| Bug #81591 | Audit Log Filtering user is compared against USER() not CURRENT_USER() | ||
|---|---|---|---|
| Submitted: | 25 May 2016 10:19 | Modified: | 20 Jun 2016 18:24 |
| Reporter: | Marek Szymczak | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Security: Audit | Severity: | S3 (Non-critical) |
| Version: | 5.7.12 | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
[20 Jun 2016 18:23]
Paul DuBois
Posted by developer: Noted in 5.6.32, 5.7.14 changelogs. Audit log filtering against the user was performing comparisons against USER(), not CURRENT_USER().
[20 Jun 2016 18:24]
Paul DuBois
Posted by developer: Noted in 5.6.32, 5.7.14 changelogs. Audit log filtering against the user was performing comparisons against USER(), not CURRENT_USER().
[22 Jun 2016 13:04]
Paul DuBois
Posted by developer: Correction: Push to 5.6.32 is a partial patch only. Noted only in 5.7.14 changelog.

Description:
Audit log filtering user matching is made on USER() data, not CURRENT_USER(), which represents the account user/host. Additionally, on connect failure, priv_user and priv_host do not carry the failed account user/host data.

How to repeat:
```
mysql> CREATE USER 'audit_log_user';
mysql> GRANT ALL ON *.* TO 'audit_log_user';
mysql> SELECT audit_log_filter_set_filter('all_enabled', '{ "filter": { "log": true } }') AS 'Result';
mysql> SELECT audit_log_filter_set_user('audit_log_user@%', 'all_enabled') AS 'Result';
```

Suggested fix:
Account user/host should be taken from priv_user and priv_host.
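
A simplified model of the mismatch this report describes, added here as an illustration and not taken from the MySQL source. It assumes the filter is looked up by exact account-name string with a fallback to the default `%` account; `Session`, `ASSIGNMENTS` and the client host `10.0.0.5` are constructed names and values.

```python
"""Simplified model (constructed, not MySQL source) of audit-filter lookup."""
from dataclasses import dataclass
from typing import Optional

# Filter assignments as stored by audit_log_filter_set_user() in the report's
# repro: keyed by account name (user@host pattern), not by client address.
ASSIGNMENTS = {"audit_log_user@%": "all_enabled"}


@dataclass
class Session:
    user: str        # user name the client sent
    host: str        # host the client connected from
    priv_user: str   # account user the server authenticated against
    priv_host: str   # account host pattern that matched

    def user_fn(self) -> str:          # value USER() reports
        return f"{self.user}@{self.host}"

    def current_user_fn(self) -> str:  # value CURRENT_USER() reports
        return f"{self.priv_user}@{self.priv_host}"


def filter_before_fix(s: Session) -> Optional[str]:
    """Lookup keyed on USER(): the client host never equals the '%' pattern."""
    return ASSIGNMENTS.get(s.user_fn(), ASSIGNMENTS.get("%"))


def filter_after_fix(s: Session) -> Optional[str]:
    """Lookup keyed on priv_user@priv_host, i.e. CURRENT_USER()."""
    return ASSIGNMENTS.get(s.current_user_fn(), ASSIGNMENTS.get("%"))


# Constructed sample session: 'audit_log_user' connecting from 10.0.0.5.
SAMPLE = Session("audit_log_user", "10.0.0.5", "audit_log_user", "%")

if __name__ == "__main__":
    print("USER()         =", SAMPLE.user_fn(), "->", filter_before_fix(SAMPLE))
    print("CURRENT_USER() =", SAMPLE.current_user_fn(), "->", filter_after_fix(SAMPLE))
```

In this model the `all_enabled` filter is never selected for the session when the lookup key is the USER() value, so the account's activity falls under whatever the default `%` assignment is, or under none.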