Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-17751

Implement GRANT OPTION behavior that conforms to SQL standard

    XMLWordPrintable

Details

    Description

      GRANT OPTION is not working as expected. Check below test case.

      MariaDB [(none)]> GRANT SELECT ON mysql.* TO 'irfan'@'localhost' IDENTIFIED BY 'irfan' WITH GRANT OPTION;
      		 
      Query OK, 0 rows affected (0.000 sec)
      		 
       
      		 
      MariaDB [(none)]> GRANT UPDATE, REFERENCES ON mysql.* TO 'irfan'@'localhost';
      		 
      Query OK, 0 rows affected (0.000 sec)
      		 
       
      		 
      MariaDB [(none)]> SHOW GRANTS FOR 'irfan'@'localhost';
      		 
      +--------------------------------------------------------------------------------------------------------------+
      		 
      | Grants for irfan@localhost                                                                                   |
      		 
      +--------------------------------------------------------------------------------------------------------------+
      		 
      | GRANT USAGE ON *.* TO 'irfan'@'localhost' IDENTIFIED BY PASSWORD '*A0927C41A900C56A5D035EF05ED250A252A5421B' |
      		 
      | GRANT SELECT, UPDATE, REFERENCES ON `mysql`.* TO 'irfan'@'localhost' WITH GRANT OPTION                       |
      		 
      +--------------------------------------------------------------------------------------------------------------+
      		 
      2 rows in set (0.000 sec)

      So, at this point GRANT OPTION is only allocated to SELECT but it assigned to UPDATE, REFERENCES privilege too.

      Let's verify If UPDATE, REFERENCES can be assigned to other user from assigned user.

      $ mysql -uirfan -p -hlocalhost
      		 
      Enter password: 
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      		 
      Your MariaDB connection id is 26
      		 
      Server version: 10.3.10-MariaDB Homebrew
      		 
       
      		 
      MariaDB [(none)]> SELECT CURRENT_USER();
      		 
      +-----------------+
      		 
      | CURRENT_USER()  |
      		 
      +-----------------+
      		 
      | irfan@localhost |
      		 
      +-----------------+
      		 
      1 row in set (0.000 sec)
      		 
       
      		 
      MariaDB [(none)]> GRANT SELECT ON mysql.* TO 'irfan1'@'localhost' IDENTIFIED BY 'irfan1';
      		 
      Query OK, 0 rows affected (0.000 sec)
      		 
       
      		 
      MariaDB [(none)]> GRANT UPDATE, REFERENCES ON mysql.* TO 'irfan1'@'localhost' IDENTIFIED BY 'irfan1';
      		 
      Query OK, 0 rows affected (0.000 sec)

      So, user can assign privileges which are not granted with GRANT OPTION i.e. UPDATE, REFERENCES

      Attachments

        Activity

          People

            serg Sergei Golubchik
            muhammad.irfan Muhammad Irfan
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.