[MDEV-13732] User with SELECT privilege can ALTER sequence - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.3.1
Fix Version/s: 10.3.5
Component/s: Authentication and Privilege System, Sequences
Labels:
None

Description

A user with only the SELECT privilege cannot use NEXTVAL (understandably, which requires the INSERT privilege), but can ALTER the sequence.

SHOW GRANTS FOR CURRENT_USER();

+-----------------------------------------------------------------------------------------------------------+

| Grants for s@localhost                                                                                    |

+-----------------------------------------------------------------------------------------------------------+

| GRANT SELECT ON *.* TO 's'@'localhost' IDENTIFIED BY PASSWORD '*7B9EBEED26AA52ED10C0F549FA863F13C39E0209' |

+-----------------------------------------------------------------------------------------------------------+

1 row in set (0.000 sec)

SELECT NEXTVAL(s5);

ERROR 1142 (42000): INSERT command denied to user 's'@'localhost' for table 's5'

ALTER SEQUENCE s5 RESTART 50;

Query OK, 0 rows affected (0.000 sec)

Attachments

Issue Links

is part of

MDEV-10139 Support for SEQUENCE objects

Closed

relates to

MDEV-13717 Document permissions required to work with sequences

Closed

Activity

Ascending order - Click to sort in descending order

Ian Gilfillan created issue - 2017-09-04 11:58

Ian Gilfillan made changes - 2017-09-04 12:28

Field	Original Value	New Value
Link		This issue relates to ~~MDEV-13717~~ [ ~~MDEV-13717~~ ]

Elena Stepanova made changes - 2017-09-04 12:51

Component/s		Authentication and Privilege System [ 13101 ]
Fix Version/s		10.3 [ 22126 ]
Assignee		Michael Widenius [ monty ]

Michael Widenius made changes - 2017-09-04 14:56

Status

Open [ 1 ]

In Progress [ 3 ]

Michael Widenius added a comment - 2017-09-04 16:13 - edited

The bug is in privilege checking of sequences.

Michael Widenius added a comment - 2017-09-04 16:13 - edited The bug is in privilege checking of sequences.

Sergei Golubchik made changes - 2018-02-13 21:56

Priority

Major [ 3 ]

Critical [ 2 ]

Michael Widenius added a comment - 2018-02-14 14:44

Pushed into bb-10.2-ext.
Will be merged to 10.3 tree before next release

Michael Widenius added a comment - 2018-02-14 14:44 Pushed into bb-10.2-ext. Will be merged to 10.3 tree before next release

Michael Widenius made changes - 2018-02-14 14:44

Fix Version/s		10.3.5 [ 22905 ]
Fix Version/s	10.3 [ 22126 ]
Resolution		Fixed [ 1 ]
Status	In Progress [ 3 ]	Closed [ 6 ]

Michael Widenius made changes - 2018-03-21 18:37

Link

This issue is part of ~~MDEV-10139~~ [ ~~MDEV-10139~~ ]

Sergei Golubchik made changes - 2021-12-06 21:45

Workflow

MariaDB v3 [ 82398 ]

MariaDB v4 [ 152770 ]

People

Assignee:: Michael Widenius

Reporter:: Ian Gilfillan

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2017-09-04 11:58

Updated:: 2018-08-31 15:47

Resolved:: 2018-02-14 14:44

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server