Bug #44787 Backup: Check privileges before executing BACKUP/RESTORE
Submitted: 11 May 2009 12:52
Modified: 21 Apr 2010 17:32
Reporter: Jørgen Løland
Status: Closed
Category: MySQL Server: Backup
Severity: S3 (Non-critical)
Version: 6.0-backup
OS: Any
Assigned to: Chuck Bell
CPU Architecture: Any
Triage: Triaged: D1 (Critical)

[11 May 2009 12:52] Jørgen Løland
Description:
BACKUP/RESTORE handle privilege checks implicitly because the commands call server functions that perform these checks.

Regarding privileges, there are two problems with the current BACKUP/RESTORE implementation:

1) Only function calls to the server (through si_object) are checked for privileges (table creation and similar meta-data creation) while calls that go to backup drivers are not checked (e.g., INSERT).  
2) Privileges are not checked before starting to perform BACKUP/RESTORE, but rather when the various parts in the backup image are processed. For RESTORE, a missing privilege (except missing DROP DATABASE) will therefore drop the existing database and create a new empty one before failing.

How to repeat:
Create a user without CREATE VIEW privilege
Create a database with a view
Insert some data
Backup the database
Switch to user with limited privileges
RESTORE ... OVERWRITE
-> Fails, leaving a database with empty tables and (of course) no view.

Suggested fix:
Make BACKUP/RESTORE check privileges before starting to do the actual work. This way, the commands can fail with 'access denied' before doing anything harmful.
[26 May 2009 5:52] Jørgen Løland
Related to WL#4090.
[5 Jun 2009 15:37] Chuck Bell
This bug has been made obsolete by BUG#39580. The work done in that worklog makes this bug obsolete. It was made a duplicate so that it can be tracked along with BUG#39580.
[24 Jun 2009 19:52] Chuck Bell
Now that the decision has been made to not do elevated privileges in BUG#39580, this is no longer a duplicate issue. Indeed, it is still very much an issue with the current decision.
[1 Jul 2009 19:13] Chuck Bell
<from Rafal's review of BUG#39580 patch>

SUGGESTIONS
----------
2. Test additional scenarios where an explicit list of databases (more than 1) is given to BACKUP command and where RESTORE restores more than one database. User has privileges for some of the databases but not for others.
[27 Jul 2009 14:44] Chuck Bell
This bug will have to wait until it can be decided if the privilege elevation mechanism can be made safe from the identified security vulnerability in the backup image (e.g., modifying the backup image file manually to insert malicious SQL statements).

If the privilege elevation mechanism is implemented, the solution for this bug will be trivial.

If the privilege elevation mechanism is *not* implemented, the solution for this bug will require extensive research to determine the precise minimal privileges needed to perform a backup and restore. 

Note: Research to date implies the minimal set of privileges may be context sensitive. For example, granting a certain database level privilege permits the user to 'see' all of the tables with SHOW TABLES but may not be sufficient to perform a backup that reads the metadata and data. Similarly, depending on the objects in the database, some privileges may not be required and therefore the solution may have to test for a different minimal set for each backup and restore.

Setting back to 'verified' until the question of privilege elevation is answered.
[30 Sep 2009 0:29] Chuck Bell
On 29 September, the backup team decided we would not do privilege elevation for restore and would instead do detailed privilege checking prior to executing the DROP statements for the database(s) in the backup image.

This bug therefore will implement detailed privilege checking on restore. This means each object will be tested for access by the user. If the user does not have sufficient privileges, the restore will halt and not destroy any data. Furthermore, whenever possible the error message displayed shall not disclose the name of any object that fails privilege checking.
[1 Oct 2009 1:24] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/85295

2875 Chuck Bell	2009-09-30
      BUG#44787 : 
      
      This patch implements a prototype for the detailed privilege checking on
      restore. 
      
      NOTICE: This is a prototype patch committed for the benefit of the backup team
      to evaluate the solution proposed. A formal patch will be issued later once
      all input is considered.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        New result file.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing detailed privilege checking on restore.
        
        NOTE: This is incomplete.
     @ sql/backup/kernel.cc
        Adds detailed privilege checking to the bcat_add_item() restore method.
     @ sql/share/errmsg-utf8.txt
        New error message.
     @ sql/share/errmsg.txt
        New error message.
[1 Oct 2009 1:35] Chuck Bell
Setting back to in-progress because patch is only a prototype and should not be reviewed as complete.
[2 Oct 2009 21:19] Chuck Bell
The patch for this work shall include a new test file containing test cases for testing restore security tasks.
[30 Oct 2009 15:55] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/88775

2887 Chuck Bell	2009-10-30
      BUG#44787 : 
      
      Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects.
      
      This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error.
      
      Note: This is patch 1 of 3. Patch 2 implements elevation,
      patch 3 implements the options to skip precheck and turn
      elevation off.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        New result file.
     @ mysql-test/suite/backup/t/backup_restore_security-master.opt
        Option file to turn on binlog for SUPER check on stored
        procedures and functions.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing restore security prechecks.
     @ sql/backup/kernel.cc
        Added code to conduct privilege checking for all objects
        prior to executing restore. For tables, views, and triggers
        the check is object-level, for tablespace it is global-level,
        and for all other objects it is database-level.
     @ sql/share/errmsg-utf8.txt
        New error messages.
     @ sql/share/errmsg.txt
        New error messages.
[30 Oct 2009 15:59] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/88776

2887 Chuck Bell	2009-10-30
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects.
      
      This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error.
      
      Note: This is patch 1 of 3. Patch 2 implements elevation,
      patch 3 implements the options to skip precheck and turn
      elevation off.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        New result file.
     @ mysql-test/suite/backup/t/backup_restore_security-master.opt
        Option file to turn on binlog for SUPER check on stored
        procedures and functions.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing restore security prechecks.
     @ sql/backup/kernel.cc
        Added code to conduct privilege checking for all objects
        prior to executing restore. For tables, views, and triggers
        the check is object-level, for tablespace it is global-level,
        and for all other objects it is database-level.
     @ sql/share/errmsg-utf8.txt
        New error messages.
     @ sql/share/errmsg.txt
        New error messages.
[30 Oct 2009 16:10] Chuck Bell
After much discussion, we are now moving on this plan:

1) Backup elevation shall be changed to use the same mechanism as replication and shall require only the BACKUP privilege at the database-level for all databases in the backup.

2) Restore elevation shall be implemented to use the same mechanism as replication and shall require RESTORE + SUPER at the database-level for all databases in the backup image.

3) If the user does not have RESTORE + SUPER for any database in the backup image, the restore shall default to performing a pre-check of the privileges for all objects in the backup image. 

4) The user shall have the option to skip the precheck by setting --skip-restore-precheck to 1 (default is 0).

5) The user shall have the option to turn off backup elevation by setting --skip-backup-elevation to 0 (default is 1).
[2 Nov 2009 18:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/88985

2888 Chuck Bell	2009-11-02
      BUG#44787 : 
      
      The backup system must be changed to meet the Server PT decision
      to elevate backup if BACKUP and restore if RESTORE + SUPER.
      
      This patch implements the privilege elevation change for backup
      as well as privilege elevation for restore iff the user has both
      RESTORE and SUPER on all databases in the image. The restore
      will fall back to object-level privilege checking if this condition
      is not met.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        Added new test cases.
        Corrected error return codes.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected error return codes.
     @ sql/backup/backup_info.cc
        Added privilege elevation for backup using security context
        method (similar to replication).
     @ sql/backup/kernel.cc
        Added privilege elevation code for elevating iff the user
        has RESTORE + SUPER.
        Added object-level privilege checking for normal access.
     @ sql/backup/restore_info.h
        Added attributes for privilege checking.
        Moved privilege checking to new method.
     @ sql/si_objects.cc
        Removed privilege elevation from si_objects code.
     @ sql/sql_class.cc
        Added methods to save the access levels for turning off 
        elevation and preserving user context.
     @ sql/sql_class.h
        Added methods to preserve privilege access.
[2 Nov 2009 18:33] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/88986

2888 Chuck Bell	2009-11-02
      BUG#44787 : 
      
      The backup system must be changed to meet the Server PT decision
      to elevate backup if BACKUP and restore if RESTORE + SUPER.
      
      This patch implements the privilege elevation change for backup
      as well as privilege elevation for restore iff the user has both
      RESTORE and SUPER on all databases in the image. The restore
      will fall back to object-level privilege checking if this condition
      is not met.
      
      Note: This is patch 2 of 3. Patch 1 implements privilege checking,
            patch 3 implements the options to skip precheck and turn
            elevation off.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        Added new test cases.
        Corrected error return codes.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected error return codes.
     @ sql/backup/backup_info.cc
        Added privilege elevation for backup using security context
        method (similar to replication).
     @ sql/backup/kernel.cc
        Added privilege elevation code for elevating iff the user
        has RESTORE + SUPER.
        Added object-level privilege checking for normal access.
     @ sql/backup/restore_info.h
        Added attributes for privilege checking.
        Moved privilege checking to new method.
     @ sql/si_objects.cc
        Removed privilege elevation from si_objects code.
     @ sql/sql_class.cc
        Added methods to save the access levels for turning off 
        elevation and preserving user context.
     @ sql/sql_class.h
        Added methods to preserve privilege access.
[2 Nov 2009 19:05] Ingo Strüwing
Approved pending changes. See email. (Sorry for the late update of this bug report.)
[2 Nov 2009 21:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89009

2888 Chuck Bell	2009-11-02
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      The backup system must be changed to meet the Server PT decision
      to elevate backup if BACKUP and restore if RESTORE + SUPER.
      
      This patch implements the privilege elevation change for backup
      as well as privilege elevation for restore iff the user has both
      RESTORE and SUPER on all databases in the image. The restore
      will fall back to object-level privilege checking if this condition
      is not met.
      
      Note: This is patch 2 of 3. Patch 1 implements privilege checking,
            patch 3 implements the options to skip precheck and turn
            elevation off.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        Added new test cases.
        Corrected error return codes.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected error return codes.
     @ sql/backup/backup_info.cc
        Added privilege elevation for backup using security context
        method (similar to replication).
     @ sql/backup/kernel.cc
        Added privilege elevation code for elevating iff the user
        has RESTORE + SUPER.
        Added object-level privilege checking for normal access.
     @ sql/backup/restore_info.h
        Added attributes for privilege checking.
        Moved privilege checking to new method.
     @ sql/si_objects.cc
        Removed privilege elevation from si_objects code.
     @ sql/sql_class.cc
        Added methods to save the access levels for turning off 
        elevation and preserving user context.
     @ sql/sql_class.h
        Added methods to preserve privilege access.
[2 Nov 2009 22:28] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89011

2889 Chuck Bell	2009-11-02
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      The backup system must be changed to meet the Server PT decision
      to turn off backup elevation, restore elevation, and restore
      prechecking by startup options and variables.
      
      This patch implements startup options and variables to do the 
      following:
      
      backup-elevation/backup_elevation   ON  = turn on backup elevation
                                          OFF = turn off backup elevation
                                          Note: Default is ON
      
      restore-elevation/restore_elevation ON  = turn on restore elevation
                                          OFF = turn off restore elevation
                                          Note: Default is ON
      
      restore-precheck/restore_precheck   ON  = turn on restore precheck
                                          OFF = turn off restore precheck
                                          Note: Default is ON
      
      Note: This is patch 3 of 3. Patch 1 implements privilege checking,
            patch 2 implements privilege elevation.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security_options.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security_var.result
        New result file.
     @ mysql-test/suite/backup/t/backup_security_options-master.opt
        Option file to disable all options.
     @ mysql-test/suite/backup/t/backup_security_options.test
        New test for testing startup options.
     @ mysql-test/suite/backup/t/backup_security_var.test
        New test for testing new variables.
     @ sql/backup/backup_info.cc
        Added code to turn elevation on or off depending on option set.
     @ sql/backup/kernel.cc
        Added gates to skip privilege elevation for restore.
        Rearranged code to catch all combinations of options.
     @ sql/mysqld.cc
        Added startup options.
     @ sql/set_var.cc
        Added variable classes.
     @ sql/sql_class.h
        Added variable declarations.
[2 Nov 2009 22:40] Chuck Bell
The design suggestion for the options and variables has changed the plan a bit. In order to take advantage of the features for setting binary values, the startup options are now:

backup-elevation (default ON)  - turns on backup elevation
restore-elevation (default ON) - turns on restore elevation
restore-precheck (default ON)  - turns on restore prechecking

The equivalent variable names use _ instead of - (e.g. backup_elevation).

Note: The backup-elevation was added to complement the restore-elevation mechanism making a more complete feature set.

To set the startup options, one can prepend 'enable' or 'disable' like this:

./mysqld .... --enable-backup-elevation --disable-restore-elevation.

Or use the @@global to set the variable like normal.
[3 Nov 2009 23:04] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89233

2887 Chuck Bell	2009-11-03
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects.
      
      This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error.
      
      Note: This is patch 1 of 3. Patch 2 implements elevation,
      patch 3 implements the options to skip precheck and turn
      elevation off.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/t/backup_restore_security-master.opt
        Option file to turn on binlog for SUPER check on stored
        procedures and functions.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing restore security prechecks.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected errors now that restore prechecking is complete.
     @ sql/backup/kernel.cc
        Added code to conduct privilege checking for all objects
        prior to executing restore. For tables, views, and triggers
        the check is object-level, for tablespace it is global-level,
        and for all other objects it is database-level.
     @ sql/backup/restore_info.h
        Moved RESTORE_ACL check to new method in kernel.cc so that
        it occurs prior to prechecking object-level privileges.
     @ sql/share/errmsg-utf8.txt
        New error messages.
     @ sql/share/errmsg.txt
        New error messages.
[4 Nov 2009 16:00] Ingo Strüwing
Approved patch 2 of 3 pending changes. Please see email.
[4 Nov 2009 19:35] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89359

2888 Chuck Bell	2009-11-04
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects.
      
      This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error.
      
      Note: This is patch 1 of 3. Patch 2 implements elevation,
      patch 3 implements the options to skip precheck and turn
      elevation off.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing restore security prechecks.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected errors now that restore prechecking is complete.
     @ sql/backup/kernel.cc
        Added call to do object-level privilege checking.
     @ sql/backup/restore_info.h
        Added code to conduct privilege checking for all objects
        prior to executing restore. For tables, views, and triggers
        the check is object-level, for tablespace it is global-level,
        and for all other objects it is database-level.
        
        Moved RESTORE_ACL check to new method in kernel.cc so that
        it occurs prior to prechecking object-level privileges.
     @ sql/share/errmsg-utf8.txt
        New error messages.
     @ sql/share/errmsg.txt
        New error messages.
[4 Nov 2009 20:44] Chuck Bell
Privileges in the MySQL Backup feature have been changed to use the BACKUP_ACL and RESTORE + SUPER_ACL to perform elevated backup and restore.

Backup
------
If the user has BACKUP_ACL on all of the databases she lists on the backup database command, the code will elevate privileges during the execution of the backup. This will permit users to back up databases that contain objects to which they may not have complete access.

Restore
-------
If the user has RESTORE_ACL for all of the databases in the backup image and has the SUPER_ACL global permission, restore shall execute with elevated privileges.

If the user does not have the SUPER_ACL but does have RESTORE_ACL on all databases in the backup image, a prechecking step shall be performed prior to executing the restore whereby access for all objects is checked. If any access check fails, restore halts with an error. 

Note: The prechecking step is skipped for elevated restore.

Note: If the user has SUPER_ACL but does not have RESTORE_ACL for all of the databases, the prechecking step shall be performed for all objects.

Options
-------

backup-elevation (default ON)  - turns on backup elevation
restore-elevation (default ON) - turns on restore elevation
restore-precheck (default ON)  - turns on restore prechecking

The equivalent variable names use _ instead of - (e.g. backup_elevation).

Note: The backup-elevation was added to complement the restore-elevation mechanism making
a more complete feature set.

To set the startup options, one can prepend 'enable' or 'disable' like this:

./mysqld .... --enable-backup-elevation --disable-restore-elevation.

Or use the @@global to set the variable like normal.
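
The restore decision described in the comment above, modeled as an added example; it is not code from the MySQL tree or from the patches in this report. The type names and the `shop` database with its objects are constructed, the per-object requirements follow the privilege list in the 5 Nov 2009 commit message further down, and the behaviour with restore-precheck turned off is an assumption.

```cpp
// Added illustration: a simplified model of the restore decision, not MySQL source.
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

enum Priv : uint32_t {
  P_RESTORE = 1u << 0, P_CREATE = 1u << 1, P_DROP = 1u << 2, P_SUPER = 1u << 3,
  P_CREATE_TABLESPACE = 1u << 4, P_CREATE_PROC = 1u << 5, P_EVENT = 1u << 6,
  P_GRANT = 1u << 7
};
enum class Kind { Table, View, Tablespace, Routine, Event, Trigger, Grant };
enum class Plan { Elevated, Prechecked, Unchecked, Denied };

struct Object { Kind kind; std::string db, name; };
struct Options { bool restore_elevation = true, restore_precheck = true; };

// Constructed grant model: global (*.*), database (db.*) and object (db.x) scope.
struct Grants {
  uint32_t global = 0;
  std::map<std::string, uint32_t> db, object;  // object key is "db.name"
  uint32_t at_db(const std::string &d) const {
    auto it = db.find(d);
    return global | (it == db.end() ? 0u : it->second);
  }
  uint32_t at_object(const Object &o) const {
    auto it = object.find(o.db + "." + o.name);
    return at_db(o.db) | (it == object.end() ? 0u : it->second);
  }
};

static bool has(uint32_t held, uint32_t need) { return (held & need) == need; }

// Per-object requirement, following the privilege list in the 5 Nov commit message.
bool object_allowed(const Grants &g, const Object &o) {
  const bool super = has(g.global, P_SUPER);
  switch (o.kind) {
    case Kind::Table:      return has(g.at_object(o), P_CREATE);
    case Kind::View:       return has(g.at_object(o), P_CREATE) && super;
    case Kind::Tablespace: return has(g.global, P_CREATE_TABLESPACE);
    case Kind::Routine:    return super && has(g.at_db(o.db), P_CREATE_PROC);
    case Kind::Event:      return super && has(g.at_db(o.db), P_EVENT);
    case Kind::Trigger:    return super;
    case Kind::Grant:      return has(g.at_db(o.db), P_GRANT);
  }
  return false;
}

// Decide how RESTORE runs before any DROP is issued. Denied carries no object
// name, so the caller cannot disclose which object failed the check.
Plan plan_restore(const Grants &g, const std::vector<std::string> &dbs,
                  const std::vector<Object> &image, const Options &opt) {
  bool restore_on_all = true;
  for (const auto &d : dbs)
    restore_on_all = restore_on_all && has(g.at_db(d), P_RESTORE);
  if (opt.restore_elevation && restore_on_all && has(g.global, P_SUPER))
    return Plan::Elevated;   // the precheck is skipped for elevated restore
  if (!opt.restore_precheck)
    return Plan::Unchecked;  // assumption: only the implicit checks remain
  for (const auto &d : dbs)
    if (!has(g.at_db(d), P_RESTORE | P_CREATE | P_DROP)) return Plan::Denied;
  for (const auto &o : image)
    if (!object_allowed(g, o)) return Plan::Denied;
  return Plan::Prechecked;
}

// Constructed sample: the report's scenario, one database with a table and a view.
std::vector<Object> sample_image() {
  return {{Kind::Table, "shop", "t1"}, {Kind::View, "shop", "v1"}};
}
Grants limited_user() {
  Grants g;
  g.db["shop"] = P_RESTORE | P_CREATE | P_DROP;  // no SUPER, so the view fails
  return g;
}

const char *plan_name(Plan p) {
  switch (p) {
    case Plan::Elevated:   return "elevated";
    case Plan::Prechecked: return "prechecked";
    case Plan::Unchecked:  return "unchecked";
    case Plan::Denied:     return "denied";
  }
  return "?";
}

int main() {
  const std::vector<std::string> dbs = {"shop"};
  Grants limited = limited_user();
  Grants with_super = limited_user();
  with_super.global = P_SUPER;
  std::cout << "limited user:    "
            << plan_name(plan_restore(limited, dbs, sample_image(), Options())) << "\n";
  std::cout << "RESTORE + SUPER: "
            << plan_name(plan_restore(with_super, dbs, sample_image(), Options())) << "\n";
  return 0;
}
```

A `Denied` result is returned before anything is dropped, which is the property the original report asks for; `Unchecked` is the path that can still fail midway.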
[4 Nov 2009 20:56] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89360

2888 Chuck Bell	2009-11-04 [merge]
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      The backup system must be changed to meet a decision to allow
      elevation of privileges for backup if the user has only the 
      BACKUP_ACL privilege and elevation of privileges for restore 
      if the user has the RESTORE_ACL and SUPER_ACL privileges.
      
      This patch implements the privilege elevation change for backup
      as well as privilege elevation for restore iff the user has both
      RESTORE and SUPER on all databases in the image. The restore
      will fall back to object-level privilege checking if this condition
      is not met.
      
      Note: This is patch 2 of 3. Patch 1 implements privilege checking,
      patch 3 implements the options to skip precheck and turn
      elevation off.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        Added new test cases.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected error return codes.
     @ sql/backup/backup_info.cc
        Added privilege elevation for backup using security context
        method (similar to replication).
     @ sql/backup/kernel.cc
        Added privilege elevation code for elevating iff the user
        has RESTORE + SUPER.
     @ sql/backup/restore_info.h
        Added attributes for privilege checking.
        Moved privilege checking to new method.
     @ sql/si_objects.cc
        Removed privilege elevation from si_objects code
     @ sql/sql_class.cc
        Added methods to set, save, restore the access levels for turning off 
        elevation and preserving user context.
     @ sql/sql_class.h
        Added methods to set, save, and restore privilege access.
[4 Nov 2009 21:52] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89372

2889 Chuck Bell	2009-11-04
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      The backup system must be changed to meet a decision to allow
      elevation of privileges for backup if the user has only the 
      BACKUP_ACL privilege and elevation of privileges for restore 
      if the user has the RESTORE_ACL and SUPER_ACL privileges.
      
      This patch implements the privilege elevation change for backup
      as well as privilege elevation for restore iff the user has both
      RESTORE and SUPER on all databases in the image. The restore
      will fall back to object-level privilege checking if this condition
      is not met.
      
      Note: This is patch 2 of 3. Patch 1 implements privilege checking,
      patch 3 implements the options to skip precheck and turn
      elevation off.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        Corrected result file.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        Added new test cases.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected error return codes.
     @ sql/backup/backup_info.cc
        Added privilege elevation for backup using security context
        method (similar to replication).
     @ sql/backup/kernel.cc
        Added methods to save and restore privileges prior to and
        after elevation.
     @ sql/backup/restore_info.h
        Added attributes for privilege checking.
        Added code to do restore elevation in the check_restore_privileges()
        method.
     @ sql/si_objects.cc
        Removed privilege elevation from si_objects code.
     @ sql/sql_class.cc
        Added methods to set, save, restore the access levels for turning off 
        elevation and preserving user context.
     @ sql/sql_class.h
        Added methods to set, save, and restore privilege access.
[4 Nov 2009 22:25] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89373

2890 Chuck Bell	2009-11-04
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      The backup system must be changed to meet the Server PT decision
      to turn off backup elevation, restore elevation, and restore
      prechecking by startup options and variables.
      
      This patch implements startup options and variables to do the 
      following:
      
      backup-elevation/backup_elevation   
            ON  = turn on backup elevation
            OFF = turn off backup elevation
            Note: Default is ON
      
      restore-elevation/restore_elevation 
            ON  = turn on restore elevation
            OFF = turn off restore elevation
            Note: Default is ON
      
      restore-precheck/restore_precheck   
            ON  = turn on restore precheck
            OFF = turn off restore precheck
            Note: Default is ON
      
      Note: This is patch 3 of 3. Patch 1 implements privilege checking,
      patch 2 implements privilege elevation.
     @ mysql-test/suite/backup/r/backup_security_options.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security_var.result
        New result file.
     @ mysql-test/suite/backup/t/backup_security_options-master.opt
        Option file to disable all options.
     @ mysql-test/suite/backup/t/backup_security_options.test
        New test for testing startup options.
     @ mysql-test/suite/backup/t/backup_security_var.test
        New test for testing new variables.
     @ sql/backup/backup_info.cc
        Added code to turn elevation on or off depending on option set.
     @ sql/backup/restore_info.h
        Added gates to skip privilege elevation for restore.
        Rearranged code to catch all combinations of options.
     @ sql/mysqld.cc
        Added startup options.
     @ sql/set_var.cc
        Added variable classes.
     @ sql/sql_class.h
        Added variable declarations.
[5 Nov 2009 18:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89511

2888 Chuck Bell	2009-11-05
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects.
      
      This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error.
      
      Note: This is patch 1 of 3. Patch 2 implements elevation,
      patch 3 implements the options to skip precheck and turn
      elevation off.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing restore security prechecks.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected errors now that restore prechecking is complete.
     @ sql/backup/kernel.cc
        Added call to do object-level privilege checking.
     @ sql/backup/restore_info.h
        Added code to conduct privilege checking for all objects
        prior to executing restore. For tables, views, and triggers
        the check is object-level, for tablespace it is global-level,
        and for all other objects it is database-level.
        
        Moved RESTORE_ACL check to new method in kernel.cc so that
        it occurs prior to prechecking object-level privileges.
     @ sql/share/errmsg-utf8.txt
        New error messages.
     @ sql/share/errmsg.txt
        New error messages.
[5 Nov 2009 18:10] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89514

2888 Chuck Bell	2009-11-05
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects.
      
      This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error.
      
      The object-level privileges checked include the following.
        
        RESTORE,CREATE,DROP on db
        CREATE              on db.x (if table or view x)
        CREATE_TABLESPACE   on *.*  (if tablespace)
        SUPER               on *.*  (if view, stored routine, event or trigger)
        CREATE_PROC         on db.* (if stored routine)
        EVENT               on db.* (if event)
        GRANT               on db.* (if privilege)
        TRIGGER             on db.* (if trigger but table not found)
        TRIGGER             on db.t (if trigger on t)
      
      Note: This is patch 1 of 3. Patch 2 implements elevation,
      patch 3 implements the options to skip precheck and turn
      elevation off.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing restore security prechecks.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected errors now that restore prechecking is complete.
     @ sql/backup/kernel.cc
        Added call to do object-level privilege checking.
     @ sql/backup/restore_info.h
        Added code to conduct privilege checking for all objects
        prior to executing restore. For tables, views, and triggers
        the check is object-level, for tablespace it is global-level,
        and for all other objects it is database-level.
        
        Moved RESTORE_ACL check to new method in kernel.cc so that
        it occurs prior to prechecking object-level privileges.
     @ sql/share/errmsg-utf8.txt
        New error messages.
     @ sql/share/errmsg.txt
        New error messages.
[5 Nov 2009 19:06] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89515

2889 Chuck Bell	2009-11-05
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      The backup system must be changed to meet a decision to allow
      elevation of privileges for backup if the user has only the 
      BACKUP_ACL privilege and elevation of privileges for restore 
      if the user has the RESTORE_ACL and SUPER_ACL privileges.
      
      This patch implements the privilege elevation change for backup
      as well as privilege elevation for restore iff the user has both
      RESTORE and SUPER on all databases in the image. The restore
      will fall back to object-level privilege checking if this condition
      is not met.
      
      Note: This is patch 2 of 3. Patch 1 implements privilege checking,
      patch 3 implements the options to skip precheck and turn
      elevation off.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        Added new test cases.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected error return codes.
     @ sql/backup/backup_info.cc
        Added privilege elevation for backup using security context
        method (similar to replication).
     @ sql/backup/kernel.cc
        Added methods to save and restore privileges prior to and
        after elevation.
     @ sql/backup/restore_info.h
        Added attributes for privilege checking.
        Added code to do restore elevation in the check_restore_privileges()
        method.
     @ sql/si_objects.cc
        Removed privilege elevation from si_objects code.
     @ sql/sql_class.cc
        Added methods to set, save, restore the access levels for turning off 
        elevation and preserving user context.
     @ sql/sql_class.h
        Added methods to set, save, and restore privilege access.
[5 Nov 2009 19:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89518

2890 Chuck Bell	2009-11-05
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      The backup system must be changed to meet the Server PT decision
      to turn off backup elevation, restore elevation, and restore
      prechecking by startup options and variables.
      
      This patch implements startup options and variables to do the 
      following:
      
      backup-elevation/backup_elevation   
        ON  = turn on backup elevation
        OFF = turn off backup elevation
        Note: Default is ON
      
      restore-elevation/restore_elevation 
        ON  = turn on restore elevation
        OFF = turn off restore elevation
        Note: Default is ON
      
      restore-precheck/restore_precheck   
        ON  = turn on restore precheck
        OFF = turn off restore precheck
        Note: Default is ON
      
      Note: This is patch 3 of 3. Patch 1 implements privilege checking,
      patch 2 implements privilege elevation.
     @ mysql-test/suite/backup/r/backup_security_options.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security_var.result
        New result file.
     @ mysql-test/suite/backup/t/backup_security_options-master.opt
        Option file to disable all options.
     @ mysql-test/suite/backup/t/backup_security_options.test
        New test for testing startup options.
     @ mysql-test/suite/backup/t/backup_security_var.test
        New test for testing new variables.
     @ sql/backup/backup_info.cc
        Added code to turn elevation on or off depending on option set.
     @ sql/backup/restore_info.h
        Added gates to skip privilege elevation for restore.
        Rearranged code to catch all combinations of options.
     @ sql/mysqld.cc
        Added startup options.
     @ sql/set_var.cc
        Added variable classes.
     @ sql/sql_class.h
        Added variable declarations.
[6 Nov 2009 13:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89594

2890 Chuck Bell	2009-11-06
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      The backup system must be changed to allow users to adjust the
      privilege behavior of MySQL Backup by allowing them
      to turn off backup elevation, restore elevation, and restore
      prechecking using startup options and/or variables.
      
      This patch implements startup options and variables to do the 
      following:
      
      backup_elevation   
        ON  = turn on backup elevation
        OFF = turn off backup elevation
        Note: Default is ON
      
      restore_elevation 
        ON  = turn on restore elevation
        OFF = turn off restore elevation
        Note: Default is ON
      
      restore_precheck   
        ON  = turn on restore precheck
        OFF = turn off restore precheck
        Note: Default is ON
      
      Note: This is patch 3 of 3. Patch 1 implements privilege checking,
      patch 2 implements privilege elevation.
     @ mysql-test/suite/backup/r/backup_security_options.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security_var.result
        New result file.
     @ mysql-test/suite/backup/t/backup_security_options-master.opt
        Option file to disable all options.
     @ mysql-test/suite/backup/t/backup_security_options.test
        New test for testing startup options.
     @ mysql-test/suite/backup/t/backup_security_var.test
        New test for testing new variables.
     @ sql/backup/backup_info.cc
        Added code to turn elevation on or off depending on option set.
     @ sql/backup/restore_info.h
        Added gates to skip privilege elevation for restore.
        Rearranged code to catch all combinations of options.
     @ sql/mysqld.cc
        Added startup options.
     @ sql/set_var.cc
        Added variable classes.
     @ sql/sql_class.h
        Added variable declarations.
[6 Nov 2009 14:48] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89608

2888 Chuck Bell	2009-11-06
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects.
      
      This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error.
      
      The object-level privileges checked include the following.
        
        RESTORE,CREATE,DROP on db.*
        CREATE              on db.x (if table or view x)
        CREATE_TABLESPACE   on *.*  (if tablespace)
        SUPER               on *.*  (if view, stored routine, event or trigger)
        CREATE_PROC         on db.* (if stored routine)
        EVENT               on db.* (if event)
        GRANT               on db.* (if privilege)
        TRIGGER             on db.* (if trigger but table not found)
        TRIGGER             on db.t (if trigger on t)
      
      Note: This is patch 1 of 3. Patch 2 implements elevation,
      patch 3 implements the options to skip precheck and turn
      elevation off.
     @ mysql-test/suite/backup/include/error_name_to_number.inc
        Added new error code for debug insertion testing.
     @ mysql-test/suite/backup/r/backup_errors_debug_3.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/t/backup_errors_debug_3.test
        Added test case for when db is not found in catalog.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing restore security prechecks.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected errors now that restore prechecking is complete.
     @ sql/backup/kernel.cc
        Added call to do object-level privilege checking.
     @ sql/backup/restore_info.h
        Added code to conduct privilege checking for all objects
        prior to executing restore. For tables, views, and triggers
        the check is object-level, for tablespace it is global-level,
        and for all other objects it is database-level.
        
        Moved RESTORE_ACL check to new method in kernel.cc so that
        it occurs prior to prechecking object-level privileges.
     @ sql/share/errmsg-utf8.txt
        New error messages.
     @ sql/share/errmsg.txt
        New error messages.
[11 Nov 2009 16:51] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/90121

2888 Chuck Bell	2009-11-11
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects.
      
      This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error.
      
      The object-level privileges checked include the following.
        
        RESTORE,CREATE,DROP on db.*
        CREATE              on db.x (if table or view x)
        CREATE_TABLESPACE   on *.*  (if tablespace)
        SUPER               on *.*  (if view, stored routine, event or trigger)
        CREATE_PROC         on db.* (if stored routine)
        EVENT               on db.* (if event)
        GRANT               on db.* (if privilege)
        TRIGGER             on db.* (if trigger but table not found)
        TRIGGER             on db.t (if trigger on t)
      
      Note: This is patch 1 of 3. Patch 2 implements elevation,
      patch 3 implements the options to skip precheck and turn
      elevation off.
     @ mysql-test/suite/backup/include/error_name_to_number.inc
        Added new error code for debug insertion testing.
     @ mysql-test/suite/backup/r/backup_errors_debug_3.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/t/backup_errors_debug_3.test
        Added test case for when db is not found in catalog.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing restore security prechecks.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected errors now that restore prechecking is complete.
     @ sql/backup/kernel.cc
        Added call to do object-level privilege checking.
     @ sql/backup/restore_info.h
        Added code to conduct privilege checking for all objects
        prior to executing restore. For tables, views, and triggers
        the check is object-level, for tablespace it is global-level,
        and for all other objects it is database-level.
        
        Moved RESTORE_ACL check to new method in kernel.cc so that
        it occurs prior to prechecking object-level privileges.
     @ sql/share/errmsg-utf8.txt
        New error messages.
     @ sql/share/errmsg.txt
        New error messages.
[11 Nov 2009 21:29] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/90167

2889 Chuck Bell	2009-11-11
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      The backup system must be changed to meet a decision to allow
      elevation of privileges for backup if the user has only the 
      BACKUP_ACL privilege and elevation of privileges for restore 
      if the user has the RESTORE_ACL and SUPER_ACL privileges.
      
      This patch implements the privilege elevation change for backup
      as well as privilege elevation for restore iff the user has both
      RESTORE and SUPER on all databases in the image. The restore
      will fall back to object-level privilege checking if this condition
      is not met.
      
      Note: This is patch 2 of 3. Patch 1 implements privilege checking,
      patch 3 implements the options to skip precheck and turn
      elevation off.
     @ mysql-test/suite/backup/r/backup_errors_debug_3.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/t/backup_errors_debug_3.test
        Must turn off this test case until we can turn off elevation
        because the debug insertion code is in the prechecking code.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        Added new test cases.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected error return codes.
     @ sql/backup/backup_info.cc
        Added privilege elevation for backup using security context
        method (similar to replication).
     @ sql/backup/kernel.cc
        Added methods to save and restore privileges prior to and
        after elevation.
        
        Added code to call the new check_restore_elevation() method.
        
        Added check to ensure elevation is OFF before doing prechecking.
     @ sql/backup/restore_info.h
        Added attributes for privilege checking.
        Added code to do restore elevation in the check_restore_elevation()
        method.
     @ sql/si_objects.cc
        Removed privilege elevation from si_objects code.
     @ sql/sql_class.cc
        Added methods to set, save, restore the access levels for turning off 
        elevation and preserving user context.
     @ sql/sql_class.h
        Added methods to set, save, and restore privilege access.
[13 Nov 2009 18:20] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/90387

2889 Chuck Bell	2009-11-13
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      There are three problems that have been identified for this bug.
      
      1) Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects. This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error. The object-level 
      privileges checked include the following.
        
        RESTORE,CREATE,DROP on db.*
        CREATE              on db.x (if table or view x)
        CREATE_TABLESPACE   on *.*  (if tablespace)
        SUPER               on *.*  (if view, stored routine, event or trigger)
        CREATE_PROC         on db.* (if stored routine)
        EVENT               on db.* (if event)
        GRANT               on db.* (if privilege)
        TRIGGER             on db.* (if trigger but table not found)
        TRIGGER             on db.t (if trigger on t)
      
      2) The backup system must be changed to permit the
      elevation of privileges for backup if the user has the 
      BACKUP_ACL privilege and elevation of privileges for restore 
      if the user has the RESTORE_ACL on all databases and the
      global SUPER_ACL privilege. This patch implements the privilege 
      elevation change for backup as well as privilege elevation for 
      restore. The restore will fall back to object-level privilege 
      checking if the conditions for restore are not met.
      
      3) The backup system must be changed to allow users to adjust the
      privilege behavior of MySQL Backup by allowing them 
      to turn off backup elevation, restore elevation, and restore
      prechecking using startup options and/or variables. This patch 
      implements startup options and variables to do the following:
      
      backup_elevation   
        ON  = turn on backup elevation
        OFF = turn off backup elevation
        Note: Default is ON
      
      restore_elevation 
        ON  = turn on restore elevation
        OFF = turn off restore elevation  
        Note: Default is ON
      
      restore_precheck   
        ON  = turn on restore precheck
        OFF = turn off restore precheck
        Note: Default is ON
     @ mysql-test/suite/backup/include/error_name_to_number.inc
        Added new error code for debug testing.
     @ mysql-test/suite/backup/r/backup_errors_debug_3.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security_options.result
        New test for testing startup options.
     @ mysql-test/suite/backup/r/backup_security_var.result
        New result file.
     @ mysql-test/suite/backup/t/backup_errors_debug_3.test
        Added new test cases for debug error testing of new errors.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing restore security prechecks.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected errors now that restore prechecking is complete.
     @ mysql-test/suite/backup/t/backup_security_options-master.opt
        Option file to disable all options.
     @ mysql-test/suite/backup/t/backup_security_options.test
        New test for testing startup options.
     @ mysql-test/suite/backup/t/backup_security_var.test
        New test for testing new variables.
     @ sql/backup/CMakeLists.txt
        Added new source file.
     @ sql/backup/Makefile.am
        Added new source file.
     @ sql/backup/backup_info.cc
        Added code for backup elevation.
     @ sql/backup/backup_kernel.h
        Added parameter for checking elevation.
     @ sql/backup/kernel.cc
        Added calls to save original privileges and elevate
        privileges if conditions are met.
        
        Included checks for options and variables to turn off
        prechecking, backup elevation, and restore elevation.
     @ sql/backup/restore_info.h
        Added parameter for controlling prechecking.
        Moved privilege checking to new prechecking method.
     @ sql/mysqld.cc
        Added startup options.
     @ sql/set_var.cc
        Added variable classes.
     @ sql/share/errmsg-utf8.txt
        New error messages.
     @ sql/share/errmsg.txt
        New error messages.
     @ sql/si_objects.cc
        Removed privilege elevation from si_objects code.
     @ sql/sql_class.cc
        Added variable classes.
     @ sql/sql_class.h
        Added variable declarations.
     @ sql/sql_parse.cc
        Added parameter for skipping prechecking.
[16 Nov 2009 14:12] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/90510

2889 Chuck Bell	2009-11-16
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      There are three problems that have been identified for this bug.
      
      1) Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects. This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error. The object-level 
      privileges checked include the following.
        
        RESTORE,CREATE,DROP on db.*
        CREATE              on db.x (if table or view x)
        CREATE_TABLESPACE   on *.*  (if tablespace)
        SUPER               on *.*  (if view, stored routine, event or trigger)
        CREATE_PROC         on db.* (if stored routine)
        EVENT               on db.* (if event)
        GRANT               on db.* (if privilege)
        TRIGGER             on db.* (if trigger but table not found)
        TRIGGER             on db.t (if trigger on t)
      
      2) The backup system must be changed to permit the
      elevation of privileges for backup if the user has the 
      BACKUP_ACL privilege and elevation of privileges for restore 
      if the user has the RESTORE_ACL on all databases and the
      global SUPER_ACL privilege. This patch implements the privilege 
      elevation change for backup as well as privilege elevation for 
      restore. The restore will fall back to object-level privilege 
      checking if the conditions for restore are not met.
      
      3) The backup system must be changed to allow users to adjust the
      privilege behavior of MySQL Backup by allowing them 
      to turn off backup elevation, restore elevation, and restore
      prechecking using startup options and/or variables. This patch 
      implements startup options and variables to do the following:
      
      backup_elevation   
        ON  = turn on backup elevation
        OFF = turn off backup elevation
        Note: Default is ON
      
      restore_elevation 
        ON  = turn on restore elevation
        OFF = turn off restore elevation  
        Note: Default is ON
      
      restore_precheck   
        ON  = turn on restore precheck
        OFF = turn off restore precheck
        Note: Default is ON
     @ mysql-test/suite/backup/include/error_name_to_number.inc
        Added new error code for debug testing.
     @ mysql-test/suite/backup/r/backup_errors_debug_3.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security_options.result
        New test for testing startup options.
     @ mysql-test/suite/backup/r/backup_security_var.result
        New result file.
     @ mysql-test/suite/backup/t/backup_errors_debug_3.test
        Added new test cases for debug error testing of new errors.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing restore security prechecks.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected errors now that restore prechecking is complete.
     @ mysql-test/suite/backup/t/backup_security_options-master.opt
        Option file to disable all options.
     @ mysql-test/suite/backup/t/backup_security_options.test
        New test for testing startup options.
     @ mysql-test/suite/backup/t/backup_security_var.test
        New test for testing new variables.
     @ sql/backup/CMakeLists.txt
        Added new source file.
     @ sql/backup/Makefile.am
        Added new source file.
     @ sql/backup/backup_info.cc
        Added code for backup elevation.
     @ sql/backup/backup_kernel.h
        Added parameter for checking elevation.
     @ sql/backup/kernel.cc
        Added calls to save original privileges and elevate
        privileges if conditions are met.
        
        Included checks for options and variables to turn off
        prechecking, backup elevation, and restore elevation.
     @ sql/backup/restore_info.cc
        New code file.
     @ sql/backup/restore_info.h
        Added parameter for controlling prechecking.
        Moved privilege checking to new prechecking method.
     @ sql/mysqld.cc
        Added startup options.
     @ sql/set_var.cc
        Added variable classes.
     @ sql/share/errmsg-utf8.txt
        New error messages.
     @ sql/share/errmsg.txt
        New error messages.
     @ sql/si_objects.cc
        Removed privilege elevation from si_objects code.
     @ sql/sql_class.cc
        Added variable classes.
     @ sql/sql_class.h
        Added variable declarations.
     @ sql/sql_parse.cc
        Added parameter for skipping prechecking.
[16 Nov 2009 21:37] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/90578

2891 Chuck Bell	2009-11-16 [merge]
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      
      There are three problems that have been identified for this bug.
      
      1) Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects. This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error. The object-level 
      privileges checked include the following.
      
        RESTORE,CREATE,DROP on db.*
        CREATE              on db.x (if table or view x)
        CREATE_TABLESPACE   on *.*  (if tablespace)
        SUPER               on *.*  (if view, stored routine, 
                                     event or trigger)
        CREATE_PROC         on db.* (if stored routine)
        EVENT               on db.* (if event)
        GRANT               on db.* (if privilege)
        TRIGGER             on db.* (if trigger but table not found)
        TRIGGER             on db.t (if trigger on t)
      
      2) The backup system must be changed to permit the
      elevation of privileges for backup if the user has the 
      BACKUP_ACL privilege and elevation of privileges for restore 
      if the user has the RESTORE_ACL on all databases and the
      global SUPER_ACL privilege. This patch implements the privilege 
      elevation change for backup as well as privilege elevation for 
      restore. The restore will fall back to object-level privilege 
      checking if the conditions for restore are not met.
      
      3) The backup system must be changed to allow users to adjust the
      privilege behavior of MySQL Backup by allowing them 
      to turn off backup elevation, restore elevation, and restore
      prechecking using startup options and/or variables. This patch 
      implements startup options and variables to do the following:
      
      backup_elevation   
        ON  = turn on backup elevation
        OFF = turn off backup elevation
        Note: Default is ON
      
      restore_elevation 
        ON  = turn on restore elevation
        OFF = turn off restore elevation  
        Note: Default is ON
      
      restore_precheck   
        ON  = turn on restore precheck
        OFF = turn off restore precheck
        Note: Default is ON
     @ mysql-test/suite/backup/include/error_name_to_number.inc
        Added new error code for debug testing.
     @ mysql-test/suite/backup/r/backup_errors_debug_3.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security_options.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security_var.result
        New result file.
     @ mysql-test/suite/backup/t/backup_errors_debug_3.test
        Added new test cases for debug error testing of new errors.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing restore security prechecks.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected errors now that restore prechecking is complete.
     @ mysql-test/suite/backup/t/backup_security_options-master.opt
        Option file to disable all options.
     @ mysql-test/suite/backup/t/backup_security_options.test
        New test for testing startup options.
     @ mysql-test/suite/backup/t/backup_security_var.test
        New test for testing new variables.
     @ sql/backup/CMakeLists.txt
        Added new source file.
     @ sql/backup/Makefile.am
        Added new source file.
     @ sql/backup/backup_info.cc
        Added code for backup elevation.
     @ sql/backup/kernel.cc
        Added calls to save original privileges and elevate
        privileges if conditions are met.
     @ sql/backup/restore_info.cc
        New code file.
        Implements prechecking method.
     @ sql/backup/restore_info.h
        Added attribute to determine if it is safe to elevate restore.
        Moved privilege checking to new prechecking method.
     @ sql/mysqld.cc
        Added startup options.
     @ sql/set_var.cc
        Added variable classes.
     @ sql/share/errmsg-utf8.txt
        New error messages.
     @ sql/share/errmsg.txt
        New error messages.
     @ sql/si_objects.cc
        Removed privilege elevation from si_objects code.
     @ sql/sql_class.cc
        Added variable classes.
     @ sql/sql_class.h
        Added variable declarations.
[17 Nov 2009 11:50] Rafal Somla
Approved pending minor fixes of the patch.
[20 Nov 2009 21:20] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/91170

2891 Chuck Bell	2009-11-20 [merge]
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      WL#5172 : MySQL Backup elevation options
      
      There are three problems that have been identified for this bug.
      
      1) Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects. This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error. The object-level 
      privileges checked include the following.
      
        RESTORE,CREATE,DROP on db.*
        CREATE              on db.x (if table or view x)
        CREATE_TABLESPACE   on *.*  (if tablespace)
        SUPER               on *.*  (if view, stored routine, 
                                     event or trigger)
        CREATE_PROC         on db.* (if stored routine)
        EVENT               on db.* (if event)
        GRANT               on db.* (if privilege)
        TRIGGER             on db.* (if trigger but table not found)
        TRIGGER             on db.t (if trigger on t)
      
      2) The backup system must be changed to permit the
      elevation of privileges for backup if the user has the 
      BACKUP_ACL privilege and elevation of privileges for restore 
      if the user has the RESTORE_ACL on all databases and the
      global SUPER_ACL privilege. This patch implements the privilege 
      elevation change for backup as well as privilege elevation for 
      restore. The restore will fall back to object-level privilege 
      checking if the conditions for restore are not met.
      
      3) The backup system must be changed to allow users to adjust the
      privilege behavior of MySQL Backup by allowing them 
      to turn off backup elevation, restore elevation, and restore
      prechecking using startup options and/or variables. This patch 
      implements startup options and global + session variables to do 
      the following:
      
      backup_elevation   
        ON  = turn on backup elevation
        OFF = turn off backup elevation
        Note: Default is ON
      
      restore_elevation 
        ON  = turn on restore elevation
        OFF = turn off restore elevation  
        Note: Default is ON
      
      restore_precheck   
        ON  = turn on restore precheck
        OFF = turn off restore precheck
        Note: Default is ON
     @ mysql-test/suite/backup/include/error_name_to_number.inc
        Added new error code for debug testing.
     @ mysql-test/suite/backup/r/backup_errors_debug_3.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security_options.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security_var.result
        New result file.
     @ mysql-test/suite/backup/t/backup_errors_debug_3.test
        Added new test cases for debug error testing of new errors.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing restore security prechecks.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected errors now that restore prechecking is complete.
     @ mysql-test/suite/backup/t/backup_security_options-master.opt
        Option file to disable all options.
     @ mysql-test/suite/backup/t/backup_security_options.test
        New test for testing startup options.
     @ mysql-test/suite/backup/t/backup_security_var.test
        New test for testing new variables.
     @ sql/backup/CMakeLists.txt
        Added new source file.
     @ sql/backup/Makefile.am
        Added new source file.
     @ sql/backup/backup_info.cc
        Added code for backup elevation.
     @ sql/backup/kernel.cc
        Added calls to save original privileges and elevate
        privileges if conditions are met.
     @ sql/backup/restore_info.cc
        New code file.
        Implements prechecking method.
     @ sql/backup/restore_info.h
        Added attribute to determine if it is safe to elevate restore.
        Moved privilege checking to new prechecking method.
     @ sql/mysqld.cc
        Added startup options.
     @ sql/set_var.cc
        Added variable classes.
     @ sql/share/errmsg-utf8.txt
        New error messages.
     @ sql/share/errmsg.txt
        New error messages.
     @ sql/si_objects.cc
        Removed privilege elevation from si_objects code.
     @ sql/sql_class.cc
        Added variable classes.
     @ sql/sql_class.h
        Added variable declarations.
[24 Nov 2009 18:51] Ingo Strüwing
Approved pending changes. Please see email. Expecting answers back.
[25 Nov 2009 22:24] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/91716

2891 Chuck Bell	2009-11-25 [merge]
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      WL#5172 : MySQL Backup elevation options
      
      There are three problems that have been identified for this bug.
      
      1) Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects. This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error. The object-level 
      privileges checked include the following.
      
        RESTORE,CREATE,DROP on db.*
        CREATE              on db.x (if table or view x)
        CREATE_TABLESPACE   on *.*  (if tablespace)
        SUPER               on *.*  (if view, stored routine, 
                                     event or trigger)
        CREATE_PROC         on db.* (if stored routine)
        EVENT               on db.* (if event)
        GRANT               on db.* (if privilege)
        TRIGGER             on db.* (if trigger but table not found)
        TRIGGER             on db.t (if trigger on t)
      
      2) The backup system must be changed to permit the
      elevation of privileges for backup if the user has the 
      BACKUP_ACL privilege and elevation of privileges for restore 
      if the user has the RESTORE_ACL on all databases and the
      global SUPER_ACL privilege. This patch implements the privilege 
      elevation change for backup as well as privilege elevation for 
      restore. The restore will fall back to object-level privilege 
      checking if the conditions for restore are not met.
      
      3) The backup system must be changed to allow users to adjust the
      privilege behavior of MySQL Backup by allowing them 
      to turn off backup elevation, restore elevation, and restore
      prechecking using startup options. It shall also permit the user
      to turn restore prechecking on or off via a variable. This patch 
      implements the following:
      
      backup_elevation - startup option, global read only variable   
        ON  = turn on backup elevation
        OFF = turn off backup elevation
        Note: Default is ON
      
      restore_elevation - startup option, global read only variable   
        ON  = turn on restore elevation
        OFF = turn off restore elevation  
        Note: Default is ON
      
      restore_precheck - startup option, global and session variable  
        ON  = turn on restore precheck
        OFF = turn off restore precheck
        Note: Default is ON
     @ mysql-test/suite/backup/include/error_name_to_number.inc
        Added new error code for debug testing.
     @ mysql-test/suite/backup/r/backup_errors_debug_3.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_restore_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security.result
        Corrected result file.
     @ mysql-test/suite/backup/r/backup_security_options.result
        New result file.
     @ mysql-test/suite/backup/r/backup_security_var.result
        New result file.
     @ mysql-test/suite/backup/t/backup_errors_debug_3.test
        Added new test cases for debug error testing of new errors.
     @ mysql-test/suite/backup/t/backup_restore_security-master.opt
        Option file to disable backup and restore elevation options.
     @ mysql-test/suite/backup/t/backup_restore_security.test
        New test for testing restore security prechecks.
     @ mysql-test/suite/backup/t/backup_security.test
        Corrected errors now that restore prechecking is complete.
     @ mysql-test/suite/backup/t/backup_security_options-master.opt
        Option file to disable all options.
     @ mysql-test/suite/backup/t/backup_security_options.test
        New test for testing startup options.
     @ mysql-test/suite/backup/t/backup_security_var.test
        New test for testing new variables.
     @ sql/backup/CMakeLists.txt
        Added new source file.
     @ sql/backup/Makefile.am
        Added new source file.
     @ sql/backup/api_types.h
        Added external declarations for compilation.
     @ sql/backup/backup_info.cc
        Added code for backup elevation.
     @ sql/backup/kernel.cc
        Added calls to save original privileges and elevate
        privileges if conditions are met.
     @ sql/backup/restore_info.cc
        New code file.
        Implements prechecking method.
     @ sql/backup/restore_info.h
        Added attribute to determine if it is safe to elevate restore.
        Moved privilege checking to new prechecking method.
     @ sql/mysqld.cc
        Added startup options.
     @ sql/set_var.cc
        Added variable classes.
     @ sql/share/errmsg-utf8.txt
        New error messages.
     @ sql/share/errmsg.txt
        New error messages.
     @ sql/si_objects.cc
        Removed privilege elevation from si_objects code.
     @ sql/sql_class.cc
        Added variable classes.
     @ sql/sql_class.h
        Added variable declarations.
[30 Nov 2009 15:14] Ingo Strüwing
Approved. Though I wish the copyright would be claimed for 2009, not 2008.
[21 Dec 2009 19:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/95304

3022 Chuck Bell	2009-12-21
      BUG#44787 : Backup: Check privileges before executing BACKUP/RESTORE
      WL#5172 : MySQL Backup elevation options
      
      There are three problems that have been identified for this bug.
      
      1) Restore can fail in the middle if the user does not have 
      sufficient privileges to create and populate all of the
      objects. This patch implements a privilege precheck step to check
      all objects for proper access. If any object fails the
      privilege check, restore halts with an error. The object-level 
      privileges checked include the following.
      
      RESTORE,CREATE,DROP on db.*
      CREATE              on db.x (if table or view x)
      CREATE_TABLESPACE   on *.*  (if tablespace)
      SUPER               on *.*  (if view, stored routine,
                                   event or trigger)
      CREATE_PROC         on db.* (if stored routine)
      EVENT               on db.* (if event)
      GRANT               on db.* (if privilege)
      TRIGGER             on db.* (if trigger but table not found)
      TRIGGER             on db.t (if trigger on t)
      
      2) The backup system must be changed to permit the
      elevation of privileges for backup if the user has the 
      BACKUP_ACL privilege and elevation of privileges for restore 
      if the user has the RESTORE_ACL on all databases and the
      global SUPER_ACL privilege. This patch implements the privilege 
      elevation change for backup as well as privilege elevation for 
      restore. The restore will fall back to object-level privilege 
      checking if the conditions for restore are not met.
      
      3) The backup system must be changed to allow users to adjust the
      privilege behavior of MySQL Backup by allowing them 
      to turn off backup elevation, restore elevation, and restore
      prechecking using startup options. It shall also permit the user
      to turn restore prechecking on or off via a variable. This patch 
      implements the following:
      
      backup_elevation - startup option, global read only variable   
      ON  = turn on backup elevation
      OFF = turn off backup elevation
      Note: Default is ON
      
      restore_elevation - startup option, global read only variable   
      ON  = turn on restore elevation
      OFF = turn off restore elevation  
      Note: Default is ON
      
      restore_precheck - startup option, global and session variable  
      ON  = turn on restore precheck
      OFF = turn off restore precheck
      Note: Default is ON
      
      original changeset: 2899 (from mysql-6.0-backup)
     @ sql/backup/restore_info.cc
        New code file.
        Implements prechecking method.
[20 Feb 2010 9:18] Bugs System
Pushed into 6.0.14-alpha (revid:ingo.struewing@sun.com-20100218152520-s4v1ld76bif06eqn) (version source revid:ingo.struewing@sun.com-20100119103538-wtp5alpz4p2jayl5) (merge vers: 6.0.14-alpha) (pib:16)
[21 Apr 2010 17:32] Paul Dubois
Noted in 6.0.14 changelog.

The BACKUP DATABASE statement could fail even if the user had all
privileges for backed-up objects. The RESTORE statement could fail in
the middle if the user did not have sufficient privileges to access
all objects in the backup image.

To deal with such problems, the privileges required for backup and
restore operations are established to be as follows: For BACKUP
DATABASE, the user must have the BACKUP privilege for each database
to back up. For RESTORE, the user must have the RESTORE privilege for
each database in the backup image. In addition, internal privilege
elevation is used to enable backup and restore to succeed even if
the user does not otherwise have privileges to access the objects in
the image. Privilege elevation is controlled by three new system
variables:

* backup_elevation: To use the BACKUP DATABASE statement, a user must
  have the BACKUP privilege for each database to be included in the
  backup image.
  Assuming that this is true, the backup_elevation variable determines
  whether privilege elevation occurs internally. If this variable is
  enabled (the default), privilege elevation occurs and enables the
  backup to succeed even if the user does not have the privileges
  required to access all objects in the backup image. If the variable
  is disabled, privilege elevation does not occur and an error occurs
  if the user does not have the privileges required to access all
  objects.

* restore_elevation: To use the RESTORE statement, a user must have the
  RESTORE privilege for each database in the backup image. Assuming
  that this is true, the restore_elevation variable determines, in
  conjunction with whether the user also has the SUPER privilege,
  whether privilege elevation occurs internally. If this variable is
  enabled (the default) and the user has SUPER, privilege elevation
  occurs and enables the restore to succeed even if the user does not
  have the privileges required to access all objects in the backup
  image. If the variable is disabled or the user does not have SUPER,
  privilege elevation does not occur and an error occurs if the user
  does not have the required privileges. In the absence of
  privilege elevation, the restore either performs privilege
  prechecking before attempting to restore objects or checks privileges
  for each object before restoring it. The restore_precheck variable
  determines whether prechecking occurs.

* restore_precheck: This variable determines whether privilege
  prechecking is used when the RESTORE statement does not use privilege
  elevation. (Elevation is not used if the restore_elevation variable
  is disabled or the user does not have the SUPER privilege.) When
  privilege elevation does not occur and restore_precheck is enabled
  (the default), the restore attempts to determine, before restoring
  any objects from the backup image, whether the user has all
  privileges required to access all the objects, and fails with an
  error if not. If restore_precheck is disabled, prechecking does not
  occur and the restore performs privilege checking for each object
  before restoring it. In this case, the restore operation could fail
  in the middle due to errors resulting from insufficient privileges.
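
The restore decision flow from the changelog note above, combined with the object-level privilege table from the commit message, as a small C++ model. This is an added example, not MySQL source code: every type and function name, the grant-string format and the `shop` sample are assumptions made here. With the same missing SUPER privilege, the precheck path fails before any object is written, while the per-object path stops after two objects.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Hypothetical model types; none of these names come from the MySQL source.
enum class Kind { Database, Table, View, Tablespace, Routine, Event, Trigger, Grant };
struct Obj { Kind kind; std::string db, name, table; };  // table: trigger target, "" if not found
struct Need { std::string priv, db, obj; };              // db "" means global scope (*.*)
typedef std::set<std::string> Grants;                    // entries such as "CREATE on shop.*"
enum class Mode { Elevated, Precheck, PerObject };
struct Result { Mode mode; bool ok; int restored; };     // restored: objects written before stopping

// Assumption: a grant on *.* covers db.*, and a grant on db.* covers db.obj.
static bool has(const Grants& g, const Need& n) {
  return g.count(n.priv + " on *.*") ||
         (!n.db.empty() && g.count(n.priv + " on " + n.db + ".*")) ||
         (!n.db.empty() && !n.obj.empty() && g.count(n.priv + " on " + n.db + "." + n.obj));
}

// Privileges one object requires, following the table in the commit message.
static std::vector<Need> needs(const Obj& o) {
  switch (o.kind) {
    case Kind::Database:   return {{"RESTORE", o.db, ""}, {"CREATE", o.db, ""}, {"DROP", o.db, ""}};
    case Kind::Table:      return {{"CREATE", o.db, o.name}};
    case Kind::View:       return {{"CREATE", o.db, o.name}, {"SUPER", "", ""}};
    case Kind::Tablespace: return {{"CREATE_TABLESPACE", "", ""}};
    case Kind::Routine:    return {{"CREATE_PROC", o.db, ""}, {"SUPER", "", ""}};
    case Kind::Event:      return {{"EVENT", o.db, ""}, {"SUPER", "", ""}};
    case Kind::Trigger:    return {{"TRIGGER", o.db, o.table}, {"SUPER", "", ""}};
    default:               return {{"GRANT", o.db, ""}};  // Kind::Grant
  }
}

// Pick the mode the changelog describes, then model how far the restore gets.
Result restore(bool restore_elevation, bool restore_precheck, const Grants& g,
               const std::vector<Obj>& image) {
  const int total = static_cast<int>(image.size());
  bool elevate = restore_elevation && has(g, {"SUPER", "", ""});
  int first_bad = total;  // index of the first object the user may not restore
  for (int i = 0; i < total; ++i) {
    if (image[i].kind == Kind::Database && !has(g, {"RESTORE", image[i].db, ""})) elevate = false;
    for (const Need& n : needs(image[i])) if (!has(g, n) && first_bad == total) first_bad = i;
  }
  if (elevate) return {Mode::Elevated, true, total};  // object-level checks are skipped
  const bool ok = (first_bad == total);
  if (restore_precheck) return {Mode::Precheck, ok, ok ? total : 0};  // fails before any write
  return {Mode::PerObject, ok, first_bad};  // can stop with the image half restored
}

int main() {
  // Constructed sample: RESTORE, CREATE and DROP on shop.*, but no SUPER for the view.
  const Grants g = {"RESTORE on shop.*", "CREATE on shop.*", "DROP on shop.*"};
  const std::vector<Obj> image = {{Kind::Database, "shop", "", ""},
      {Kind::Table, "shop", "orders", ""}, {Kind::View, "shop", "v_orders", ""}};
  const Result a = restore(true, true, g, image), b = restore(true, false, g, image);
  std::printf("precheck wrote %d objects, per-object wrote %d\n", a.restored, b.restored);
  return 0;
}
```

In the per-object case the two objects already written correspond to the state the original report describes: a recreated database with its tables but no view.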