WL#12445 Improve Windows named pipe access control

Limit default permissions granted to Everyone on the named pipe,
introduce a new system variable/command line option
named_pipe_full_access_group
defaulted to 'everyone' to allow users of older clients to continue
to access the named pipe.

RB: rb#21000

Author: Daniel Blanchard

mysql-test/r/mysqld--help-win.result

@@ -371,6 +371,9 @@ The following options may be given as the first argument:
  NULLS_EQUAL (emulate 4.0 behavior), and NULLS_IGNORED
  --myisam-use-mmap   Use memory mapping for reading and writing MyISAM tables
  --named-pipe        Enable the named pipe (NT)
+ --named-pipe-full-access-group=name 
+ Name of Windows group granted full access to the named
+ pipe
  --net-buffer-length=# 
  Buffer length for TCP/IP and socket communication
  --net-read-timeout=# 
@@ -873,6 +876,7 @@ myisam-sort-buffer-size 8388608
 myisam-stats-method nulls_unequal
 myisam-use-mmap FALSE
 named-pipe FALSE
+named-pipe-full-access-group everyone
 net-buffer-length 16384
 net-read-timeout 30
 net-retry-count 10

mysql-test/suite/perfschema/include/binlog_common.inc

@@ -10,7 +10,8 @@ select count(*) > 0 from performance_schema.setup_instruments;
 # to ensure the expected output in the binlog is predictable.
 update performance_schema.setup_instruments set enabled='NO'
   where name like "wait/synch/rwlock/sql/%"
-  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock");
+  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+  "wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group");
 
 select count(*) > 0 from performance_schema.events_waits_current;
 
@@ -28,14 +29,16 @@ insert into test.t1
 insert into test.t2
   select name from performance_schema.setup_instruments
     where name like "wait/synch/rwlock/sql/%"
-    and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock");
+    and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+    "wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group");
 
 drop table test.t1;
 drop table test.t2;
 
 update performance_schema.setup_instruments set enabled='YES'
   where name like "wait/synch/rwlock/sql/%"
-  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock");
+  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+  "wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group");
 
 --source include/show_binlog_events.inc
 

mysql-test/suite/perfschema/r/binlog_mix.result

@@ -5,7 +5,8 @@ count(*) > 0
 1
 update performance_schema.setup_instruments set enabled='NO'
   where name like "wait/synch/rwlock/sql/%"
-  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock");
+  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+"wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group");
 select count(*) > 0 from performance_schema.events_waits_current;
 count(*) > 0
 1
@@ -18,12 +19,14 @@ select thread_id from performance_schema.events_waits_current;
 insert into test.t2
 select name from performance_schema.setup_instruments
 where name like "wait/synch/rwlock/sql/%"
-    and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock");
+    and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+"wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group");
 drop table test.t1;
 drop table test.t2;
 update performance_schema.setup_instruments set enabled='YES'
   where name like "wait/synch/rwlock/sql/%"
-  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock");
+  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+"wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group");
 show binlog events from <binlog_start>;
 Log_name	Pos	Event_type	Server_id	End_log_pos	Info
 master-bin.000001	#	Query	#	#	BEGIN

mysql-test/suite/perfschema/r/binlog_row.result

@@ -5,7 +5,8 @@ count(*) > 0
 1
 update performance_schema.setup_instruments set enabled='NO'
   where name like "wait/synch/rwlock/sql/%"
-  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock");
+  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+"wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group");
 select count(*) > 0 from performance_schema.events_waits_current;
 count(*) > 0
 1
@@ -18,12 +19,14 @@ select thread_id from performance_schema.events_waits_current;
 insert into test.t2
 select name from performance_schema.setup_instruments
 where name like "wait/synch/rwlock/sql/%"
-    and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock");
+    and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+"wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group");
 drop table test.t1;
 drop table test.t2;
 update performance_schema.setup_instruments set enabled='YES'
   where name like "wait/synch/rwlock/sql/%"
-  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock");
+  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+"wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group");
 show binlog events from <binlog_start>;
 Log_name	Pos	Event_type	Server_id	End_log_pos	Info
 master-bin.000001	#	Query	#	#	BEGIN

