Viewing file:  mysqlaccess (108.18 KB) -rwxr-xr-x
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
#!/usr/bin/perl
# ****************************
package MySQLaccess;
#use strict;
use File::Temp qw(tempfile tmpnam);
use Fcntl;
BEGIN {
# ****************************
# static information...
$VERSION = "2.06, 20 Dec 2000";
$0 =~ m%/([^/]+)$%o;
$script = $1;
$script = 'MySQLAccess' unless $script;
$script_conf = "$script.conf";
$script_log = $ENV{'HOME'}."/$script.log";
# ****************************
# information on MySQL
$MYSQL = '/usr/bin/mysql'; # path to mysql executable
$SERVER = '3.21';
$MYSQL_OPT = ' --batch --unbuffered';
$ACCESS_DB = 'mysql'; # name of DB with grant-tables
$ACCESS_H = 'host'; #
$ACCESS_U = 'user'; #
$ACCESS_D = 'db'; #
# Add/Edit privileges
$ACCESS_H_TMP = 'host_tmp';
$ACCESS_U_TMP = 'user_tmp';
$ACCESS_D_TMP = 'db_tmp';
$ACCESS_H_BCK = 'host_backup';
$ACCESS_U_BCK = 'user_backup';
$ACCESS_D_BCK = 'db_backup';
$DIFF = '/usr/bin/diff';
$MYSQLDUMP = '/usr/bin/mysqldump';
#path to mysqldump executable
$MYSQLADMIN= 'http://foobar.com/MySQLadmin';
#URL of CGI for manipulating
#the temporary grant-tables
}
END {
unlink $MYSQL_CNF if defined $MYSQL_CNF and not $DEBUG;
}
$INFO = <<"_INFO";
--------------------------------------------------------------------------
mysqlaccess (Version $VERSION)
~~~~~~~~~~~
Copyright (C) 1997,1998 Yves.Carlier\@rug.ac.be
University of Ghent (RUG), Belgium
Administratieve Informatieverwerking (AIV)
report the access-privileges for a USER from a HOST to a DB
Many thanks go to and
for their suggestions, debugging and patches.
use `$script -?' to get more information on available options.
From version 2.0x, $script can also be used through a WEB-browser
if it is ran as a CGI-script. (See the release-notes)
--------------------------------------------------------------------------
_INFO
$OPTIONS = <<_OPTIONS;
Usage: $script [host [user [db]]] OPTIONS
-?, --help display this helpscreen and exit
-v, --version print information on the program `$script'
-u, --user=# username for logging in to the db
-p, --password=# validate password for user
-h, --host=# name or IP-number of the host
-d, --db=# name of the database
-U, --superuser=# connect as superuser
-P, --spassword=# password for superuser
-H, --rhost=# remote MySQL-server to connect to
--old_server connect to old MySQL-server (before v3.21) which
does not yet know how to handle full where clauses.
-b, --brief single-line tabular report
-t, --table report in table-format
--relnotes print release-notes
--plan print suggestions/ideas for future releases
--howto some examples of how to run `$script'
--debug=N enter debuglevel N (0..3)
--copy reload temporary grant-tables from original ones
--preview show differences in privileges after making
changes in (temporary) grant-tables
--commit copy grant-rules from temporary tables to grant-tables
(!don't forget to do an mysqladmin reload)
--rollback undo the last changes to the grant-tables.
Note:
+ At least the user and the db must be given (even with wildcards)
+ If no host is given, `localhost' is assumed
+ Wilcards (*,?,%,_) are allowed for host, user and db, but be sure
to escape them from your shell!! (ie type \\* or '*')
_OPTIONS
$RELEASE = <<'_RELEASE';
Release Notes:
-------------
0.1-beta1: internal
- first trial.
0.1-beta2: (1997-02-27)
- complete rewrite of the granting-rules, based on the documentation
found in de FAQ.
- IP-number and name for a host are equiv.
0.1-beta3: (1997-03-10)
- more information
- 'localhost' and the name/ip of the local machine are now equiv.
0.1-beta4: (1997-03-11)
- inform the user if he has not enough priv. to read the mysql db
1.0-beta1: (1997-03-12)
suggestions by Monty:
- connect as superuser with superpassword.
