Bug #27175716: KEYRING MIGRATION TOOL GENERATING THE KEYS WHICH CAN'T

               BE READ BY SERVER

Problem: Keyring migration tool creates backed file for destination
plugin if the file is not present. This file is created with OS user
as owner for this file. After migration when server is started with
destination keyring plugin, plugin will reject this file from reading.

Fix: Moved the migration specific code after calls to setgid and setuid
so that backend files for destination plugin is created with correct user.

(cherry picked from commit 46e91ea8a292f0fcbb9f193514f29375c5335205)

Author: Bharathy Satish

sql/migrate_keyring.cc

@@ -33,9 +33,9 @@ Migrate_keyring::Migrate_keyring()
 
 /**
   This function does the following:
-    1. Read command line arguments specific to migration operation
-    2. Get plugin_dir value.
-    3. Get a connection handle by connecting to server.
+    1. Validate all keyring migration specific options.
+    2. Get a connection handle by connecting to server if connection
+       specific options are set.
 
    @param [in] argc               Pointer to argc of original program
    @param [in] argv               Pointer to argv of original program
@@ -61,14 +61,6 @@ bool Migrate_keyring::init(int  argc,
 {
   DBUG_ENTER("Migrate_keyring::init");
 
-  my_option migration_options[]= {
-    {"basedir", 0, "", &mysql_home_ptr, 0,
-     0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
-    {"plugin_dir", 0, "", &opt_plugin_dir_ptr, 0,
-      0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
-
-    {0, 0, 0, 0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0}
-  };
   std::size_t found= std::string::npos;
   string equal("=");
   string so(".so");
@@ -120,17 +112,10 @@ bool Migrate_keyring::init(int  argc,
     DBUG_RETURN(true);
   }
 
-  if (my_handle_options(&m_argc, &m_argv, migration_options,
-                        NULL, NULL, TRUE))
-    DBUG_RETURN(true);
   /* Restore program name */
   m_argc++;
   m_argv--;
 
-  convert_dirname(opt_plugin_dir, opt_plugin_dir_ptr ? opt_plugin_dir_ptr :
-                                  PLUGINDIR, NullS);
-  opt_plugin_dir_ptr= opt_plugin_dir;
-
   /* if connect options are provided then initiate connection */
   if (migrate_connect_options)
   {

sql/migrate_keyring.h

@@ -35,20 +35,34 @@ enum enum_plugin_type
 class Key_info
 {
 public:
+  Key_info()
+    : m_key_id_len(0),
+      m_user_id_len(0)
+  {}
   Key_info(char     *key_id,
            char     *user_id)
   {
-    memcpy(m_key_id, key_id, strlen(key_id));
-    memcpy(m_user_id, user_id, strlen(user_id));
+    m_key_id_len= strlen(key_id);
+    memcpy(m_key_id, key_id, m_key_id_len);
+    m_key_id[m_key_id_len]= '\0';
+    m_user_id_len= strlen(user_id);
+    memcpy(m_user_id, user_id, m_user_id_len);
+    m_user_id[m_user_id_len]= '\0';
   }
   Key_info(const Key_info &ki)
   {
-    memcpy(this->m_key_id, ki.m_key_id, strlen(ki.m_key_id));
-    memcpy(this->m_user_id, ki.m_user_id, strlen(ki.m_user_id));
+    this->m_key_id_len= ki.m_key_id_len;
+    memcpy(this->m_key_id, ki.m_key_id, this->m_key_id_len);
+    this->m_key_id[this->m_key_id_len]= '\0';
+    this->m_user_id_len= ki.m_user_id_len;
+    memcpy(this->m_user_id, ki.m_user_id, this->m_user_id_len);
+    this->m_user_id[this->m_user_id_len]= '\0';
   }
 public:
   char     m_key_id[MAX_KEY_LEN];
+  int      m_key_id_len;
   char     m_user_id[USERNAME_LENGTH];
+  int      m_user_id_len;
 };
 
 class Migrate_keyring

sql/mysqld.cc

@@ -2955,49 +2955,6 @@ int init_common_variables()
     return 1;
   init_client_errs();
 
