Commit a529188e authored by Alexey Botchkov's avatar Alexey Botchkov

MDEV-17456 Malicious SUPER user can possibly change audit log configuration without leaving traces.

The 'SET server_audit_logging ' statements should be logged no matter
what.
parent cd26cdcd
...@@ -212,6 +212,8 @@ select 2; ...@@ -212,6 +212,8 @@ select 2;
2 2
2 2
drop table t1; drop table t1;
set global server_audit_logging= off;
set global server_audit_logging= on;
set global server_audit_events=''; set global server_audit_events='';
set global server_audit_query_log_limit= 15; set global server_audit_query_log_limit= 15;
select (1), (2), (3), (4); select (1), (2), (3), (4);
...@@ -378,6 +380,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'SET PASSWORD FOR u1=<secret>',ID ...@@ -378,6 +380,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'SET PASSWORD FOR u1=<secret>',ID
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY *****',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY *****',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'drop user u1, u2, u3',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'drop user u1, u2, u3',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'insert into t1 values (1), (2)',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'insert into t1 values (1), (2)',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_logging= off',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global serv',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global serv',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select (1), (2)',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select (1), (2)',0
......
...@@ -136,6 +136,9 @@ select * from t1; ...@@ -136,6 +136,9 @@ select * from t1;
select 2; select 2;
drop table t1; drop table t1;
set global server_audit_logging= off;
set global server_audit_logging= on;
set global server_audit_events=''; set global server_audit_events='';
set global server_audit_query_log_limit= 15; set global server_audit_query_log_limit= 15;
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
#define PLUGIN_VERSION 0x104 #define PLUGIN_VERSION 0x104
#define PLUGIN_STR_VERSION "1.4.4" #define PLUGIN_STR_VERSION "1.4.5"
#define _my_thread_var loc_thread_var #define _my_thread_var loc_thread_var
...@@ -1623,7 +1623,7 @@ static int log_statement_ex(const struct connection_info *cn, ...@@ -1623,7 +1623,7 @@ static int log_statement_ex(const struct connection_info *cn,
} }
if (query && !(events & EVENT_QUERY_ALL) && if (query && !(events & EVENT_QUERY_ALL) &&
(events & EVENT_QUERY)) (events & EVENT_QUERY && !cn->log_always))
{ {
const char *orig_query= query; const char *orig_query= query;
...@@ -2556,9 +2556,10 @@ static void log_current_query(MYSQL_THD thd) ...@@ -2556,9 +2556,10 @@ static void log_current_query(MYSQL_THD thd)
if (!ci_needs_setup(cn) && cn->query_length && if (!ci_needs_setup(cn) && cn->query_length &&
FILTER(EVENT_QUERY) && do_log_user(cn->user)) FILTER(EVENT_QUERY) && do_log_user(cn->user))
{ {
cn->log_always= 1;
log_statement_ex(cn, cn->query_time, thd_get_thread_id(thd), log_statement_ex(cn, cn->query_time, thd_get_thread_id(thd),
cn->query, cn->query_length, 0, "QUERY"); cn->query, cn->query_length, 0, "QUERY");
cn->log_always= 1; cn->log_always= 0;
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment