Fix confirmed.
Thanks for the fast response!

On 19-Jan-2001 Sasha Pachev wrote:
> On Friday 19 January 2001 11:16, Andreas Steinmetz wrote:
>>Referring to my post "instant slave crash (signal 11) on 'set password'" to
>>[EMAIL PROTECTED]:
>>
>>The scenario is still valid for 3.23.31. This means that any valid mysql user
>>can cause the replicating slaves to crash using the 'set password' command.
>>
>>So any valid user can even unintendedly cause a denial of service condition for
>>the mysql slaves, as any valid user is allowed to use the 'set password'
>>command to change his or her password.
>>
>>This is a real bad problem. Could somebody of the mysql team please look into
>>this?
> 
> Fix:
> 
> ===== sql_acl.cc 1.23 vs edited =====
> --- 1.23/sql/sql_acl.cc Fri Oct  6 12:14:45 2000
> +++ edited/sql_acl.cc   Fri Jan 19 12:04:58 2001
> @@ -781,8 +781,8 @@
>    length=(uint) strlen(new_password);
>    new_password[length & 16]=0;
>  
> -  if (!thd || strcmp(thd->user,user) ||
> -      my_strcasecmp(host,thd->host ? thd->host : thd->ip))
> +  if (!thd || (!thd->slave_thread && ( strcmp(thd->user,user) ||
> +              my_strcasecmp(host,thd->host ? thd->host : thd->ip))))
>    {
>      if (check_access(thd, UPDATE_ACL, "mysql",0,1))
>        return 1;                                                             
>                  
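Review bot: the `!thd->slave_thread &&` term in the rewritten condition means a slave thread never reaches `check_access(thd, UPDATE_ACL, "mysql",0,1)`, so every password change it replays, for any user and host, is applied without a privilege check on this side. If that is intended because the statement was already authorized where it was first executed, a comment above the `if` should say so, so the bypass is not later mistaken for an oversight or widened by accident. Separately, the `!thd` case still falls into the block and passes a null `thd` to `check_access`; it is worth documenting whether that path can occur and what `check_access` does with it.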
> 
> I have now extended rpl000001 test case to test this also.
> 
> -- 
> MySQL Development Team
>    __  ___     ___ ____  __ 
>   /  |/  /_ __/ __/ __ \/ /   Sasha Pachev <[EMAIL PROTECTED]>
>  / /|_/ / // /\ \/ /_/ / /__  MySQL AB, http://www.mysql.com/
> /_/  /_/\_, /___/\___\_\___/  Provo, Utah, USA
>        <___/                  
> 

Andreas Steinmetz
D.O.M. Datenverarbeitung GmbH
