privilege: fix auth_socket bug, should only allow os user name to l…

…ogin (pingcap#54032) close pingcap#54031
yzhan1 · Jun 19, 2024 · b5316a5 · b5316a5
1 parent a603af9
commit b5316a5
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/pkg/privilege/privileges/privileges.go b/pkg/privilege/privileges/privileges.go
@@ -678,6 +678,13 @@ func (p *UserPrivileges) ConnectionVerification(user *auth.UserIdentity, authUse
 		if err = p.authenticateWithPlugin(user, authentication, salt, sessionVars, authConn, authPlugin, pwd, record, hasPassword); err != nil {
 			return info, err
 		}
+	} else if record.AuthPlugin == mysql.AuthSocket {
+		if string(authentication) != authUser && string(authentication) != pwd {
+			logutil.BgLogger().Error("Failed socket auth", zap.String("authUser", authUser),
+				zap.String("socket_user", string(authentication)),
+				zap.String("authentication_string", pwd))
+			return info, ErrAccessDenied.FastGenByArgs(user.Username, user.Hostname, hasPassword)
+		}
 	} else if len(pwd) > 0 && len(authentication) > 0 {
 		switch record.AuthPlugin {
 		// NOTE: If the checking of the clear-text password fails, please set `info.FailedDueToWrongPassword = true`.