- mysqlaccess could also notice if all tables are empty. This means
that all user have full access!
- It would be nice if one could optionally start mysqlaccess without
any options just the arguments 'user db' or 'host user db', where
host is 'localhost' if one uses only two arguments.
1.0-beta2: (1997-03-14)
- bugfix: translation to reg.expr of \_ and \%.
- bugfix: error in matching regular expression and string given
by user which resulted in
'test_123' being matched with 'test'
1.0-beta3: (1997-03-14)
- bugfix: the user-field should not be treated as a sql-regexpr,
but as a plain string.
- bugfix: the host-table should not be used if the host isn't empty in db
or if the host isn't emty in user
(Monty)
1.0-beta4: (1997-03-14)
- bugfix: in an expression "$i = $j or $k", the '=' binds tighter than the or
which results in problems...
(by Monty)
- running mysqlaccess with "perl -w" gives less warnings... ;-)
1.0-beta5: (1997-04-04)
- bugfix: The table sorting was only being applied to the "user" table; all
the tables need to be sorted. Rewrote the sort algorithm, and
the table walk algorithm (no temp file anymore), and various
other cleanups. I believe the access calculation is 100% correct.
(by Paul D. Smith )
- Allow the debug level to be set on the cmd line with --debug=N.
(by Paul D. Smith )
- More -w cleanups; should be totally -w-clean.
(by Paul D. Smith )
1.1-beta1: (1997-04-xx)
1.1-beta2: (1997-04-11)
- new options:
--all_users : report access-rights for all possible users
--all_dbs : report access-rights for all possible dbs
--all_hosts : report access-rights for all possible hosts
--brief : as brief as possible, don't mention notes,warnings and rules
--password : validate password for user
- layout: long messages are wrapped on the report.
- functionality:
more descriptive notes and warnings
wildcards (*,?) are allowed in the user,host and db options
setting xxxx=* is equiv to using option --all_xxxx
note: make sure you escape your wildcards, so they don't get
interpreted by the shell. use \* or '*'
- bugfix: Fieldnames which should be skipped on the output can now have
a first capital letter.
- bugfix: any option with a '.' (eg ip-number) was interpreted as
a wildcard-expression.
- bugfix: When no entry was found in the db-table, the default accessrights are
N, instead of the faulty Y in a previous version.
1.1-beta-3 : (1997-04-xx)
1.1-beta-4 : (1997-04-xx)
1.1-beta-5 : (1997-04-xx)
1.1 : (1997-04-28)
- new options:
--rhost : name of mysql-server to connect to
--plan : print suggestions/ideas for future releases
--relnotes : display release-notes
--howto : display examples on how to use mysqlaccess
--brief : single-line tabular output
- functionality/bugfix:
* removed options --all_users,--all_dbs,--all_hosts, which
were redundant with the wildcard-expressions for the corresponding
options. They made the processing of the commandline too painful
and confusing ;-)
(suggested by psmith)
* redefined the option --brief, which now gives a single-line
tabular output
* Now we check if the right version of the mysql-client is used,
since we might use an option not yet implemented in an
older version (--unbuffered, since 3.0.18)
Also the error-messages the mysql-client reports are
better interpreted ;-)
* Wildcards can now be given following the SQL-expression
(%,_) and the Regular-expression (*,?) syntax.
- speed: we now open a bidirectional pipe to the mysql-client, and keep
it open throughout the whole run. Queries are written to,
and the answers read from the pipe.
(suggested by monty)
- bugfixes:
* the Rules were not properly reset over iterations
* when in different tables the field-names were not identical,
eg. Select_priv and select_priv, they were considered as
definitions of 2 different access-rights.
* the IP-number of a host with a name containing wildcards should
not be searched for in Name2IP and IP2Name.
