MDEV-17456 Malicious SUPER user can possibly change audit log configu…

…ration without leaving traces. Fix for the SET GLOBAL server_audit_loggin=on; added.
MariaDB · May 19, 2019 · d4e9a50 · d4e9a50
1 parent 395ce1d
commit d4e9a50
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/mysql-test/suite/plugins/r/server_audit.result b/mysql-test/suite/plugins/r/server_audit.result
@@ -271,6 +271,7 @@ TIME,HOSTNAME,root,localhost,ID,0,CONNECT,mysql,,0
 TIME,HOSTNAME,root,localhost,ID,0,DISCONNECT,mysql,,0
 TIME,HOSTNAME,no_such_user,localhost,ID,0,FAILED_CONNECT,,,ID
 TIME,HOSTNAME,no_such_user,localhost,ID,0,DISCONNECT,,,0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'set global server_audit_incl_users=\'odin, dva, tri\'',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'set global server_audit_incl_users=\'odin, root, dva, tri\'',0
 TIME,HOSTNAME,root,localhost,ID,ID,CREATE,test,t2,
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'create table t2 (id int)',0
@@ -381,6 +382,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY ***
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'drop user u1, u2, u3',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'insert into t1 values (1), (2)',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_logging= off',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_logging= on',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global serv',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select (1), (2)',0

diff --git a/plugin/server_audit/server_audit.c b/plugin/server_audit/server_audit.c
@@ -15,7 +15,7 @@
 
 
 #define PLUGIN_VERSION 0x104
-#define PLUGIN_STR_VERSION "1.4.5"
+#define PLUGIN_STR_VERSION "1.4.6"
 
 #define _my_thread_var loc_thread_var
 
@@ -2022,10 +2022,14 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
   update_connection_info(cn, event_class, ev, &after_action);
 
   if (!logging)
+  {
+    if (cn)
+      cn->log_always= 0;
     goto exit_func;
+  }
 
   if (event_class == MYSQL_AUDIT_GENERAL_CLASS && FILTER(EVENT_QUERY) &&
-      cn && do_log_user(cn->user))
+      cn && (cn->log_always || do_log_user(cn->user)))
   {
     const struct mysql_event_general *event =
       (const struct mysql_event_general *) ev;
@@ -2038,6 +2042,7 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
     {
       log_statement(cn, event, "QUERY");
       cn->query_length= 0; /* So the log_current_query() won't log this again. */
+      cn->log_always= 0;
     }
   }
   else if (event_class == MYSQL_AUDIT_TABLE_CLASS && FILTER(EVENT_TABLE) && cn)
@@ -2108,8 +2113,6 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
       break;
     }
   }
-  if (cn)
-    cn->log_always= 0;
   flogger_mutex_unlock(&lock_operations);
 }
 
@@ -2553,8 +2556,7 @@ static void log_current_query(MYSQL_THD thd)
   if (!thd)
     return;
   cn= get_loc_info(thd);
-  if (!ci_needs_setup(cn) && cn->query_length &&
-      FILTER(EVENT_QUERY) && do_log_user(cn->user))
+  if (!ci_needs_setup(cn) && cn->query_length)
   {
     cn->log_always= 1;
     log_statement_ex(cn, cn->query_time, thd_get_thread_id(thd),
@@ -2814,6 +2816,7 @@ static void update_logging(MYSQL_THD thd,
     {
       CLIENT_ERROR(1, "Logging was disabled.", MYF(ME_JUST_WARNING));
     }
+    mark_always_logged(thd);
   }
   else
   {