WL#12445: Improve Windows named pipe access control
Affects: Server-8.0 — Status: Complete
In order to improve security when using named pipes on Windows to connect to the MySQL Server, the permissions granted to clients on the named pipe created by the MySQL server should be set to the minimum necessary for successful communication. Earlier versions of MySQL server granted more permissions than necessary to named clients, and the earlier versions of clients requested more permissions than necessary when connecting to the MySQL server named pipe. Thus simply reducing the permissions granted by the MySQL server to named pipe clients will result in earlier versions of named pipe clients being unable to open named pipe connections: they will instead receive an "access denied" error. Note that newer versions of MySQL clients should request fewer permissions on the MySQL named pipe and thus successfully open named pipe connections without any additional configuration (beyond enabling named pipe connections at the MySQL server via the existing --enable-named-pipe command line option). To support access to MySQL server via named pipes for older clients (until the older clients are upgraded) this worklog introduces a new MySQL server startup option/system variable named_pipe_full_access_group. The named_pipe_full_access_group value is the name of a Windows local group whose members have are granted sufficient access by the MySQL server to use older named pipe clients. The named_pipe_full_access_group value defaults to '*everyone*', indicating that by default all users are granted full access to MySQL named pipe. This means that by default older clients/connectors which request full access to the MySQL named pipe will continue to work. In the next release of the MySQL server (8.0.15), the use of '*everyone*' as the named_pipe_full_access_group value will be deprecated, and should produce a warning. In the release after that(8.0.16), the default value of named_pipe_full_access_group will be changed to the empty string '' i.e. no Windows user will be granted full access to the named pipe. The default value of '*everyone*' is treated as a special case by the named_pipe_full_access_group and is always to the built in Windows group identified by the SID S-1-1-0 (known as the World or Everyone SID). This special case handling provides a Windows installation language independent way of referring to the Everyone group. The documentation of this new system variable should encourage systems administrators to only create a Windows local group to allow access to older clients if absolutely necessary, and then limit the membership of the group to as low a number of users as possible, removing users from the group as and when their client software is upgraded.
FR-1 The MySQL server SHALL restrict permissions granted to the Windows group "Everyone" on the named pipes created by the MySQL server on Windows to the minimum necessary for successful connection and communication. FR-2 The MySQL client connectors and mysqlclient.lib SHALL only request the minimum permissions necessary for successful connection and communication when opening named pipes created by the MySQL server on Windows. FR-3 A new system variable / start-up option named_pipe_full_access_group SHALL be introduced. FR-3.1 Valid values for named_pipe_full_access_group SHALL be an empty string, the string '*everyone*' or a string naming an existing Windows group. FR-3.2 The default value SHALL be '*everyone*'. FR-3.3 The named_pipe_full_access_group setting SHALL have no effect if enable_named_pipe is not set ON. FR-3.4 If an invalid value for named_pipe_full_access_group is provided at startup, the server will log an error and fail to start.
The following assumes that enable_named_pipe is ON. The MySQL server will set permissions for the "Everyone" group on named pipes that it creates to allow named pipe connections from any Windows user using client software that requests limited access (FILE_READ_ATTRIBUTES | FILE_READ_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_DATA | SYNCHRONIZE | READ_CONTROL) to the named pipe when connecting to it. IFF the named_pipe_full_access_group is set to the name of an existing Windows group, the MySQL server will set permissions on named pipes that it creates to allow members of the named Windows group full access (GENERIC_READ | GENERIC_WRITE) to the named pipe when connecting to it. This will allow Windows users that are members of the named Windows group to use older client software to make named pipe connections. If the named_pipe_full_access_group is set to an empty string, no Windows user (other than the Windows user running the MySQL server process) will be granted full access to the named pipes created by the MySQL server. Error Handling: At MySQL server startup, if the named_pipe_full_access_group is not empty and is not set to a valid Windows group name, an error message will be logged and the MySQL server will fail to start. If an attempt is made to set the named_pipe_full_access_group to an invalid value when the server is running, the named_pipe_full_access_group value remains unchanged and an error message is returned.
Copyright (c) 2000, 2019, Oracle Corporation and/or its affiliates. All rights reserved.