* various other small things, pointed out by and
1.2 : (1997-05-13)
- bugfix:
* Fixed bug in acl with anonymous user: Now if one gets accepted by the
user table as a empty user name, the user name is set to '' when
checking against the 'db' and 'host' tables. (Bug fixed in MySQL3.20.19)
1.2-1 : (1997-xx-xx)
- bugfix:
* hashes should be initialized with () instead of {}
* "my" variable $name masks earlier declaration in same scope,
using perl 5.004
1.2-2 : (1997-06-10)
2.0p1-3 : (1997-10-xx)
- new
* packages
* log-file for debug-output : /tmp/mysqlaccess.log
* default values are read from a configuration file $script.conf
first this file is looked for in the current directory; if not
found it is looked for in /etc/
Note that when default-values are given, these can't get overriden
by empty (blanc) values!
* CGI-BIN version with HTML and forms interface. Simply place the
script in an ScriptAliased directory, make the configuration file
available in the that directory or in /etc, and point your browser
to the right URL.
* copy the grant-rules to temporary tables, where you are safe to
play with them.
* preview changes in privileges after changing grant-rules,
before taking them into production
* copy the new grant-rules from the temporary tables back to the
grant-tables.
* Undo all changes made in the grant-tables (1-level undo).
-new options:
* --table : as opposite of the --brief option.
* --copy : (re)load temporary grant-tables from original ones.
* --preview : preview changes in privileges after changing
some or more entries in the grant-tables.
* --commit : copy grant-rules from temporary tables to grant-tables
(!don't forget to do an mysqladmin reload)
* --rollback: undo the last changes to the grant-tables.
- bugfix:
* if the table db is empty, mysqlaccess freezed
(by X Zhu )
2.0 : (1997-10-09)
- fixed some "-w" warnings.
- complain when certain programs and paths can't be found.
2.01 : (1997-12-12)
- bugfix:
* rules for db-table where not calculated and reported correctly.
2.02 : (1998-01-xx)
- bugfix:
* Privileges of the user-table were not AND-ed properly with the
other privileges. (reported by monty)
- new option:
* --old_server: mysqlaccess will now use a full where clause when
retrieving information from the MySQL-server. If
you are connecting to an old server (before v3.21)
then use the option --old_server.
2.03 : (1998-02-27)
- bugfix:
* in Host::MatchTemplate: incorrect match if host-field was left empty.
2.04-alpha1 : (2000-02-11)
Closes vulnerability due to former implementation requiring passwords
to be passed on the command line.
- functionality
Option values for --password -p -spassword -P may now be omitted from
command line, in which case the values will be prompted for.
(fix supplied by Steve Harvey )
2.05: (2000-02-17) Monty
Moved the log file from /tmp to ~
2.06: Don't print '+++USING FULL WHERE CLAUSE+++'
_RELEASE
$TODO = <<_TODO;
Plans:
-----
-a full where clause is use now. How can we handle older servers?
-add some more functionality for DNS.
-select the warnings more carefuly.
>> I think that the warnings should either be enhanced to _really_
>> understand and report real problems accurately, or restricted to
>> only printing things that it knows with 100% certainty. > Why do I have both '%' and 'any_other_host' in there? Isn't that
>> the same thing? I think it's because I have an actual host '%' in
>> one of my tables. Probably the script should catch that and not
>> duplicate output.
_TODO
# From the FAQ: the Grant-algorithm
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# The host table is mainly to maintain a list of "secure" servers.
# At TCX hosts contain a list of all machines on local network. These are granted
# all privileges.
# Technically the user grant is calculated by:
#
# 1.First sort all entries by host by putting host without wildcards first,
# after this host with wildcards and entries with host = ".
# Under each host sort user by the same criterias.
# 2.Get grant for user from the "db" table.
# 3.If hostname is "empty" for the found entry, AND the privileges with
# the privileges for the host in "host" table.
# (Remove all which is not "Y" in both)
# 4.OR (add) the privileges for the user from the "user" table.
# (add all privileges which is "Y" in "user")
#
# When matching, use the first found match.
#
# -----------------------------------------------------------------------------------
$HOWTO = <<_HOWTO;
Examples of how to call $script:
~~~~~~~~
1)Calling $script with 2 arguments:
\$ $script root mysql
->report rights of user root logged on at the local host in db mysql
Access-rights
for USER 'root', from HOST 'localhost', to DB 'mysql'
+-----------------+---+ +-----------------+---+
bool(false)
|