Features #1103 and #1104

Bind on 0.0.0.0 by default #1103 and don't allow remote login from standard users Do not listen on unix socket domain by default #1104 #1104
9 years ago · 1ada33a048
parent dc3664ac33
commit 1ada33a048
4 changed files with 69 additions and 7 deletions
--- a/etc/proxysql.cnf
+++ b/etc/proxysql.cnf
@ -11,7 +11,8 @@ datadir="/var/lib/proxysql"
 admin_variables=
 {
 	admin_credentials="admin:admin"
-	mysql_ifaces="127.0.0.1:6032;/tmp/proxysql_admin.sock"
+#	mysql_ifaces="127.0.0.1:6032;/tmp/proxysql_admin.sock"
+	mysql_ifaces="0.0.0.0:6032"
 #	refresh_interval=2000
 #	debug=true
 }
@ -24,7 +25,8 @@ mysql_variables=
 	default_query_timeout=36000000
 	have_compress=true
 	poll_timeout=2000
-	interfaces="0.0.0.0:6033;/tmp/proxysql.sock"
+#	interfaces="0.0.0.0:6033;/tmp/proxysql.sock"
+	interfaces="0.0.0.0:6033"
 	default_schema="information_schema"
 	stacksize=1048576
 	server_version="5.5.30"
--- a/lib/MySQL_Session.cpp
+++ b/lib/MySQL_Session.cpp
@ -3051,9 +3051,68 @@ void MySQL_Session::handler___status_CONNECTING_CLIENT___STATE_SERVER_HANDSHAKE(
 				__sync_add_and_fetch(&MyHGM->status.client_connections_aborted,1);
 				client_myds->DSS=STATE_SLEEP;
 			} else {
-				client_myds->myprot.generate_pkt_OK(true,NULL,NULL,2,0,0,0,0,NULL);
-				status=WAITING_CLIENT_DATA;
-				client_myds->DSS=STATE_CLIENT_AUTH_OK;
+				if (
+					( default_hostgroup==ADMIN_HOSTGROUP && strcmp(client_myds->myconn->userinfo->username,(char *)"admin")==0 )
+					||
+					( default_hostgroup==STATS_HOSTGROUP && strcmp(client_myds->myconn->userinfo->username,(char *)"stats")==0 )
+					||
+					( default_hostgroup < 0 && strcmp(client_myds->myconn->userinfo->username,(char *)"monitor")==0 )
+				) {
+					char *client_addr = NULL;
+					union {
+						struct sockaddr_in in;
+						struct sockaddr_in6 in6;
+					} custom_sockaddr;
+					struct sockaddr *addr=(struct sockaddr *)malloc(sizeof(custom_sockaddr));
+					socklen_t addrlen=sizeof(custom_sockaddr);
+					memset(addr, 0, sizeof(custom_sockaddr));
+					int rc = 0;
+					rc = getpeername(client_myds->fd, addr, &addrlen);
+					if (rc == 0) {
+						char buf[512];
+						switch (addr->sa_family) {
+							case AF_INET: {
+								struct sockaddr_in *ipv4 = (struct sockaddr_in *)addr;
+								inet_ntop(addr->sa_family, &ipv4->sin_addr, buf, INET_ADDRSTRLEN);
+								client_addr = strdup(buf);
+								break;
+							}
+							case AF_INET6: {
+								struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)addr;
+								inet_ntop(addr->sa_family, &ipv6->sin6_addr, buf, INET6_ADDRSTRLEN);
+								client_addr = strdup(buf);
+								break;
+							}
+							default:
+								client_addr = strdup((char *)"localhost");
+								break;
+						}
+					} else {
+						client_addr = strdup((char *)"");
+					}
+					if (
+						(strcmp(client_addr,(char *)"127.0.0.1")==0)
+						||
+						(strcmp(client_addr,(char *)"localhost")==0)
+					) {
+						// we are good!
+						client_myds->myprot.generate_pkt_OK(true,NULL,NULL,2,0,0,0,0,NULL);
+						status=WAITING_CLIENT_DATA;
+						client_myds->DSS=STATE_CLIENT_AUTH_OK;
+					} else {
+						char *a=(char *)"User '%s' can only connect locally";
+						char *b=(char *)malloc(strlen(a)+strlen(client_myds->myconn->userinfo->username));
+						sprintf(b,a,client_myds->myconn->userinfo->username);
+						client_myds->myprot.generate_pkt_ERR(true,NULL,NULL,2,1040,(char *)"42000", b);
+						free(b);
+					}
+					free(client_addr);
+				} else {
+					// we are good!
+					client_myds->myprot.generate_pkt_OK(true,NULL,NULL,2,0,0,0,0,NULL);
+					status=WAITING_CLIENT_DATA;
+					client_myds->DSS=STATE_CLIENT_AUTH_OK;
+				}
 			}
 		} else {
 			// use SSL
--- a/lib/MySQL_Thread.cpp
+++ b/lib/MySQL_Thread.cpp
@ -1902,7 +1902,8 @@ void MySQL_Threads_Handler::start_listeners() {
 	char *_tmp=NULL;
 	_tmp=GloMTH->get_variable((char *)"interfaces");
 	if (strlen(_tmp)==0) {
-		GloMTH->set_variable((char *)"interfaces", (char *)"0.0.0.0:6033;/tmp/proxysql.sock"); // set default
+		//GloMTH->set_variable((char *)"interfaces", (char *)"0.0.0.0:6033;/tmp/proxysql.sock"); // set default
+		GloMTH->set_variable((char *)"interfaces", (char *)"0.0.0.0:6033"); // changed. See isseu #1104
 	}
 	free(_tmp);
 	tokenizer_t tok = tokenizer( variables.interfaces, ";", TOKENIZER_NO_EMPTIES );
--- a/lib/ProxySQL_Admin.cpp
+++ b/lib/ProxySQL_Admin.cpp
@ -2600,7 +2600,7 @@ ProxySQL_Admin::ProxySQL_Admin() {
 	if (GloVars.__cmd_proxysql_admin_socket) {
 		variables.mysql_ifaces=strdup(GloVars.__cmd_proxysql_admin_socket);
 	} else {
-		variables.mysql_ifaces=strdup("127.0.0.1:6032");
+		variables.mysql_ifaces=strdup("0.0.0.0:6032"); // changed. See isseu #1103
 	}
 	variables.telnet_admin_ifaces=NULL;
 	variables.telnet_stats_ifaces=NULL;