mysql-test/suite/perfschema/r/binlog_stmt.result

@@ -6,7 +6,8 @@ count(*) > 0
 1
 update performance_schema.setup_instruments set enabled='NO'
   where name like "wait/synch/rwlock/sql/%"
-  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock");
+  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+"wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group");
 Warnings:
 Note	1592	Unsafe statement written to the binary log using statement format since BINLOG_FORMAT = STATEMENT. The statement is unsafe because it uses the general log, slow query log, or performance_schema table(s). This is unsafe because system tables may differ on slaves.
 select count(*) > 0 from performance_schema.events_waits_current;
@@ -23,22 +24,25 @@ Note	1592	Unsafe statement written to the binary log using statement format sinc
 insert into test.t2
 select name from performance_schema.setup_instruments
 where name like "wait/synch/rwlock/sql/%"
-    and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock");
+    and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+"wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group");
 Warnings:
 Note	1592	Unsafe statement written to the binary log using statement format since BINLOG_FORMAT = STATEMENT. The statement is unsafe because it uses the general log, slow query log, or performance_schema table(s). This is unsafe because system tables may differ on slaves.
 drop table test.t1;
 drop table test.t2;
 update performance_schema.setup_instruments set enabled='YES'
   where name like "wait/synch/rwlock/sql/%"
-  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock");
+  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+"wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group");
 Warnings:
 Note	1592	Unsafe statement written to the binary log using statement format since BINLOG_FORMAT = STATEMENT. The statement is unsafe because it uses the general log, slow query log, or performance_schema table(s). This is unsafe because system tables may differ on slaves.
 show binlog events from <binlog_start>;
 Log_name	Pos	Event_type	Server_id	End_log_pos	Info
 master-bin.000001	#	Query	#	#	BEGIN
 master-bin.000001	#	Query	#	#	use `test`; update performance_schema.setup_instruments set enabled='NO'
   where name like "wait/synch/rwlock/sql/%"
-  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock")
+  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+"wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group")
 master-bin.000001	#	Query	#	#	COMMIT
 master-bin.000001	#	Query	#	#	use `test`; DROP TABLE IF EXISTS `t1` /* generated by server */
 master-bin.000001	#	Query	#	#	use `test`; DROP TABLE IF EXISTS `t2` /* generated by server */
@@ -52,12 +56,14 @@ master-bin.000001	#	Query	#	#	BEGIN
 master-bin.000001	#	Query	#	#	use `test`; insert into test.t2
 select name from performance_schema.setup_instruments
 where name like "wait/synch/rwlock/sql/%"
-    and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock")
+    and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+"wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group")
 master-bin.000001	#	Query	#	#	COMMIT
 master-bin.000001	#	Query	#	#	use `test`; DROP TABLE `t1` /* generated by server */
 master-bin.000001	#	Query	#	#	use `test`; DROP TABLE `t2` /* generated by server */
 master-bin.000001	#	Query	#	#	BEGIN
 master-bin.000001	#	Query	#	#	use `test`; update performance_schema.setup_instruments set enabled='YES'
   where name like "wait/synch/rwlock/sql/%"
-  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock")
+  and name not in ("wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock",
+"wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group")
 master-bin.000001	#	Query	#	#	COMMIT

mysql-test/suite/perfschema/r/dml_setup_instruments.result

@@ -16,7 +16,9 @@ wait/synch/mutex/sql/LOCK_crypt	YES	YES
 wait/synch/mutex/sql/LOCK_delayed_create	YES	YES
 select * from performance_schema.setup_instruments
 where name like 'Wait/Synch/Rwlock/sql/%'
-  and name not in ('wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock')
+  and name not in (
+'wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock',
+'wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group')
 order by name limit 10;
 NAME	ENABLED	TIMED
 wait/synch/rwlock/sql/LOCK_dboptions	YES	YES

mysql-test/suite/perfschema/t/dml_setup_instruments.test

@@ -25,7 +25,9 @@ select * from performance_schema.setup_instruments
 
 select * from performance_schema.setup_instruments
   where name like 'Wait/Synch/Rwlock/sql/%'
-  and name not in ('wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock')
+  and name not in (
+  'wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock',
+  'wait/synch/rwlock/sql/LOCK_named_pipe_full_access_group')
   order by name limit 10;
 
