On Friday 19 January 2001 11:16, Andreas Steinmetz wrote:
>Referring to my post "instant slave crash (signal 11) on 'set password'" to
>[EMAIL PROTECTED]:
>
>The scenario is still valid for 3.23.31. This means that any valid mysql user
>can cause the replicating slaves to crash using the 'set password' command.
>
>So any valid user can even unintendedly cause a denial of service condition for
>the mysql slaves, as any valid user is allowed to use the 'set password'
>command to change his or her password.
>
>This is a real bad problem. Could somebody of the mysql team please look into
>this?
Fix:
===== sql_acl.cc 1.23 vs edited =====
--- 1.23/sql/sql_acl.cc Fri Oct 6 12:14:45 2000
+++ edited/sql_acl.cc Fri Jan 19 12:04:58 2001
@@ -781,8 +781,8 @@
length=(uint) strlen(new_password);
new_password[length & 16]=0;
- if (!thd || strcmp(thd->user,user) ||
- my_strcasecmp(host,thd->host ? thd->host : thd->ip))
+ if (!thd || (!thd->slave_thread && ( strcmp(thd->user,user) ||
+ my_strcasecmp(host,thd->host ? thd->host : thd->ip))))
{
if (check_access(thd, UPDATE_ACL, "mysql",0,1))
return 1;
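Review bot: The new !thd->slave_thread guard in the if condition skips not only the user/host comparison but also the check_access(thd, UPDATE_ACL, "mysql",0,1) call inside the block, so a slave thread applies every replicated password change with no privilege check of its own. If the intent is that the statement was already authorized on the master before it reached the slave, state that in a comment above the condition, because the bypass otherwise reads like an oversight. Separately, strcmp(thd->user,user) has no fallback for a null thd->user on non-slave threads, unlike the host side (thd->host ? thd->host : thd->ip), and the !thd arm still enters the block and hands that null thd to check_access; each needs an explicit guard or a comment saying why it cannot occur.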
I have now extended the rpl000001 test case to test this also.
--
MySQL Development Team
Sasha Pachev <[EMAIL PROTECTED]>
MySQL AB, http://www.mysql.com/
Provo, Utah, USA