_security_options.result New result file. @ mysql-test/suite/backup/r/backup_security_var.result New result file. @ mysql-test/suite/backup/t/backup_security_options-master.opt Option file to disable all options. @ mysql-test/suite/backup/t/backup_security_options.test New test for testing startup options. @ mysql-test/suite/backup/t/backup_security_var.test New test for testing new variables. @ sql/backup/backup_info.cc Added code to turn elevation on or off depending on option set. @ sql/backup/restore_info.h Added gates to skip privilege elevation for restore. Rearranged code to catch all combination of options. @ sql/mysqld.cc Added startup options. @ sql/set_var.cc Added variable classes. @ sql/sql_class.h Added variable declarations.
[5 Nov 2009 18:08]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/89511 2888 Chuck Bell 2009-11-05 BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error. Note: This is patch 1 of 3. Patch 2 implements elevation, patch 3 implements the options to skip precheck and turn elevation off. @ mysql-test/suite/backup/r/backup_restore_security.result New result file. @ mysql-test/suite/backup/r/backup_security.result Corrected result file. @ mysql-test/suite/backup/t/backup_restore_security.test New test for testing restore security prechecks. @ mysql-test/suite/backup/t/backup_security.test Corrected errors now that restore prechecking is complete. @ sql/backup/kernel.cc Added call to do object-level privilege checking. @ sql/backup/restore_info.h Added code to conduct privilege checking for all objects prior to executing restore. For tables, views, and triggers the check is object-level, for tablespace it is global-level, and for all other objects it is database-level. Moved RESTORE_ACL check to new method in kernel.cc so that it occurs prior to prechecking object-level privileges. @ sql/share/errmsg-utf8.txt New error messages. @ sql/share/errmsg.txt New error messages.
[5 Nov 2009 18:10]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/89514 2888 Chuck Bell 2009-11-05 BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error. The object-level privileges checked include the following.

  RESTORE,CREATE,DROP on db
  CREATE on db.x (if table or view x)
  CREATE_TABLESPACE on *.* (if tablespace)
  SUPER on *.* (if view, stored routine, event or trigger)
  CREATE_PROC on db.* (if stored routine)
  EVENT on db.* (if event)
  GRANT on db.* (if privilege)
  TRIGGER on db.* (if trigger but table not found)
  TRIGGER on db.t (if trigger on t)

Note: This is patch 1 of 3. Patch 2 implements elevation, patch 3 implements the options to skip precheck and turn elevation off. @ mysql-test/suite/backup/r/backup_restore_security.result New result file. @ mysql-test/suite/backup/r/backup_security.result Corrected result file. @ mysql-test/suite/backup/t/backup_restore_security.test New test for testing restore security prechecks. @ mysql-test/suite/backup/t/backup_security.test Corrected errors now that restore prechecking is complete. @ sql/backup/kernel.cc Added call to do object-level privilege checking. @ sql/backup/restore_info.h Added code to conduct privilege checking for all objects prior to executing restore. For tables, views, and triggers the check is object-level, for tablespace it is global-level, and for all other objects it is database-level. Moved RESTORE_ACL check to new method in kernel.cc so that it occurs prior to prechecking object-level privileges. @ sql/share/errmsg-utf8.txt New error messages. @ sql/share/errmsg.txt New error messages.
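Added example, not part of the thread and not MySQL source code: a small C++ model of the restore decision described in the [4 Nov 2009 20:44] comment (elevate, precheck, or halt) combined with the per-object privilege list in the commit message above. Every type, function and constant name, the sample image, the error text and the `Unchecked` outcome for a disabled precheck are assumptions made for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical privilege bits, named after the list in the commit message.
enum Priv : uint32_t {
  P_RESTORE = 1u << 0, P_CREATE = 1u << 1, P_DROP = 1u << 2,
  P_CREATE_TABLESPACE = 1u << 3, P_SUPER = 1u << 4, P_CREATE_PROC = 1u << 5,
  P_EVENT = 1u << 6, P_GRANT = 1u << 7, P_TRIGGER = 1u << 8
};
enum class Kind { Database, Table, View, Tablespace, Routine, Event, Trigger, Privilege };

// One object recorded in a backup image (constructed model, not the image format).
struct Obj { Kind kind; std::string db; std::string name; std::string table; };

// Grants held by the restoring user; a higher level implies the lower ones.
struct User {
  uint32_t global = 0;
  std::map<std::string, uint32_t> db;   // key: "db"
  std::map<std::string, uint32_t> obj;  // key: "db.table"
  uint32_t at_db(const std::string& d) const {
    auto it = db.find(d);
    return global | (it == db.end() ? 0u : it->second);
  }
  uint32_t at_obj(const std::string& d, const std::string& n) const {
    auto it = obj.find(d + "." + n);
    return at_db(d) | (it == obj.end() ? 0u : it->second);
  }
};

static bool has(uint32_t held, uint32_t need) { return (held & need) == need; }

// Per-object rule set from the commit message. "Table not found" for a trigger
// is modelled as: the trigger's table is not among the tables in the image.
bool object_allowed(const User& u, const Obj& o, const std::set<std::string>& tables) {
  const bool super = has(u.global, P_SUPER);
  switch (o.kind) {
    case Kind::Database:   return has(u.at_db(o.db), P_RESTORE | P_CREATE | P_DROP);
    case Kind::Table:      return has(u.at_obj(o.db, o.name), P_CREATE);
    case Kind::View:       return super && has(u.at_obj(o.db, o.name), P_CREATE);
    case Kind::Tablespace: return has(u.global, P_CREATE_TABLESPACE);
    case Kind::Routine:    return super && has(u.at_db(o.db), P_CREATE_PROC);
    case Kind::Event:      return super && has(u.at_db(o.db), P_EVENT);
    case Kind::Privilege:  return has(u.at_db(o.db), P_GRANT);
    case Kind::Trigger: {
      bool found = tables.count(o.db + "." + o.table) > 0;
      return super && has(found ? u.at_obj(o.db, o.table) : u.at_db(o.db), P_TRIGGER);
    }
  }
  return false;
}

enum class Mode { Elevated, Prechecked, Unchecked, Denied };
struct Options { bool restore_elevation = true; bool restore_precheck = true; };
struct Decision { Mode mode; std::string error; };

// Decide how a restore runs BEFORE anything is dropped. The error text is
// constructed here and deliberately names no object.
Decision plan_restore(const User& u, const std::vector<Obj>& image, Options opt = Options()) {
  std::set<std::string> dbs, tables;
  for (const Obj& o : image) {
    if (o.kind == Kind::Database) dbs.insert(o.db);
    if (o.kind == Kind::Table) tables.insert(o.db + "." + o.name);
  }
  bool restore_on_all = true;
  for (const std::string& d : dbs) restore_on_all = restore_on_all && has(u.at_db(d), P_RESTORE);
  if (opt.restore_elevation && restore_on_all && has(u.global, P_SUPER))
    return Decision{Mode::Elevated, ""};      // precheck is skipped when elevated
  if (!opt.restore_precheck)
    return Decision{Mode::Unchecked, ""};     // assumption: restore may fail part-way
  int failed = 0;
  for (const Obj& o : image) if (!object_allowed(u, o, tables)) ++failed;
  if (failed > 0)
    return Decision{Mode::Denied, "Insufficient privileges to restore the backup image."};
  return Decision{Mode::Prechecked, ""};
}

// Constructed sample image: two databases, one table each, optionally a view.
std::vector<Obj> sample_image(bool with_view) {
  std::vector<Obj> img = {
    {Kind::Database, "sales", "", ""}, {Kind::Database, "hr", "", ""},
    {Kind::Table, "sales", "orders", ""}, {Kind::Table, "hr", "staff", ""}};
  if (with_view) img.push_back({Kind::View, "hr", "v_payroll", ""});
  return img;
}

int main() {
  User op;  // RESTORE + CREATE + DROP on both databases, no SUPER
  op.db["sales"] = op.db["hr"] = P_RESTORE | P_CREATE | P_DROP;
  Decision d = plan_restore(op, sample_image(true));
  std::cout << (d.mode == Mode::Denied ? d.error : "restore may proceed") << "\n";
  return 0;
}
```

In this model a user holding SUPER and RESTORE but not CREATE and DROP is elevated by default, yet is halted by the precheck once `restore_elevation` is turned off.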
[5 Nov 2009 19:06]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/89515 2889 Chuck Bell 2009-11-05 BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE The backup system must be changed to meet a decision to allow elevation of privileges for backup if the user has only the BACKUP_ACL privilege and elevation of privileges for restore if the user has the RESTORE_ACL and SUPER_ACL privileges. This patch implements the privilege elevation change for backup as well as privilege elevation for restore iff the user has both RESTORE and SUPER on all databases in the image. The restore will fall back to object-level privilege checking if this condition is not met. Note: This is patch 2 of 3. Patch 1 implements privilege checking, patch 3 implements the options to skip precheck and turn elevation off. @ mysql-test/suite/backup/r/backup_restore_security.result Corrected result file. @ mysql-test/suite/backup/r/backup_security.result Corrected result file. @ mysql-test/suite/backup/t/backup_restore_security.test Added new test cases. @ mysql-test/suite/backup/t/backup_security.test Corrected error return codes. @ sql/backup/backup_info.cc Added privilege elevation for backup using security context method (similar to replication). @ sql/backup/kernel.cc Added methods to save and restore privileges prior to and after elevation. @ sql/backup/restore_info.h Added attributes for privilege checking. Added code to do restore elevation in the check_restore_privileges() method. @ sql/si_objects.cc Removed privilege elevation from si_objects code. @ sql/sql_class.cc Added methods to set, save, restore the access levels for turning off elevation and preserving user context. @ sql/sql_class.h Added methods to set, save, and restore privilege access.
[5 Nov 2009 19:40]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/89518

2890 Chuck Bell 2009-11-05

BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE

The backup system must be changed to meet the Server PT decision to turn off backup elevation, restore elevation, and restore prechecking by startup options and variables.

This patch implements startup options and variables to do the following:

backup-elevation/backup_elevation
  ON = turn on backup elevation
  OFF = turn off backup elevation
  Note: Default is ON

restore-elevation/restore_elevation
  ON = turn on restore elevation
  OFF = turn off restore elevation
  Note: Default is ON

restore-precheck/restore_precheck
  ON = turn on restore precheck
  OFF = turn off restore precheck
  Note: Default is ON

Note: This is patch 3 of 3. Patch 1 implements privilege checking, patch 2 implements privilege elevation.

@ mysql-test/suite/backup/r/backup_security_options.result
  New result file.
@ mysql-test/suite/backup/r/backup_security_var.result
  New result file.
@ mysql-test/suite/backup/t/backup_security_options-master.opt
  Option file to disable all options.
@ mysql-test/suite/backup/t/backup_security_options.test
  New test for testing startup options.
@ mysql-test/suite/backup/t/backup_security_var.test
  New test for testing new variables.
@ sql/backup/backup_info.cc
  Added code to turn elevation on or off depending on option set.
@ sql/backup/restore_info.h
  Added gates to skip privilege elevation for restore. Rearranged code to catch all combination of options.
@ sql/mysqld.cc
  Added startup options.
@ sql/set_var.cc
  Added variable classes.
@ sql/sql_class.h
  Added variable declarations.
[6 Nov 2009 13:40]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/89594

2890 Chuck Bell 2009-11-06

BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE

The backup system must be changed to allow users to adjust the privilege behavior of MySQL Backup by allowing them to turn off backup elevation, restore elevation, and restore prechecking using startup options and/or variables.

This patch implements startup options and variables to do the following:

backup_elevation
  ON = turn on backup elevation
  OFF = turn off backup elevation
  Note: Default is ON

restore_elevation
  ON = turn on restore elevation
  OFF = turn off restore elevation
  Note: Default is ON

restore_precheck
  ON = turn on restore precheck
  OFF = turn off restore precheck
  Note: Default is ON

Note: This is patch 3 of 3. Patch 1 implements privilege checking, patch 2 implements privilege elevation.

@ mysql-test/suite/backup/r/backup_security_options.result
  New result file.
@ mysql-test/suite/backup/r/backup_security_var.result
  New result file.
@ mysql-test/suite/backup/t/backup_security_options-master.opt
  Option file to disable all options.
@ mysql-test/suite/backup/t/backup_security_options.test
  New test for testing startup options.
@ mysql-test/suite/backup/t/backup_security_var.test
  New test for testing new variables.
@ sql/backup/backup_info.cc
  Added code to turn elevation on or off depending on option set.
@ sql/backup/restore_info.h
  Added gates to skip privilege elevation for restore. Rearranged code to catch all combination of options.
@ sql/mysqld.cc
  Added startup options.
@ sql/set_var.cc
  Added variable classes.
@ sql/sql_class.h
  Added variable declarations.
[6 Nov 2009 14:48]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/89608

2888 Chuck Bell 2009-11-06

BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE

Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error.

The object-level privileges checked include the following.

  RESTORE,CREATE,DROP on db.*
  CREATE on db.x (if table or view x)
  CREATE_TABLESPACE on *.* (if tablespace)
  SUPER on *.* (if view, stored routine, event or trigger)
  CREATE_PROC on db.* (if stored routine)
  EVENT on db.* (if event)
  GRANT on db.* (if privilege)
  TRIGGER on db.* (if trigger but table not found)
  TRIGGER on db.t (if trigger on t)

Note: This is patch 1 of 3. Patch 2 implements elevation, patch 3 implements the options to skip precheck and turn elevation off.

@ mysql-test/suite/backup/include/error_name_to_number.inc
  Added new error code for debug insertion testing.
@ mysql-test/suite/backup/r/backup_errors_debug_3.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_restore_security.result
  New result file.
@ mysql-test/suite/backup/r/backup_security.result
  Corrected result file.
@ mysql-test/suite/backup/t/backup_errors_debug_3.test
  Added test case for when db is not found in catalog.
@ mysql-test/suite/backup/t/backup_restore_security.test
  New test for testing restore security prechecks.
@ mysql-test/suite/backup/t/backup_security.test
  Corrected errors now that restore prechecking is complete.
@ sql/backup/kernel.cc
  Added call to do object-level privilege checking.
@ sql/backup/restore_info.h
  Added code to conduct privilege checking for all objects prior to executing restore. For tables, views, and triggers the check is object-level, for tablespace it is global-level, and for all other objects it is database-level. Moved RESTORE_ACL check to new method in kernel.cc so that it occurs prior to prechecking object-level privileges.
@ sql/share/errmsg-utf8.txt
  New error messages.
@ sql/share/errmsg.txt
  New error messages.
[11 Nov 2009 16:51]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/90121

2888 Chuck Bell 2009-11-11

BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE

Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error.

The object-level privileges checked include the following.

  RESTORE,CREATE,DROP on db.*
  CREATE on db.x (if table or view x)
  CREATE_TABLESPACE on *.* (if tablespace)
  SUPER on *.* (if view, stored routine, event or trigger)
  CREATE_PROC on db.* (if stored routine)
  EVENT on db.* (if event)
  GRANT on db.* (if privilege)
  TRIGGER on db.* (if trigger but table not found)
  TRIGGER on db.t (if trigger on t)

Note: This is patch 1 of 3. Patch 2 implements elevation, patch 3 implements the options to skip precheck and turn elevation off.

@ mysql-test/suite/backup/include/error_name_to_number.inc
  Added new error code for debug insertion testing.
@ mysql-test/suite/backup/r/backup_errors_debug_3.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_restore_security.result
  New result file.
@ mysql-test/suite/backup/r/backup_security.result
  Corrected result file.
@ mysql-test/suite/backup/t/backup_errors_debug_3.test
  Added test case for when db is not found in catalog.
@ mysql-test/suite/backup/t/backup_restore_security.test
  New test for testing restore security prechecks.
@ mysql-test/suite/backup/t/backup_security.test
  Corrected errors now that restore prechecking is complete.
@ sql/backup/kernel.cc
  Added call to do object-level privilege checking.
@ sql/backup/restore_info.h
  Added code to conduct privilege checking for all objects prior to executing restore. For tables, views, and triggers the check is object-level, for tablespace it is global-level, and for all other objects it is database-level. Moved RESTORE_ACL check to new method in kernel.cc so that it occurs prior to prechecking object-level privileges.
@ sql/share/errmsg-utf8.txt
  New error messages.
@ sql/share/errmsg.txt
  New error messages.
[11 Nov 2009 21:29]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/90167

2889 Chuck Bell 2009-11-11

BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE

The backup system must be changed to meet a decision to allow elevation of privileges for backup if the user has only the BACKUP_ACL privilege and elevation of privileges for restore if the user has the RESTORE_ACL and SUPER_ACL privileges.

This patch implements the privilege elevation change for backup as well as privilege elevation for restore iff the user has both RESTORE and SUPER on all databases in the image. The restore will fall back to object-level privilege checking if this condition is not met.

Note: This is patch 2 of 3. Patch 1 implements privilege checking, patch 3 implements the options to skip precheck and turn elevation off.

@ mysql-test/suite/backup/r/backup_errors_debug_3.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_restore_security.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_security.result
  Corrected result file.
@ mysql-test/suite/backup/t/backup_errors_debug_3.test
  Must turn off this test case until we can turn off elevation because the debug insertion code is in the prechecking code.
@ mysql-test/suite/backup/t/backup_restore_security.test
  Added new test cases.
@ mysql-test/suite/backup/t/backup_security.test
  Corrected error return codes.
@ sql/backup/backup_info.cc
  Added privilege elevation for backup using security context method (similar to replication).
@ sql/backup/kernel.cc
  Added methods to save and restore privileges prior to and after elevation. Added code to call the new check_restore_elevation() method. Added check to ensure elevation is OFF before doing prechecking.
@ sql/backup/restore_info.h
  Added attributes for privilege checking. Added code to do restore elevation in the check_restore_elevation() method.
@ sql/si_objects.cc
  Removed privilege elevation from si_objects code.
@ sql/sql_class.cc
  Added methods to set, save, restore the access levels for turning off elevation and preserving user context.
@ sql/sql_class.h
  Added methods to set, save, and restore privilege access.
[13 Nov 2009 18:20]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/90387

2889 Chuck Bell 2009-11-13

BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE

There are three problems that have been identified for this bug.

1) Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error.

The object-level privileges checked include the following.

  RESTORE,CREATE,DROP on db.*
  CREATE on db.x (if table or view x)
  CREATE_TABLESPACE on *.* (if tablespace)
  SUPER on *.* (if view, stored routine, event or trigger)
  CREATE_PROC on db.* (if stored routine)
  EVENT on db.* (if event)
  GRANT on db.* (if privilege)
  TRIGGER on db.* (if trigger but table not found)
  TRIGGER on db.t (if trigger on t)

2) The backup system must be changed to permit the elevation of privileges for backup if the user has the BACKUP_ACL privilege and elevation of privileges for restore if the user has the RESTORE_ACL on all databases and the global SUPER_ACL privilege. This patch implements the privilege elevation change for backup as well as privilege elevation for restore. The restore will fall back to object-level privilege checking if the conditions for restore are not met.

3) The backup system must be changed to allow users to adjust the privilege behavior of MySQL Backup by allowing them to turn off backup elevation, restore elevation, and restore prechecking using startup options and/or variables.

This patch implements startup options and variables to do the following:

backup_elevation
  ON = turn on backup elevation
  OFF = turn off backup elevation
  Note: Default is ON

restore_elevation
  ON = turn on restore elevation
  OFF = turn off restore elevation
  Note: Default is ON

restore_precheck
  ON = turn on restore precheck
  OFF = turn off restore precheck
  Note: Default is ON

@ mysql-test/suite/backup/include/error_name_to_number.inc
  Added new error code for debug testing.
@ mysql-test/suite/backup/r/backup_errors_debug_3.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_restore_security.result
  New result file.
@ mysql-test/suite/backup/r/backup_security.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_security_options.result
  New test for testing startup options.
@ mysql-test/suite/backup/r/backup_security_var.result
  New result file.
@ mysql-test/suite/backup/t/backup_errors_debug_3.test
  Added new test cases for debug error testing of new errors.
@ mysql-test/suite/backup/t/backup_restore_security.test
  New test for testing restore security prechecks.
@ mysql-test/suite/backup/t/backup_security.test
  Corrected errors now that restore prechecking is complete.
@ mysql-test/suite/backup/t/backup_security_options-master.opt
  Option file to disable all options.
@ mysql-test/suite/backup/t/backup_security_options.test
  New test for testing startup options.
@ mysql-test/suite/backup/t/backup_security_var.test
  New test for testing new variables.
@ sql/backup/CMakeLists.txt
  Added new source file.
@ sql/backup/Makefile.am
  Added new source file.
@ sql/backup/backup_info.cc
  Added code for backup elevation.
@ sql/backup/backup_kernel.h
  Added parameter for checking elevation.
@ sql/backup/kernel.cc
  Added calls to save original privileges and elevate privileges if conditions are met. Included checks for options and variables to turn off prechecking, backup elevation, and restore elevation.
@ sql/backup/restore_info.h
  Added parameter for controlling prechecking. Moved privilege checking to new prechecking method.
@ sql/mysqld.cc
  Added startup options.
@ sql/set_var.cc
  Added variable classes.
@ sql/share/errmsg-utf8.txt
  New error messages.
@ sql/share/errmsg.txt
  New error messages.
@ sql/si_objects.cc
  Removed privilege elevation from si_objects code.
@ sql/sql_class.cc
  Added variable classes.
@ sql/sql_class.h
  Added variable declarations.
@ sql/sql_parse.cc
  Added parameter for skipping prechecking.
[16 Nov 2009 14:12]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/90510

2889 Chuck Bell 2009-11-16

BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE

There are three problems that have been identified for this bug.

1) Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error.

The object-level privileges checked include the following.

  RESTORE,CREATE,DROP on db.*
  CREATE on db.x (if table or view x)
  CREATE_TABLESPACE on *.* (if tablespace)
  SUPER on *.* (if view, stored routine, event or trigger)
  CREATE_PROC on db.* (if stored routine)
  EVENT on db.* (if event)
  GRANT on db.* (if privilege)
  TRIGGER on db.* (if trigger but table not found)
  TRIGGER on db.t (if trigger on t)

2) The backup system must be changed to permit the elevation of privileges for backup if the user has the BACKUP_ACL privilege and elevation of privileges for restore if the user has the RESTORE_ACL on all databases and the global SUPER_ACL privilege. This patch implements the privilege elevation change for backup as well as privilege elevation for restore. The restore will fall back to object-level privilege checking if the conditions for restore are not met.

3) The backup system must be changed to allow users to adjust the privilege behavior of MySQL Backup by allowing them to turn off backup elevation, restore elevation, and restore prechecking using startup options and/or variables.

This patch implements startup options and variables to do the following:

backup_elevation
  ON = turn on backup elevation
  OFF = turn off backup elevation
  Note: Default is ON

restore_elevation
  ON = turn on restore elevation
  OFF = turn off restore elevation
  Note: Default is ON

restore_precheck
  ON = turn on restore precheck
  OFF = turn off restore precheck
  Note: Default is ON

@ mysql-test/suite/backup/include/error_name_to_number.inc
  Added new error code for debug testing.
@ mysql-test/suite/backup/r/backup_errors_debug_3.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_restore_security.result
  New result file.
@ mysql-test/suite/backup/r/backup_security.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_security_options.result
  New test for testing startup options.
@ mysql-test/suite/backup/r/backup_security_var.result
  New result file.
@ mysql-test/suite/backup/t/backup_errors_debug_3.test
  Added new test cases for debug error testing of new errors.
@ mysql-test/suite/backup/t/backup_restore_security.test
  New test for testing restore security prechecks.
@ mysql-test/suite/backup/t/backup_security.test
  Corrected errors now that restore prechecking is complete.
@ mysql-test/suite/backup/t/backup_security_options-master.opt
  Option file to disable all options.
@ mysql-test/suite/backup/t/backup_security_options.test
  New test for testing startup options.
@ mysql-test/suite/backup/t/backup_security_var.test
  New test for testing new variables.
@ sql/backup/CMakeLists.txt
  Added new source file.
@ sql/backup/Makefile.am
  Added new source file.
@ sql/backup/backup_info.cc
  Added code for backup elevation.
@ sql/backup/backup_kernel.h
  Added parameter for checking elevation.
@ sql/backup/kernel.cc
  Added calls to save original privileges and elevate privileges if conditions are met. Included checks for options and variables to turn off prechecking, backup elevation, and restore elevation.
@ sql/backup/restore_info.cc
  New code file.
@ sql/backup/restore_info.h
  Added parameter for controlling prechecking. Moved privilege checking to new prechecking method.
@ sql/mysqld.cc
  Added startup options.
@ sql/set_var.cc
  Added variable classes.
@ sql/share/errmsg-utf8.txt
  New error messages.
@ sql/share/errmsg.txt
  New error messages.
@ sql/si_objects.cc
  Removed privilege elevation from si_objects code.
@ sql/sql_class.cc
  Added variable classes.
@ sql/sql_class.h
  Added variable declarations.
@ sql/sql_parse.cc
  Added parameter for skipping prechecking.
[16 Nov 2009 21:37]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/90578

2891 Chuck Bell 2009-11-16 [merge]

BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE

There are three problems that have been identified for this bug.

1) Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error.

The object-level privileges checked include the following.

  RESTORE,CREATE,DROP on db.*
  CREATE on db.x (if table or view x)
  CREATE_TABLESPACE on *.* (if tablespace)
  SUPER on *.* (if view, stored routine, event or trigger)
  CREATE_PROC on db.* (if stored routine)
  EVENT on db.* (if event)
  GRANT on db.* (if privilege)
  TRIGGER on db.* (if trigger but table not found)
  TRIGGER on db.t (if trigger on t)

2) The backup system must be changed to permit the elevation of privileges for backup if the user has the BACKUP_ACL privilege and elevation of privileges for restore if the user has the RESTORE_ACL on all databases and the global SUPER_ACL privilege. This patch implements the privilege elevation change for backup as well as privilege elevation for restore. The restore will fall back to object-level privilege checking if the conditions for restore are not met.

3) The backup system must be changed to allow users to adjust the privilege behavior of MySQL Backup by allowing them to turn off backup elevation, restore elevation, and restore prechecking using startup options and/or variables.

This patch implements startup options and variables to do the following:

backup_elevation
  ON = turn on backup elevation
  OFF = turn off backup elevation
  Note: Default is ON

restore_elevation
  ON = turn on restore elevation
  OFF = turn off restore elevation
  Note: Default is ON

restore_precheck
  ON = turn on restore precheck
  OFF = turn off restore precheck
  Note: Default is ON

@ mysql-test/suite/backup/include/error_name_to_number.inc
  Added new error code for debug testing.
@ mysql-test/suite/backup/r/backup_errors_debug_3.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_restore_security.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_security.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_security_options.result
  New result file.
@ mysql-test/suite/backup/r/backup_security_var.result
  New result file.
@ mysql-test/suite/backup/t/backup_errors_debug_3.test
  Added new test cases for debug error testing of new errors.
@ mysql-test/suite/backup/t/backup_restore_security.test
  New test for testing restore security prechecks.
@ mysql-test/suite/backup/t/backup_security.test
  Corrected errors now that restore prechecking is complete.
@ mysql-test/suite/backup/t/backup_security_options-master.opt
  Option file to disable all options.
@ mysql-test/suite/backup/t/backup_security_options.test
  New test for testing startup options.
@ mysql-test/suite/backup/t/backup_security_var.test
  New test for testing new variables.
@ sql/backup/CMakeLists.txt
  Added new source file.
@ sql/backup/Makefile.am
  Added new source file.
@ sql/backup/backup_info.cc
  Added code for backup elevation.
@ sql/backup/kernel.cc
  Added calls to save original privileges and elevate privileges if conditions are met.
@ sql/backup/restore_info.cc
  New code file. Implements prechecking method.
@ sql/backup/restore_info.h
  Added attribute to determine if it is safe to elevate restore. Moved privilege checking to new prechecking method.
@ sql/mysqld.cc
  Added startup options.
@ sql/set_var.cc
  Added variable classes.
@ sql/share/errmsg-utf8.txt
  New error messages.
@ sql/share/errmsg.txt
  New error messages.
@ sql/si_objects.cc
  Removed privilege elevation from si_objects code.
@ sql/sql_class.cc
  Added variable classes.
@ sql/sql_class.h
  Added variable declarations.
[17 Nov 2009 11:50]
Rafal Somla
Approved pending minor fixes of the patch.
[20 Nov 2009 21:20]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/91170

2891 Chuck Bell 2009-11-20 [merge]

BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
WL#5172 : MySQL Backup elevation options

There are three problems that have been identified for this bug.

1) Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error.

The object-level privileges checked include the following.

  RESTORE,CREATE,DROP on db.*
  CREATE on db.x (if table or view x)
  CREATE_TABLESPACE on *.* (if tablespace)
  SUPER on *.* (if view, stored routine, event or trigger)
  CREATE_PROC on db.* (if stored routine)
  EVENT on db.* (if event)
  GRANT on db.* (if privilege)
  TRIGGER on db.* (if trigger but table not found)
  TRIGGER on db.t (if trigger on t)

2) The backup system must be changed to permit the elevation of privileges for backup if the user has the BACKUP_ACL privilege and elevation of privileges for restore if the user has the RESTORE_ACL on all databases and the global SUPER_ACL privilege. This patch implements the privilege elevation change for backup as well as privilege elevation for restore. The restore will fall back to object-level privilege checking if the conditions for restore are not met.

3) The backup system must be changed to allow users to adjust the privilege behavior of MySQL Backup by allowing them to turn off backup elevation, restore elevation, and restore prechecking using startup options and/or variables.

This patch implements startup options and global + session variables to do the following:

backup_elevation
  ON = turn on backup elevation
  OFF = turn off backup elevation
  Note: Default is ON

restore_elevation
  ON = turn on restore elevation
  OFF = turn off restore elevation
  Note: Default is ON

restore_precheck
  ON = turn on restore precheck
  OFF = turn off restore precheck
  Note: Default is ON

@ mysql-test/suite/backup/include/error_name_to_number.inc
  Added new error code for debug testing.
@ mysql-test/suite/backup/r/backup_errors_debug_3.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_restore_security.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_security.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_security_options.result
  New result file.
@ mysql-test/suite/backup/r/backup_security_var.result
  New result file.
@ mysql-test/suite/backup/t/backup_errors_debug_3.test
  Added new test cases for debug error testing of new errors.
@ mysql-test/suite/backup/t/backup_restore_security.test
  New test for testing restore security prechecks.
@ mysql-test/suite/backup/t/backup_security.test
  Corrected errors now that restore prechecking is complete.
@ mysql-test/suite/backup/t/backup_security_options-master.opt
  Option file to disable all options.
@ mysql-test/suite/backup/t/backup_security_options.test
  New test for testing startup options.
@ mysql-test/suite/backup/t/backup_security_var.test
  New test for testing new variables.
@ sql/backup/CMakeLists.txt
  Added new source file.
@ sql/backup/Makefile.am
  Added new source file.
@ sql/backup/backup_info.cc
  Added code for backup elevation.
@ sql/backup/kernel.cc
  Added calls to save original privileges and elevate privileges if conditions are met.
@ sql/backup/restore_info.cc
  New code file. Implements prechecking method.
@ sql/backup/restore_info.h
  Added attribute to determine if it is safe to elevate restore. Moved privilege checking to new prechecking method.
@ sql/mysqld.cc
  Added startup options.
@ sql/set_var.cc
  Added variable classes.
@ sql/share/errmsg-utf8.txt
  New error messages.
@ sql/share/errmsg.txt
  New error messages.
@ sql/si_objects.cc
  Removed privilege elevation from si_objects code.
@ sql/sql_class.cc
  Added variable classes.
@ sql/sql_class.h
  Added variable declarations.
[24 Nov 2009 18:51]
Ingo Strüwing
Approved pending changes. Please see email. Expecting answers back.
[25 Nov 2009 22:24]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/91716

2891 Chuck Bell 2009-11-25 [merge]

BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
WL#5172 : MySQL Backup elevation options

There are three problems that have been identified for this bug.

1) Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error.

The object-level privileges checked include the following.

  RESTORE,CREATE,DROP on db.*
  CREATE on db.x (if table or view x)
  CREATE_TABLESPACE on *.* (if tablespace)
  SUPER on *.* (if view, stored routine, event or trigger)
  CREATE_PROC on db.* (if stored routine)
  EVENT on db.* (if event)
  GRANT on db.* (if privilege)
  TRIGGER on db.* (if trigger but table not found)
  TRIGGER on db.t (if trigger on t)

2) The backup system must be changed to permit the elevation of privileges for backup if the user has the BACKUP_ACL privilege and elevation of privileges for restore if the user has the RESTORE_ACL on all databases and the global SUPER_ACL privilege. This patch implements the privilege elevation change for backup as well as privilege elevation for restore. The restore will fall back to object-level privilege checking if the conditions for restore are not met.

3) The backup system must be changed to allow users to adjust the privilege behavior of MySQL Backup by allowing them to turn off backup elevation, restore elevation, and restore prechecking using startup options. It shall also permit the user to turn restore prechecking on or off via a variable.

This patch implements the following:

backup_elevation - startup option, global read only variable
  ON = turn on backup elevation
  OFF = turn off backup elevation
  Note: Default is ON

restore_elevation - startup option, global read only variable
  ON = turn on restore elevation
  OFF = turn off restore elevation
  Note: Default is ON

restore_precheck - startup option, global and session variable
  ON = turn on restore precheck
  OFF = turn off restore precheck
  Note: Default is ON

@ mysql-test/suite/backup/include/error_name_to_number.inc
  Added new error code for debug testing.
@ mysql-test/suite/backup/r/backup_errors_debug_3.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_restore_security.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_security.result
  Corrected result file.
@ mysql-test/suite/backup/r/backup_security_options.result
  New result file.
@ mysql-test/suite/backup/r/backup_security_var.result
  New result file.
@ mysql-test/suite/backup/t/backup_errors_debug_3.test
  Added new test cases for debug error testing of new errors.
@ mysql-test/suite/backup/t/backup_restore_security-master.opt
  Option file to disable backup and restore elevation options.
@ mysql-test/suite/backup/t/backup_restore_security.test
  New test for testing restore security prechecks.
@ mysql-test/suite/backup/t/backup_security.test
  Corrected errors now that restore prechecking is complete.
@ mysql-test/suite/backup/t/backup_security_options-master.opt
  Option file to disable all options.
@ mysql-test/suite/backup/t/backup_security_options.test
  New test for testing startup options.
@ mysql-test/suite/backup/t/backup_security_var.test
  New test for testing new variables.
@ sql/backup/CMakeLists.txt
  Added new source file.
@ sql/backup/Makefile.am
  Added new source file.
@ sql/backup/api_types.h
  Added external declarations for compilation.
@ sql/backup/backup_info.cc
  Added code for backup elevation.
@ sql/backup/kernel.cc
  Added calls to save original privileges and elevate privileges if conditions are met.
@ sql/backup/restore_info.cc
  New code file. Implements prechecking method.
@ sql/backup/restore_info.h
  Added attribute to determine if it is safe to elevate restore. Moved privilege checking to new prechecking method.
@ sql/mysqld.cc
  Added startup options.
@ sql/set_var.cc
  Added variable classes.
@ sql/share/errmsg-utf8.txt
  New error messages.
@ sql/share/errmsg.txt
  New error messages.
@ sql/si_objects.cc
  Removed privilege elevation from si_objects code.
@ sql/sql_class.cc
  Added variable classes.
@ sql/sql_class.h
  Added variable declarations.
[30 Nov 2009 15:14]
Ingo Strüwing
Approved. Though I wish the copyright would be claimed for 2009, not 2008.
[21 Dec 2009 19:31]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/95304

3022 Chuck Bell 2009-12-21
BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
WL#5172 : MySQL Backup elevation options

There are three problems that have been identified for this bug.

1) Restore can fail in the middle if the user does not have sufficient privileges to create and populate all of the objects. This patch implements a privilege precheck step to check all objects for proper access. If any object fails the privilege check, restore halts with an error. The object-level privileges checked include the following.

  RESTORE,CREATE,DROP on db.*
  CREATE on db.x (if table or view x)
  CREATE_TABLESPACE on *.* (if tablespace)
  SUPER on *.* (if view, stored routine, event or trigger)
  CREATE_PROC on db.* (if stored routine)
  EVENT on db.* (if event)
  GRANT on db.* (if privilege)
  TRIGGER on db.* (if trigger but table not found)
  TRIGGER on db.t (if trigger on t)

2) The backup system must be changed to permit the elevation of privileges for backup if the user has the BACKUP_ACL privilege and elevation of privileges for restore if the user has the RESTORE_ACL on all databases and the global SUPER_ACL privilege. This patch implements the privilege elevation change for backup as well as privilege elevation for restore. The restore will fall back to object-level privilege checking if the conditions for restore are not met.

3) The backup system must be changed to allow users to adjust the privilege behavior of MySQL Backup by allowing them to turn off backup elevation, restore elevation, and restore prechecking using startup options. It shall also permit the user to turn restore prechecking on or off via a variable.

This patch implements the following:

backup_elevation - startup option, global read only variable
  ON = turn on backup elevation
  OFF = turn off backup elevation
  Note: Default is ON

restore_elevation - startup option, global read only variable
  ON = turn on restore elevation
  OFF = turn off restore elevation
  Note: Default is ON

restore_precheck - startup option, global and session variable
  ON = turn on restore precheck
  OFF = turn off restore precheck
  Note: Default is ON

original changeset: 2899 (from mysql-6.0-backup)

@ sql/backup/restore_info.cc
  New code file. Implements prechecking method.
[20 Feb 2010 9:18]
Bugs System
Pushed into 6.0.14-alpha (revid:ingo.struewing@sun.com-20100218152520-s4v1ld76bif06eqn) (version source revid:ingo.struewing@sun.com-20100119103538-wtp5alpz4p2jayl5) (merge vers: 6.0.14-alpha) (pib:16)
[21 Apr 2010 17:32]
Paul DuBois
Noted in 6.0.14 changelog.

The BACKUP DATABASE statement could fail even if the user had all privileges for backed-up objects. The RESTORE statement could fail in the middle if the user did not have sufficient privileges to access all objects in the backup image.

To deal with such problems, the privileges required for backup and restore operations are established to be as follows: For BACKUP DATABASE, the user must have the BACKUP privilege for each database to back up. For RESTORE, the user must have the RESTORE privilege for each database in the backup image.

In addition, internal privilege elevation is used to enable backup and restore to succeed even if the user does not otherwise have privileges to access the objects in the image. Privilege elevation is controlled by three new system variables:

* backup_elevation: To use the BACKUP DATABASE statement, a user must have the BACKUP privilege for each database to be included in the backup image. Assuming that this is true, the backup_elevation variable determines whether privilege elevation occurs internally. If this variable is enabled (the default), privilege elevation occurs and enables the backup to succeed even if the user does not have the privileges required to access all objects in the backup image. If the variable is disabled, privilege elevation does not occur and an error occurs if the user does not have the privileges required to access all objects.

* restore_elevation: To use the RESTORE statement, a user must have the RESTORE privilege for each database in the backup image. Assuming that this is true, the restore_elevation variable determines, in conjunction with whether the user also has the SUPER privilege, whether privilege elevation occurs internally. If this variable is enabled (the default) and the user has SUPER, privilege elevation occurs and enables the restore to succeed even if the user does not have the privileges required to access all objects in the backup image. If the variable is disabled or the user does not have SUPER, privilege elevation does not occur and an error occurs if the user does not have the required privileges. In the absence of privilege elevation, the restore either performs privilege prechecking before attempting to restore objects or checks privileges for each object before restoring it. The restore_precheck variable determines whether prechecking occurs.

* restore_precheck: This variable determines whether privilege prechecking is used when the RESTORE statement does not use privilege elevation. (Elevation is not used if the restore_elevation variable is disabled or the user does not have the SUPER privilege.) When privilege elevation does not occur and restore_precheck is enabled (the default), the restore attempts to determine, before restoring any objects from the backup image, whether the user has all privileges required to access all the objects, and fails with an error if not. If restore_precheck is disabled, prechecking does not occur and the restore performs privilege checking for each object before restoring it. In this case, the restore operation could fail in the middle due to errors resulting from insufficient privileges.
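The RESTORE decision flow described in the changelog note, combined with the object-level privilege list from the 2009-12-21 commit message, as an added Python model (not MySQL source code and not part of the original thread). The object kinds, the `restore`/`required`/`held` names, the sample image and the rule that a broader-scope grant satisfies a narrower one are assumptions made for illustration.

```python
# Added illustration, not MySQL code: RESTORE privilege flow per the changelog note.
RULES = {  # kind -> [(privilege, scope template)], from the commit message's precheck list
    "database":   [("RESTORE", "{db}.*"), ("CREATE", "{db}.*"), ("DROP", "{db}.*")],
    "table":      [("CREATE", "{db}.{name}")],
    "view":       [("CREATE", "{db}.{name}"), ("SUPER", "*.*")],
    "tablespace": [("CREATE_TABLESPACE", "*.*")],
    "routine":    [("SUPER", "*.*"), ("CREATE_PROC", "{db}.*")],
    "event":      [("SUPER", "*.*"), ("EVENT", "{db}.*")],
    "privilege":  [("GRANT", "{db}.*")],
    "trigger":    [("SUPER", "*.*"), ("TRIGGER", "{db}.{table}")],  # table "*" if not found
}

def required(obj):
    """Privileges the precheck list names for one object in the backup image."""
    ctx = {"db": "*", "table": "*", **obj}
    return [(p, s.format(**ctx)) for p, s in RULES[obj["kind"]]]

def held(grants, priv, scope):
    """Assumption: a grant at a broader scope (*.* or db.*) satisfies a narrower one."""
    db = scope.split(".")[0]
    return any((priv, s) in grants for s in ("*.*", f"{db}.*", scope))

def missing(grants, obj):
    return [r for r in required(obj) if not held(grants, *r)]

def restore(image, grants, restore_elevation=True, restore_precheck=True):
    """Return (mode, names_restored, missing_privileges)."""
    names = [o["name"] for o in image]
    need = [("RESTORE", f"{o['db']}.*") for o in image if o["kind"] == "database"]
    denied = [r for r in need if not held(grants, *r)]
    if denied:                      # RESTORE on every database is always required
        return ("denied", [], denied)
    if restore_elevation and ("SUPER", "*.*") in grants:
        return ("elevated", names, [])
    if restore_precheck:            # all-or-nothing: nothing is restored on failure
        gaps = [m for o in image for m in missing(grants, o)]
        return ("precheck", [] if gaps else names, gaps)
    done = []                       # per-object checks: can stop part-way through
    for o in image:
        if (gaps := missing(grants, o)):
            return ("per-object", done, gaps)
        done.append(o["name"])
    return ("per-object", done, [])

# Constructed sample: one database with a table and a view; the user lacks SUPER.
IMAGE = [{"kind": "database", "db": "shop", "name": "shop"},
         {"kind": "table", "db": "shop", "name": "orders"},
         {"kind": "view", "db": "shop", "name": "v_orders"}]
GRANTS = {("RESTORE", "shop.*"), ("CREATE", "shop.*"), ("DROP", "shop.*")}
```

With the sample grants, prechecking rejects the restore before anything is written, while disabling `restore_precheck` leaves the database and table restored and stops at the view.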