Bug #45606 | ACL requires IPv4-mapped addresses to be used | ||
---|---|---|---|
Submitted: | 19 Jun 2009 10:10 | Modified: | 7 Mar 2010 2:15 |
Reporter: | Alexander Nozdrin | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: General | Severity: | S3 (Non-critical) |
Version: | 5.4 | OS: | Any |
Assigned to: | Alexander Nozdrin | CPU Architecture: | Any |
[19 Jun 2009 10:10]
Alexander Nozdrin
[30 Jun 2009 16:11]
Format Dynamics
I would also like to report the same behavior in Cluster 7.0.6. There is also an additional problem with skip-resolve-names on. It seems that with this on, even the mapped addresses don't work as MySQL says it needs resolution turned on for mapped addresses to work. This seems incorrect behavior.

--- ON SERVER

```
# mysql -h localhost -P 3307 -p mysql
Server version: 5.1.34-ndb-7.0.6-cluster-gpl-log MySQL Cluster Server (GPL)

mysql> GRANT ALL ON mysql.* TO test@'::ffff:10.10.10.16';
Query OK, 0 rows affected, 1 warning (0.02 sec)

mysql> show warnings;
+---------+------+--------------------------------------------------------------------------------------------------------------+
| Level   | Code | Message                                                                                                      |
+---------+------+--------------------------------------------------------------------------------------------------------------+
| Warning | 1285 | MySQL is started in --skip-name-resolve mode; you must restart it without this switch for this grant to work |
+---------+------+--------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.03 sec)

mysql> select user,host from user where user='test';
+------+--------------------+
| user | host               |
+------+--------------------+
| test | ::ffff:10.10.10.16 |
+------+--------------------+
1 row in set (0.00 sec)
```

--- ON CLIENT

```
# mysql -h 10.10.10.17 -P 3307 -u test mysql
ERROR 1045 (28000): Access denied for user 'test'@'::ffff:10.10.10.16' (using password: NO)
```

This works though:

```
mysql> GRANT ALL ON mysql.* TO test@'%10.10.10.16';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

# mysql -h 10.10.10.17 -P 3307 -u test mysql
mysql>
```

Thanx,
-Tony
[1 Jul 2009 10:56]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version.

You can access the patch from: http://lists.mysql.com/commits/77641

2805 Alexander Nozdrin 2009-07-01

A patch for Bug#45606 (ACL requires IPv4-mapped addresses to be used).

The problem is that if IPv6 is available, getpeername() returns all addresses in IPv6 form (IPv4 addresses are returned as IPv4-mapped). The server uses the IP string returned by getpeername() to authorize connected clients. So, if ACL contains an ordinary IPv4 address, it will not be matched, because it is compared against IPv4-mapped address.

The fix is to use ordinary IPv4 address if IPv4-mapped address is detected.
[2 Jul 2009 19:11]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version.

You can access the patch from: http://lists.mysql.com/commits/77822

2805 Alexander Nozdrin 2009-07-02

A patch for Bug#45606 (ACL requires IPv4-mapped addresses to be used).

The problem is that if IPv6 is available, getpeername() returns all addresses in IPv6 form (IPv4 addresses are returned as IPv4-mapped). The server uses the IP string returned by getpeername() to authorize connected clients. So, if ACL contains an ordinary IPv4 address, it will not be matched, because it is compared against IPv4-mapped address.

The fix is to use ordinary IPv4 address if IPv4-mapped address is detected.
[28 Jul 2009 15:52]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version.

You can access the patch from: http://lists.mysql.com/commits/79430

2805 Alexander Nozdrin 2009-07-28

A patch for Bug#45606 (ACL requires IPv4-mapped addresses to be used).

The problem is that if IPv6 is available, getpeername() returns all addresses in IPv6 form (IPv4 addresses are returned as IPv4-mapped). The server uses the IP string returned by getpeername() to authorize connected clients. So, if ACL contains an ordinary IPv4 address, it will not be matched, because it is compared against IPv4-mapped address.

The fix is to use ordinary IPv4 address if IPv4-mapped address is detected.
[5 Aug 2009 16:02]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version.

You can access the patch from: http://lists.mysql.com/commits/80182

2804 Alexander Nozdrin 2009-08-05

A patch for Bug#45606 (ACL requires IPv4-mapped addresses to be used).

The problem is that if IPv6 is available, getpeername() returns all addresses in IPv6 form (IPv4 addresses are returned as IPv4-mapped). The server uses the IP string returned by getpeername() to authorize connected clients. So, if ACL contains an ordinary IPv4 address, it will not be matched, because it is compared against IPv4-mapped address.

The fix is to use ordinary IPv4 addresses for IPv4-mapped or IPv4-compatible IPv6 addresses.

A new build option has been also added to configure.in: --disable-ipv6. If this option is specified, all IPv6-specific code will be compiled out from the server.

NOTE: if this option is misused, it may break the server: in IPv6-enabled environments, getnameinfo() will still return IPv6 addresses, but the server will not be able to handle that.

@ configure.in
HAVE_STRUCT_IN6_ADDR will be defined when IPv6 is supported.
[5 Aug 2009 17:40]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version.

You can access the patch from: http://lists.mysql.com/commits/80197

2843 Alexander Nozdrin 2009-08-05

A patch for Bug#45606 (ACL requires IPv4-mapped addresses to be used).

The problem is that if IPv6 is available, getpeername() returns all addresses in IPv6 form (IPv4 addresses are returned as IPv4-mapped). The server uses the IP string returned by getpeername() to authorize connected clients. So, if ACL contains an ordinary IPv4 address, it will not be matched, because it is compared against IPv4-mapped address.

The fix is to use ordinary IPv4 addresses for IPv4-mapped or IPv4-compatible IPv6 addresses.

A new build option has been also added to configure.in: --disable-ipv6. If this option is specified, all IPv6-specific code will be compiled out from the server.

NOTE: if this option is misused, it may break the server: in IPv6-enabled environments, getnameinfo() will still return IPv6 addresses, but the server will not be able to handle that.
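The normalization the commit message describes, as an added example that is not part of the bug report and is not MySQL's code: an IPv4-mapped or IPv4-compatible peer address is reduced to plain IPv4 before the string comparison against the ACL host. The names `peer_ip_for_acl` and `acl_host_matches` are hypothetical; the addresses are the ones from the report above.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper, not MySQL's code: write the peer IP in the form an ACL
   host entry is compared against. Returns 0 on success, -1 on failure. */
int peer_ip_for_acl(const struct sockaddr *sa, char *out, socklen_t outlen)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *a4 = (const struct sockaddr_in *)sa;
        return inet_ntop(AF_INET, &a4->sin_addr, out, outlen) ? 0 : -1;
    }
    if (sa->sa_family != AF_INET6)
        return -1;
    const struct in6_addr *ip6 = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    /* ::ffff:a.b.c.d (mapped) and ::a.b.c.d (compatible) both carry the IPv4
       address in the last four bytes; report it as plain IPv4. */
    if (IN6_IS_ADDR_V4MAPPED(ip6) || IN6_IS_ADDR_V4COMPAT(ip6)) {
        struct in_addr ip4;
        memcpy(&ip4, &ip6->s6_addr[12], sizeof ip4);
        return inet_ntop(AF_INET, &ip4, out, outlen) ? 0 : -1;
    }
    return inet_ntop(AF_INET6, ip6, out, outlen) ? 0 : -1;
}

/* Demo driver: build the sockaddr getpeername() would have filled in for
   peer_text, normalize it, and compare with an ACL host string. */
int acl_host_matches(const char *peer_text, const char *acl_host)
{
    union { struct sockaddr sa; struct sockaddr_in v4; struct sockaddr_in6 v6; } u;
    char ip[INET6_ADDRSTRLEN];
    memset(&u, 0, sizeof u);
    if (inet_pton(AF_INET6, peer_text, &u.v6.sin6_addr) == 1)
        u.v6.sin6_family = AF_INET6;
    else if (inet_pton(AF_INET, peer_text, &u.v4.sin_addr) == 1)
        u.v4.sin_family = AF_INET;
    else
        return 0;
    return peer_ip_for_acl(&u.sa, ip, sizeof ip) == 0 && strcmp(ip, acl_host) == 0;
}

int main(void)
{
    /* Constructed check using the client address from the report. */
    printf("%d\n", acl_host_matches("::ffff:10.10.10.16", "10.10.10.16"));
    return 0;
}
```

Native IPv6 peers, including `::1`, pass through unchanged, so ACL entries written in IPv6 form still match them.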
[5 Aug 2009 17:58]
Alexander Nozdrin
Patch queued into azalea-bugfixing.
[24 Aug 2009 13:53]
Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090824135126-2rngffvth14a8bpj) (version source revid:alik@sun.com-20090805173937-fcv1fdveodq5x9gb) (merge vers: 5.4.4-alpha) (pib:11)
[28 Aug 2009 13:28]
Jon Stephens
Documented bugfix in the 5.4.4 and NDB-7.0.7 changelogs as follows:

For an IPv6-enabled MySQL server, privileges specified using standard IPv4 addresses for hosts were not matched (only IPv4-mapped addresses were handled correctly).

As part of the fix for this bug, a new build option --disable-ipv6 has been introduced. Compiling MySQL with this option causes all IPv6-specific code in the server to be ignored.

IMPORTANT: If the server is compiled using --disable-ipv6, it is not able to resolve hostnames correctly when run in an IPv6 environment.

Closed.
[9 Oct 2009 23:19]
Paul DuBois
Noted in 6.0.14 changelog.
[3 Dec 2009 9:09]
Bugs System
Pushed into 5.6.0-beta (revid:alik@sun.com-20091202160026-699xnqx8c6a6t2lk) (version source revid:alik@sun.com-20091125105323-j82ts9ns936i45vv) (merge vers: 5.6.0-beta) (pib:13)
[3 Dec 2009 9:10]
Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091202161413-u81nw1foglcu7nao) (version source revid:alik@sun.com-20091125105553-vvedtv1bpmugb1nj) (merge vers: 6.0.14-alpha) (pib:13)
[3 Dec 2009 20:46]
Paul DuBois
Noted in 5.6.0 changelog. Already fixed in 6.0.x.
[6 Mar 2010 10:59]
Bugs System
Pushed into 5.5.3-m3 (revid:alik@sun.com-20100306103849-hha31z2enhh7jwt3) (version source revid:wlad@sol-20091204200504-9d3d3b6ad75ijkqo) (merge vers: 5.6.0-beta) (pib:16)
[7 Mar 2010 2:15]
Paul DuBois
Moved 5.6.0 changelog entry to 5.5.3.