WL#12445: Improve Windows named pipe access control

Affects: Server-8.0   —   Status: Complete   —   Priority: Medium

In order to improve security when using named pipes on Windows to connect to the
MySQL Server, the permissions granted to clients on the named pipe created by
the MySQL server should be set to the minimum necessary for successful
communication.

Earlier versions of MySQL server granted more permissions than necessary to
named clients, and the earlier versions of clients requested more permissions
than necessary when connecting to the MySQL server named pipe.  Thus simply
reducing the permissions granted by the MySQL server to named pipe clients will
result in earlier versions of named pipe clients being unable to open named pipe
connections: they will instead receive an "access denied" error.  Note that
newer versions of MySQL clients should request fewer permissions on the MySQL
named pipe and thus successfully open named pipe connections without any
additional configuration (beyond enabling named pipe connections at the MySQL
server via the existing --enable-named-pipe command line option).

To support access to MySQL server via named pipes for older clients (until the
older clients are upgraded) this worklog introduces a new MySQL server startup
option/system variable named_pipe_full_access_group. The
named_pipe_full_access_group value is the name of a Windows local group whose
members have are granted sufficient access by the MySQL server to use older
named pipe clients.

The named_pipe_full_access_group value defaults to '*everyone*', indicating
that by default all users are granted full access to MySQL named pipe. This
means that by default older clients/connectors which request full access to the
MySQL named pipe will continue to work. In the next release of the MySQL server
(8.0.15), the use of '*everyone*' as the named_pipe_full_access_group value will
be deprecated, and should produce a warning. In the release after that(8.0.16),
the default value of named_pipe_full_access_group will be changed to the empty
string '' i.e. no Windows user will be granted full access to the named pipe.

The default value of '*everyone*' is treated as a special case by the
named_pipe_full_access_group and is always to the built in Windows group
identified by the SID S-1-1-0 (known as the World or Everyone SID). This special
case handling provides a Windows installation language independent way of
referring to the Everyone group.

The documentation of this new system variable should encourage systems
administrators to only create a Windows local group to allow access to older
clients if absolutely necessary, and then limit the membership of the group to
as low a number of users as possible, removing users from the group as and when
their client software is upgraded.
FR-1
The MySQL server SHALL restrict permissions granted to the Windows group
"Everyone" on the named pipes created by the MySQL server on Windows to the
minimum necessary for successful connection and communication.

FR-2
The MySQL client connectors and mysqlclient.lib SHALL only request the minimum
permissions necessary for successful connection and communication when opening
named pipes created by the MySQL server on Windows.

FR-3
A new system variable / start-up option named_pipe_full_access_group SHALL be
introduced.

FR-3.1
Valid values for named_pipe_full_access_group  SHALL be an empty string, the
string '*everyone*' or a string naming an existing Windows 
group.

FR-3.2
The default value SHALL be '*everyone*'.

FR-3.3
The named_pipe_full_access_group setting SHALL have no effect if
enable_named_pipe is not set ON.

FR-3.4
If an invalid value for named_pipe_full_access_group is provided at startup, the
server will log an error and fail to start.
The following assumes that enable_named_pipe is ON.

The MySQL server will set permissions for the "Everyone" group on named pipes
that it creates to allow named pipe connections from any Windows user using
client software that requests limited access (FILE_READ_ATTRIBUTES |
FILE_READ_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_DATA | SYNCHRONIZE |
READ_CONTROL) to the named pipe when connecting to it.

IFF the named_pipe_full_access_group is set to the name of an existing Windows
group, the MySQL server will set permissions on named pipes that it creates to
allow members of the named Windows group full access (GENERIC_READ |
GENERIC_WRITE) to the named pipe when connecting to it.  This will allow Windows
users that are members of the named Windows group to use older client software
to make named pipe connections.

If the named_pipe_full_access_group is set to an empty string, no Windows user
(other than the Windows user running the MySQL server process) will be granted
full access to the named pipes created by the MySQL server.

Error Handling:
At MySQL server startup, if the named_pipe_full_access_group is not empty and
is not set to a valid Windows group name, an error message will be logged and
the MySQL server will fail to start.

If an attempt is made to set the named_pipe_full_access_group to an invalid
value when the server is running, the named_pipe_full_access_group value
remains unchanged and an error message is returned.