Bug #45606 ACL requires IPv4-mapped addresses to be used
Submitted: 19 Jun 2009 10:10  Modified: 7 Mar 2010 2:15
Reporter: Alexander Nozdrin
Status: Closed
Category: MySQL Server: General  Severity: S3 (Non-critical)
Version: 5.4  OS: Any
Assigned to: Alexander Nozdrin  CPU Architecture: Any

[19 Jun 2009 10:10] Alexander Nozdrin
Description:
After IPv6 patch, IPv4 addresses are converted to IPv4-mapped form.
That makes grants in the form of <username>@<ipv4 address> unusable.

Workaround: for each IPv4 address add a grant in the form of an IPv4-mapped
address.

How to repeat:
$ mysql -u root # -- Connect using UNIX sockets;

> SELECT user, host FROM mysql.user;
+------+---------------+
| user | host          |
+------+---------------+
| root | 127.0.0.1     | 
| root | localhost     | 
+------+---------------+

> GRANT ALL PRIVILEGES ON *.* TO u1@192.168.1.101;
OK

> SELECT user, host FROM mysql.user;
+------+---------------+
| user | host          |
+------+---------------+
| root | 127.0.0.1     | 
| u1   | 192.168.1.101 | 
| root | localhost     | 
+------+---------------+

---------------------------------------------

$ mysql --protocol=tcp -u u1 -h 192.168.1.101
ERROR 1130 (HY000): Host 'quad' is not allowed to connect to this MySQL server

---------------------------------------------

$ mysql -u root # -- Connect using UNIX sockets;

> GRANT ALL PRIVILEGES ON *.* TO u1@'::ffff:192.168.1.1';
OK

> SELECT user, host FROM mysql.user;
+------+----------------------+
| user | host                 |
+------+----------------------+
| root | 127.0.0.1            | 
| u1   | 192.168.1.101        | 
| u1   | ::ffff:192.168.1.101 | 
| root | localhost            | 
+------+----------------------+

---------------------------------------------

$ mysql --protocol=tcp -u u1 -h 192.168.1.101
OK
[30 Jun 2009 16:11] Format Dynamics
I would also like to report the same behavior in Cluster 7.0.6.
There is also an additional problem with skip-resolve-names on. It seems that with this on, even the mapped addresses don't work as MySQL says it needs resolution turned on for mapped addresses to work. This seems incorrect behavior.

--- ON SERVER 

# mysql -h localhost -P 3307 -p mysql
Server version: 5.1.34-ndb-7.0.6-cluster-gpl-log MySQL Cluster Server (GPL)

mysql> GRANT ALL ON mysql.* TO test@'::ffff:10.10.10.16';
Query OK, 0 rows affected, 1 warning (0.02 sec)

mysql> show warnings;
+---------+------+--------------------------------------------------------------------------------------------------------------+
| Level   | Code | Message                                                                                                      |
+---------+------+--------------------------------------------------------------------------------------------------------------+
| Warning | 1285 | MySQL is started in --skip-name-resolve mode; you must restart it without this switch for this grant to work |
+---------+------+--------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.03 sec)

mysql> select user,host from user where user='test';
+------+--------------------+
| user | host               |
+------+--------------------+
| test | ::ffff:10.10.10.16 |
+------+--------------------+
1 row in set (0.00 sec)

--- ON CLIENT
# mysql -h 10.10.10.17 -P 3307 -u test mysql
ERROR 1045 (28000): Access denied for user 'test'@'::ffff:10.10.10.16' (using password: NO)

This works though:

mysql> GRANT ALL ON mysql.* TO test@'%10.10.10.16';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

# mysql -h 10.10.10.17 -P 3307 -u test mysql
mysql>

Thanx,

-Tony
[1 Jul 2009 10:56] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/77641

2805 Alexander Nozdrin	2009-07-01
      A patch for Bug#45606 (ACL requires IPv4-mapped addresses to be used).
      
      The problem is that if IPv6 is available, getpeername() returns
      all addresses in IPv6 form (IPv4 addresses are returned as IPv4-mapped).
      The server uses the IP string returned by getpeername() to authorize
      connected clients. So, if ACL contains an ordinary IPv4 address,
      it will not be matched, because it is compared against IPv4-mapped address.
      
      The fix is to use ordinary IPv4 address if IPv4-mapped address is detected.
[2 Jul 2009 19:11] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/77822

2805 Alexander Nozdrin	2009-07-02
      A patch for Bug#45606 (ACL requires IPv4-mapped addresses to be used).
      
      The problem is that if IPv6 is available, getpeername() returns all
      addresses in IPv6 form (IPv4 addresses are returned as IPv4-mapped).
      The server uses the IP string returned by getpeername() to authorize
      connected clients. So, if ACL contains an ordinary IPv4 address, it will
      not be matched, because it is compared against IPv4-mapped address.
      
      The fix is to use ordinary IPv4 address if IPv4-mapped address is detected.
[28 Jul 2009 15:52] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/79430

2805 Alexander Nozdrin	2009-07-28
      A patch for Bug#45606 (ACL requires IPv4-mapped addresses to be used).
      
      The problem is that if IPv6 is available, getpeername() returns all
      addresses in IPv6 form (IPv4 addresses are returned as IPv4-mapped).
      The server uses the IP string returned by getpeername() to authorize
      connected clients. So, if ACL contains an ordinary IPv4 address, it will
      not be matched, because it is compared against IPv4-mapped address.
      
      The fix is to use ordinary IPv4 address if IPv4-mapped address is detected.
[5 Aug 2009 16:02] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/80182

2804 Alexander Nozdrin	2009-08-05
      A patch for Bug#45606 (ACL requires IPv4-mapped addresses to be used).
      
      The problem is that if IPv6 is available, getpeername() returns all
      addresses in IPv6 form (IPv4 addresses are returned as IPv4-mapped).
      The server uses the IP string returned by getpeername() to authorize
      connected clients. So, if ACL contains an ordinary IPv4 address, it will
      not be matched, because it is compared against IPv4-mapped address.
      
      The fix is to use ordinary IPv4 addresses for IPv4-mapped or
      IPv4-compatible IPv6 addresses.
      
      A new build option has been also added to configure.in: --disable-ipv6.
      If this option is specified, all IPv6-specific code will be compiled out
      from the server. NOTE: if this option is misused, it may break the server:
      in IPv6-enabled environments, getnameinfo() will still return IPv6 addresses,
      but the server will not be able to handle that.
     @ configure.in
        HAVE_STRUCT_IN6_ADDR will be defined when IPv6 is supported.
[5 Aug 2009 17:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/80197

2843 Alexander Nozdrin	2009-08-05
      A patch for Bug#45606 (ACL requires IPv4-mapped addresses to be used).
      
      The problem is that if IPv6 is available, getpeername() returns all
      addresses in IPv6 form (IPv4 addresses are returned as IPv4-mapped).
      The server uses the IP string returned by getpeername() to authorize
      connected clients. So, if ACL contains an ordinary IPv4 address, it will
      not be matched, because it is compared against IPv4-mapped address.
      
      The fix is to use ordinary IPv4 addresses for IPv4-mapped or
      IPv4-compatible IPv6 addresses.
      
      A new build option has been also added to configure.in: --disable-ipv6.
      If this option is specified, all IPv6-specific code will be compiled out
      from the server. NOTE: if this option is misused, it may break the server:
      in IPv6-enabled environments, getnameinfo() will still return IPv6 addresses,
      but the server will not be able to handle that.
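The normalisation the commit messages describe, written out as an added example (not the MySQL patch itself): an IPv4-mapped or IPv4-compatible IPv6 peer address is folded back to an AF_INET sockaddr before it is rendered as the host string the ACL is matched against, so a `u1@192.168.1.101` grant matches a client whose getpeername() result was `::ffff:192.168.1.101`. The function names and the `acl_host_string` helper are assumptions for illustration; it relies on the POSIX `IN6_IS_ADDR_V4MAPPED` / `IN6_IS_ADDR_V4COMPAT` macros.

```c
/* Added example, not the MySQL patch: fold an IPv4-mapped (::ffff:a.b.c.d)
 * or IPv4-compatible (::a.b.c.d) IPv6 peer address back to plain IPv4 before
 * it becomes the host string matched against the ACL. Assumes a POSIX
 * <netinet/in.h> with IN6_IS_ADDR_V4MAPPED / IN6_IS_ADDR_V4COMPAT (glibc, BSD). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Rewrite *ss in place: an IPv6 sockaddr carrying an embedded IPv4 address
 * becomes an AF_INET sockaddr (port preserved). Returns 1 if converted. */
int normalize_peer_addr(struct sockaddr_storage *ss)
{
    if (ss->ss_family != AF_INET6)
        return 0;
    struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)ss;
    if (!IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr) &&
        !IN6_IS_ADDR_V4COMPAT(&a6->sin6_addr))
        return 0;                          /* genuine IPv6 peer: keep it */
    struct sockaddr_in a4;
    memset(&a4, 0, sizeof(a4));
    a4.sin_family = AF_INET;
    a4.sin_port = a6->sin6_port;
    /* the IPv4 address is the last 4 of the 16 bytes of in6_addr */
    memcpy(&a4.sin_addr, &a6->sin6_addr.s6_addr[12], sizeof(a4.sin_addr));
    memset(ss, 0, sizeof(*ss));
    memcpy(ss, &a4, sizeof(a4));
    return 1;
}

/* Parse a textual peer address as getpeername()/getnameinfo() would report
 * it, normalise it, and return the host string the ACL would be compared
 * against. Returns NULL if the text is not an IP address at all. */
const char *acl_host_string(const char *peer, char *buf, size_t buflen)
{
    struct sockaddr_storage ss;
    struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)&ss;
    struct sockaddr_in *a4 = (struct sockaddr_in *)&ss;
    memset(&ss, 0, sizeof(ss));
    if (inet_pton(AF_INET6, peer, &a6->sin6_addr) == 1)
        ss.ss_family = AF_INET6;
    else if (inet_pton(AF_INET, peer, &a4->sin_addr) == 1)
        ss.ss_family = AF_INET;
    else
        return NULL;
    normalize_peer_addr(&ss);
    if (ss.ss_family == AF_INET6)
        return inet_ntop(AF_INET6, &a6->sin6_addr, buf, buflen);
    return inet_ntop(AF_INET, &a4->sin_addr, buf, buflen);
}
```

Note that loopback `::1` and genuine IPv6 peers pass through unchanged, which is exactly why the `--disable-ipv6` build option in the patch is risky on dual-stack hosts.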
[5 Aug 2009 17:58] Alexander Nozdrin
Patch queued into azalea-bugfixing.
[24 Aug 2009 13:53] Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090824135126-2rngffvth14a8bpj) (version source revid:alik@sun.com-20090805173937-fcv1fdveodq5x9gb) (merge vers: 5.4.4-alpha) (pib:11)
[28 Aug 2009 13:28] Jon Stephens
Documented bugfix in the 5.4.4 and NDB-7.0.7 changelogs as follows:

        For an IPv6-enabled MySQL server, privileges specified using
        standard IPv4 addresses for hosts were not matched (only
        IPv4-mapped addresses were handled correctly).

        As part of the fix for this bug, a new build option
        --disable-ipv6 has been introduced. Compiling MySQL with this
        option causes all IPv6-specific code in the server to be
        ignored. IMPORTANT: If the server is compiled using 
        --disable-ipv6, it is not able to resolve hostnames correctly 
        when run in an IPv6 environment.

Closed.
[9 Oct 2009 23:19] Paul DuBois
Noted in 6.0.14 changelog.
[3 Dec 2009 9:09] Bugs System
Pushed into 5.6.0-beta (revid:alik@sun.com-20091202160026-699xnqx8c6a6t2lk) (version source revid:alik@sun.com-20091125105323-j82ts9ns936i45vv) (merge vers: 5.6.0-beta) (pib:13)
[3 Dec 2009 9:10] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091202161413-u81nw1foglcu7nao) (version source revid:alik@sun.com-20091125105553-vvedtv1bpmugb1nj) (merge vers: 6.0.14-alpha) (pib:13)
[3 Dec 2009 20:46] Paul DuBois
Noted in 5.6.0 changelog.

Already fixed in 6.0.x.
[6 Mar 2010 10:59] Bugs System
Pushed into 5.5.3-m3 (revid:alik@sun.com-20100306103849-hha31z2enhh7jwt3) (version source revid:wlad@sol-20091204200504-9d3d3b6ad75ijkqo) (merge vers: 5.6.0-beta) (pib:16)
[7 Mar 2010 2:15] Paul DuBois
Moved 5.6.0 changelog entry to 5.5.3.