Bug#31430086: USER CAN ESCALATE PRIVILEGES USING SET PASSWORD COMMAND TO DROP ALL PARTIAL REVOKES

harinvadodaria · dahlerlend · commit a57c62e6f5dd · 2020-06-10T08:47:33.000+02:00
Description: A subclass of ACL DDLs can potentially update
             in-memory structures that manages partial
             revokes in incorrect manner.

Fix: In-memory updates for partial revokes structures
     should be conditional. Only when partial revokes
     are truely updated, these structures need updates.
     This patch also covers fix for an issue in
     RENAME USER when partial revokes are present.

RB: 24567
diff --git a/sql/auth/sql_auth_cache.cc b/sql/auth/sql_auth_cache.cc
@@ -2677,6 +2677,11 @@ void acl_update_user(const char *user, const char *host, enum SSL_type ssl_type,
                    ("Updates global privilege for %s@%s to %lu", acl_user->user,
                     acl_user->host.get_host(), privileges));
         acl_user->access = privileges;
+        if (what_to_update.m_what & USER_ATTRIBUTES &&
+            (what_to_update.m_user_attributes &
+             acl_table::USER_ATTRIBUTE_RESTRICTIONS))
+          acl_restrictions->upsert_restrictions(acl_user, restrictions);
+
         if (mqh->specified_limits & USER_RESOURCES::QUERIES_PER_HOUR)
           acl_user->user_resource.questions = mqh->questions;
         if (mqh->specified_limits & USER_RESOURCES::UPDATES_PER_HOUR)
@@ -2757,7 +2762,6 @@ void acl_update_user(const char *user, const char *host, enum SSL_type ssl_type,
           acl_user->password_require_current =
               password_life.update_password_require_current;
         }
-        acl_restrictions->upsert_restrictions(acl_user, restrictions);
 
         /* search complete: */
         break;
diff --git a/sql/auth/sql_user.cc b/sql/auth/sql_user.cc
@@ -1754,8 +1754,11 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
            */
           idx--;
         } else if (user_to) {
+          auto restrictions = acl_restrictions->find_restrictions(acl_user);
+          acl_restrictions->remove_restrictions(acl_user);
           acl_user->set_user(&global_acl_memory, user_to->user.str);
           acl_user->set_host(&global_acl_memory, user_to->host.str);
+          acl_restrictions->upsert_restrictions(acl_user, restrictions);
 
           rebuild_cached_acl_users_for_name();
         } else {
