[Bug 1396210] [NEW] Backporting the mysql_no_login plugin to 5.6

Norvald H. Ryeng norvald.ryeng at oracle.com
Tue Nov 25 15:42:56 UTC 2014


Public bug reported:

As agreed with Robie Basak (racb), I'm filing this request for
backporting a feature from 5.7 to the 5.6 stable branch so that it can
be considered by the SRU Team and returned as input to upstream.
Upstream is waiting for response from distros before deciding whether to
backport or not.


Background
==========

There's a new plugin in MySQL 5.7 that makes it possible to have
accounts that can't log in:
 
CREATE USER foo at localhost IDENTIFIED WITH 'mysql_no_login';
 
The mysql_no_login plugin simply denies all login attempts. This is
useful for users that are created, e.g., to serve as proxy users, or
as owners of stored programs/functions, views or events.
 
This new plugin doesn't fix known security defects in the server, but
does provide new and better means to harden security. Best practices
for security include application of least-required privileges, and in
some cases, that means no client connections for privileged
accounts. This new plugin provides means to implement such
restrictions in a standard way.
 
Because of the security benefits, upstream would proposes backporting
it to 5.6. This does not fall under the existing micro-release
exception for mysql-5.6, and so must be considered separately. In
consideration of the micro-release exception requirements, upstream
are interested in a decision for acceptance in an Ubuntu SRU before
making the change upstream, so that any change made, or not made, is
consistent across upstream, Ubuntu and any other distribution that
wish to follow suit.

We would like a +1 or a -1 from the SRU team (or Technical Board if
appropriate) on 1) backporting the plugin into the 5.6 source code,
and 2) for each of the options presented below.


Impact
======

If backported, the plugin would at least be available in the source
tarball. That doesn't mean it has to be distributed in Ubuntu:

 - A patch can be applied to remove the plugin from the source code
   before building (it's only a few lines of code).

 - Compilation of the plugin can be disabled.

 - It can be built but the resulting plugin binary can be left out of
   packages.

 - It can be built and packaged. The DBA still has to explicitly
   enable it and alter the user accounts to use it.


Proposed development fix
========================

Either 1) Build and package the plugin, or 2) allow the plugin in
source code, but don't package it (either by disabling it before
compilation or skipping the binary in packaging).

Fedora/Red Hat has +1'ed a backport:
http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/2014-October/007195.html


Proposed stable fix
===================

Same as development fix.


Regression potential
====================

Upstream considers the regression potential to be very low.
 
 - Since this is a plugin, it doesn't touch server code.

 - All new code is in a plugin that must be enabled explicitly by the
   DBA.

 - The code itself is very simple. It's only one line of "real" code
   (unconditionally return authentication failure), plus necessary
   plugin plumbing to fill out the plugin API.

** Affects: mysql-5.6 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1396210

Title:
  Backporting the mysql_no_login plugin to 5.6

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1396210/+subscriptions



More information about the Ubuntu-server-bugs mailing list