WL#12670: Warn when using 'everyone' for named_pipe_full_access_group
Affects: Server-8.0 — Status: Complete
See WL#12445 Improve Windows named pipe access control

This worklog is a step on the way to changing the default value of the named_pipe_full_access_group system variable from '*everyone*' (insecure by default) to '' (i.e. no-one: secure by default).

Starting with MySQL server version 5.6.x, 5.7.x and 8.0.17, the server should both raise and log a warning message when the named_pipe_full_access_group system variable is set to a value that maps to the built-in Windows Everyone group (SID S-1-1-0).

The idea is to encourage the MySQL server DBA to select a different Windows group with a smaller membership than 'everyone', and to encourage third party named pipe connector developers to modify their code to request fewer permissions on the MySQL named pipe. Named pipe connectors that request limited permission on the MySQL named pipe can open the named pipe without requiring the Windows user running the connector to be a member of the Windows group indicated by the named_pipe_full_access_group system variable.

Note that checking the state of the named_pipe_full_access_group should be performed in a language independent fashion, as the string used to identify the Everyone group varies with the Windows default system language.
Functional requirements:

F-1: If the string value assigned to the named_pipe_full_access_group system variable during MySQL server start up corresponds to the Windows 'Everyone' group AND named pipes are enabled then a warning message SHALL be written to the error log.

F-2: If the named_pipe_full_access_group system variable's value is modified after MySQL server startup to a value that corresponds to the Windows 'Everyone' group then a warning message SHALL be written to the error log and raised to the client.

F-3: The string "*everyone*" SHALL be treated as a Windows System Language independent name for the Windows 'Everyone' group.
The warning message written to the error log when the named_pipe_full_access_group system variable is updated to a value corresponding to the 'Everyone' Windows group is of the form:

    Setting named_pipe_full_access_group='%s' is insecure. Consider using a Windows group with fewer members.

Where %s is replaced with the value used to update the named_pipe_full_access_group system variable.

Note that the 'Everyone' group name is localized on Windows by the configured Windows System Language - for example, on a French system the Everyone group name is 'Tout le monde'.
In order to determine whether the new value of the named_pipe_full_access_group system variable corresponds to the 'Everyone' group in a Windows System Language independent fashion, the new group name will be converted to its corresponding Windows Security Identifier (SID). The new group name's SID can then be compared with the "well known" SID corresponding to the 'Everyone' group (identified by the WinWorldSid SID type) using the EqualSid Windows API function.

Note that new group name values of null pointer and the empty string are valid and correspond to no group - which is NOT the same as the 'Everyone' group.

The '*everyone*' value has to be handled as a special case: it always matches the 'Everyone' group regardless of Windows System Language.
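
The same decision logic can be run by a DBA against a candidate value before assigning it. The following PowerShell is an added example, not the server's own code: it uses the .NET NTAccount and SecurityIdentifier classes instead of EqualSid, the function name Test-PipeGroupIsEveryone and the sample values are hypothetical, and the case-insensitive match on '*everyone*' is an assumption.

```powershell
# Added example (not MySQL server code): classify a candidate value for
# named_pipe_full_access_group the way the worklog describes.
# The function name and the sample values below are hypothetical.
function Test-PipeGroupIsEveryone {
    param([AllowNull()][string]$GroupName)

    # Null or empty string means "no group", which is NOT the Everyone group.
    if ([string]::IsNullOrEmpty($GroupName)) { return $false }

    # '*everyone*' is the language-independent alias and always matches.
    # Assumption: compared case-insensitively here.
    if ($GroupName -ieq '*everyone*') { return $true }

    # Well-known World SID (S-1-1-0), built without any localized name.
    $world = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

    try {
        # Resolve the (possibly localized) group name to its SID.
        $account = [System.Security.Principal.NTAccount]::new($GroupName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # The name does not resolve to any account, so it cannot be Everyone.
        return $false
    }

    # Compare SIDs, never display names.
    return $sid.Equals($world)
}

# Constructed sample values. A localized name such as 'Tout le monde' only
# resolves on a system whose Windows System Language uses that name.
$candidates = @('', '*everyone*', 'Everyone', 'Tout le monde', 'Administrators')
foreach ($name in $candidates) {
    [pscustomobject]@{
        Value      = "'$name'"
        IsEveryone = Test-PipeGroupIsEveryone -GroupName $name
    }
}
```

Any value reported with IsEveryone set to True is one for which the server would emit the warning above.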
Copyright (c) 2000, 2020, Oracle Corporation and/or its affiliates. All rights reserved.