-  /*
-    initiate key migration if any one of the migration specific
-    options are provided.
-  */
-  if (opt_keyring_migration_source ||
-      opt_keyring_migration_destination ||
-      migrate_connect_options)
-  {
-    Migrate_keyring mk;
-    my_getopt_skip_unknown= TRUE;
-    if (mk.init(remaining_argc, remaining_argv,
-                opt_keyring_migration_source,
-                opt_keyring_migration_destination,
-                opt_keyring_migration_user,
-                opt_keyring_migration_host,
-                opt_keyring_migration_password,
-                opt_keyring_migration_socket,
-                opt_keyring_migration_port))
-    {
-      sql_print_error(ER_DEFAULT(ER_KEYRING_MIGRATION_STATUS),
-                      "failed");
-      log_error_dest= "stderr";
-      flush_error_log_messages();
-      return 1;
-    }
-
-    if (mk.execute())
-    {
-      sql_print_error(ER_DEFAULT(ER_KEYRING_MIGRATION_STATUS),
-                      "failed");
-      log_error_dest= "stderr";
-      flush_error_log_messages();
-      return 1;
-    }
-
-    my_getopt_skip_unknown= 0;
-    sql_print_information(ER_DEFAULT(ER_KEYRING_MIGRATION_STATUS),
-                          "sucessfull");
-    log_error_dest= "stderr";
-    flush_error_log_messages();
-    exit(MYSQLD_SUCCESS_EXIT);
-  }
-
   mysql_client_plugin_init();
   if (item_create_init())
     return 1;
@@ -4680,15 +4637,6 @@ int mysqld_main(int argc, char **argv)
   srand(static_cast<uint>(time(NULL)));
 #endif
 
-  /*
-    We have enough space for fiddling with the argv, continue
-  */
-  if (my_setwd(mysql_real_data_home,MYF(MY_WME)) && !opt_help)
-  {
-    sql_print_error("failed to set datadir to %s", mysql_real_data_home);
-    unireg_abort(MYSQLD_ABORT_EXIT);        /* purecov: inspected */
-  }
-
 #ifndef _WIN32
   if ((user_info= check_user(mysqld_user)))
   {
@@ -4733,6 +4681,56 @@ int mysqld_main(int argc, char **argv)
   }
 #endif // !_WIN32
 
+  /*
+   initiate key migration if any one of the migration specific
+   options are provided.
+  */
+  if (opt_keyring_migration_source ||
+      opt_keyring_migration_destination ||
+      migrate_connect_options)
+  {
+    Migrate_keyring mk;
+    if (mk.init(remaining_argc, remaining_argv,
+                opt_keyring_migration_source,
+                opt_keyring_migration_destination,
+                opt_keyring_migration_user,
+                opt_keyring_migration_host,
+                opt_keyring_migration_password,
+                opt_keyring_migration_socket,
+                opt_keyring_migration_port))
+    {
+      sql_print_error(ER_DEFAULT(ER_KEYRING_MIGRATION_STATUS),
+                      "failed");
+      log_error_dest= "stderr";
+      flush_error_log_messages();
+      unireg_abort(MYSQLD_ABORT_EXIT);
+    }
+
+    if (mk.execute())
+    {
+      sql_print_error(ER_DEFAULT(ER_KEYRING_MIGRATION_STATUS),
+                      "failed");
+      log_error_dest= "stderr";
+      flush_error_log_messages();
+      unireg_abort(MYSQLD_ABORT_EXIT);
+    }
+
+    sql_print_information(ER_DEFAULT(ER_KEYRING_MIGRATION_STATUS),
+                          "successfull");
+    log_error_dest= "stderr";
+    flush_error_log_messages();
+    unireg_abort(MYSQLD_SUCCESS_EXIT);
+  }
+
+  /*
+   We have enough space for fiddling with the argv, continue
+  */
+  if (my_setwd(mysql_real_data_home,MYF(MY_WME)) && !opt_help)
+  {
+    sql_print_error("failed to set datadir to %s", mysql_real_data_home);
+    unireg_abort(MYSQLD_ABORT_EXIT);        /* purecov: inspected */
+  }
+
   //If the binlog is enabled, one needs to provide a server-id
   if (opt_bin_log && !(server_id_supplied) )
   {