WL#12445: Improve Windows named pipe access control

Affects: Server-8.0   —   Status: Complete

In order to improve security when using named pipes on Windows to connect to the
MySQL Server, the permissions granted to clients on the named pipe created by
the MySQL server should be set to the minimum necessary for successful
communication.

Earlier versions of MySQL server granted more permissions than necessary to
named pipe clients, and the earlier versions of clients requested more permissions
than necessary when connecting to the MySQL server named pipe.  Thus simply
reducing the permissions granted by the MySQL server to named pipe clients will
result in earlier versions of named pipe clients being unable to open named pipe
connections: they will instead receive an "access denied" error.  Note that
newer versions of MySQL clients should request fewer permissions on the MySQL
named pipe and thus successfully open named pipe connections without any
additional configuration (beyond enabling named pipe connections at the MySQL
server via the existing --enable-named-pipe command line option).

To support access to MySQL server via named pipes for older clients (until the
older clients are upgraded) this worklog introduces a new MySQL server startup
option/system variable named_pipe_full_access_group. The
named_pipe_full_access_group value is the name of a Windows local group whose
members are granted sufficient access by the MySQL server to use older
named pipe clients.

The named_pipe_full_access_group value defaults to '*everyone*', indicating
that by default all users are granted full access to the MySQL named pipe. This
means that by default older clients/connectors which request full access to the
MySQL named pipe will continue to work. In the next release of the MySQL server
(8.0.15), the use of '*everyone*' as the named_pipe_full_access_group value will
be deprecated, and should produce a warning. In the release after that (8.0.16),
the default value of named_pipe_full_access_group will be changed to the empty
string '', i.e. no Windows user will be granted full access to the named pipe.

The default value of '*everyone*' is treated as a special case by
named_pipe_full_access_group and is always mapped to the built-in Windows group
identified by the SID S-1-1-0 (known as the World or Everyone SID). This
special-case handling provides a way of referring to the Everyone group that is
independent of the Windows installation language.

The documentation of this new system variable should encourage systems
administrators to only create a Windows local group to allow access to older
clients if absolutely necessary, and then limit the membership of the group to
as low a number of users as possible, removing users from the group as and when
their client software is upgraded.
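
One way to follow that guidance, as an added example that is not part of the worklog or of MySQL itself: a PowerShell function that holds the local group to an explicit allow-list, removes every other member, and refuses principals that would amount to '*everyone*' again. The group name mysql_legacy_pipe, the account report_svc, and the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the worklog. Group and account names are hypothetical.
# Matching server settings (my.ini, [mysqld] section):
#   enable-named-pipe
#   named_pipe_full_access_group=mysql_legacy_pipe

# Principals that would hand full access back to nearly every user:
# Everyone (World), Authenticated Users, BUILTIN\Users.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Resolve an account name to its SID string so comparisons do not depend
# on the Windows installation language.
function Resolve-Sid([string]$Account) {
    $nt = [System.Security.Principal.NTAccount]$Account
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Sync-PipeAccessGroup {
    param([Parameter(Mandatory)][string]$GroupName,
          [string[]]$AllowedAccounts = @())  # accounts still on older clients
    $wanted = @{}
    foreach ($a in $AllowedAccounts) {
        $sid = Resolve-Sid $a
        if ($BroadSids -contains $sid) { throw "Refusing broad principal '$a' ($sid)" }
        $wanted[$sid] = $a
    }
    # Create the group only if it does not exist yet.
    if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $GroupName -Description 'Older MySQL named pipe clients' | Out-Null
    }
    # Drop members that are no longer on the allow-list (client upgraded).
    $current = @(Get-LocalGroupMember -Group $GroupName)
    foreach ($m in $current) {
        if (-not $wanted.ContainsKey($m.SID.Value)) {
            Remove-LocalGroupMember -Group $GroupName -Member $m
        }
    }
    # Add allow-listed accounts that are not members yet.
    $have = @($current | ForEach-Object { $_.SID.Value })
    foreach ($sid in $wanted.Keys) {
        if ($have -notcontains $sid) {
            Add-LocalGroupMember -Group $GroupName -Member $wanted[$sid]
        }
    }
    # Return the resulting membership for review.
    Get-LocalGroupMember -Group $GroupName | Select-Object Name, SID, ObjectClass
}

# Constructed call: one service account is still on an older connector.
Sync-PipeAccessGroup -GroupName 'mysql_legacy_pipe' -AllowedAccounts "$env:COMPUTERNAME\report_svc"
```

Windows reads group membership from the user's access token, so an addition or removal takes effect at that user's next logon.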