 # COND_handler_count is dependent on the build (Windows only)

mysql-test/suite/sys_vars/r/named_pipe_full_access_group_basic.result

@@ -0,0 +1,17 @@
+select @@global.named_pipe_full_access_group;
+@@global.named_pipe_full_access_group
+everyone
+select @@session.named_pipe_full_access_group;
+ERROR HY000: Variable 'named_pipe_full_access_group' is a GLOBAL variable
+show global variables like 'named_pipe_full_access_group';
+Variable_name	Value
+named_pipe_full_access_group	everyone
+show session variables like 'named_pipe_full_access_group';
+Variable_name	Value
+named_pipe_full_access_group	everyone
+select * from information_schema.global_variables where variable_name='named_pipe_full_access_group';
+VARIABLE_NAME	VARIABLE_VALUE
+NAMED_PIPE_FULL_ACCESS_GROUP	everyone
+select * from information_schema.session_variables where variable_name='named_pipe_full_access_group';
+VARIABLE_NAME	VARIABLE_VALUE
+NAMED_PIPE_FULL_ACCESS_GROUP	everyone

mysql-test/suite/sys_vars/t/named_pipe_full_access_group_basic.test

@@ -0,0 +1,15 @@
+--source include/windows.inc
+--source include/not_embedded.inc
+#
+# only global
+#
+select @@global.named_pipe_full_access_group;
+--error ER_INCORRECT_GLOBAL_LOCAL_VAR
+select @@session.named_pipe_full_access_group;
+show global variables like 'named_pipe_full_access_group';
+show session variables like 'named_pipe_full_access_group';
+--disable_warnings
+select * from information_schema.global_variables where variable_name='named_pipe_full_access_group';
+select * from information_schema.session_variables where variable_name='named_pipe_full_access_group';
+--enable_warnings
+

mysys/my_windac.c

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -214,6 +214,22 @@ void my_security_attr_free(SECURITY_ATTRIBUTES *sa)
   {
     My_security_attr *attr= (My_security_attr*)
                             (((char*)sa) + ALIGN_SIZE(sizeof(*sa)));
+
+    PACL dacl_from_descriptor= NULL;
+    BOOL dacl_present_in_descriptor= FALSE;
+    BOOL dacl_defaulted= FALSE;
+    // If the DACL in the descriptor is not the same as that in the
+    // My_security_attr, it will have been created by a call to SetEntriesInAcl
+    // and thus must be freed by a call to LocalFree.
+    if (GetSecurityDescriptorDacl(sa->lpSecurityDescriptor,
+      &dacl_present_in_descriptor,
+      &dacl_from_descriptor, &dacl_defaulted) &&
+      dacl_present_in_descriptor && !dacl_defaulted &&
+      attr->dacl != dacl_from_descriptor)
+    {
+      LocalFree(dacl_from_descriptor);
+    }
+
     FreeSid(attr->everyone_sid);
     my_free(attr->dacl);
     my_free(sa);

sql-common/client.c

@@ -429,12 +429,13 @@ HANDLE create_named_pipe(MYSQL *mysql, uint connect_timeout, char **arg_host,
   for (i=0 ; i < 100 ; i++)			/* Don't retry forever */
   {
     if ((hPipe = CreateFile(pipe_name,
-			    GENERIC_READ | GENERIC_WRITE,
-			    0,
-			    NULL,
-			    OPEN_EXISTING,
-			    FILE_FLAG_OVERLAPPED,
-			    NULL )) != INVALID_HANDLE_VALUE)
+                            FILE_READ_ATTRIBUTES | FILE_READ_DATA |
+                              FILE_WRITE_ATTRIBUTES | FILE_WRITE_DATA,
+                            0,
+                            NULL,
+                            OPEN_EXISTING,
+                            FILE_FLAG_OVERLAPPED,
+                            NULL )) != INVALID_HANDLE_VALUE)
       break;
     if (GetLastError() != ERROR_PIPE_BUSY)
     {

sql/CMakeLists.txt

@@ -82,6 +82,11 @@ SET (SQL_SOURCE
                ${CONF_SOURCES}
                ${MYSYS_LIBWRAP_SOURCE})
 
+IF(WIN32)
+  LIST(APPEND SQL_SOURCE named_pipe.cc)
+ENDIF()
+
+
 # These files have unused result errors, so we skip Werror
 CHECK_C_COMPILER_FLAG("-Werror" HAVE_WERROR_FLAG)
 IF(HAVE_WERROR_FLAG)