[MDEV-22374] VIEW with security definer require FILE privilege from definer not invoker in case of INTO OUTFILE - Jira

Details

Type: Bug
Status: Stalled (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: 5.5(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL)
Fix Version/s: 10.5, 10.6
Component/s: Views
Labels:
None

Description

create user test@localhost;

grant select on test.* to test@localhost;

create table t1 (a int);

create definer=test@localhost sql security definer view v1 as select * from t1;

--echo # check that ot works without view

--eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from t1;

--echo # check that ot works without file

select * from v1;

--echo # rights for file should be taken from current user not view

--eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from (select count(*) from v1) as dv1;

--echo # rights for file should be taken from current user not view

--eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from (select * from v1) as dv1;

--eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from v1;

--remove_file $MYSQL_TMP_DIR/test_out_txt

drop view v1;

drop table t1;

drop user test@localhost;

Attachments

Issue Links

is duplicated by

MDEV-28179 OUTFILE from mysql.user lead to an ERROR 1356 (HY000): View 'mysql.user' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them

Closed

relates to

MDEV-22378 load_data() always takes invoker FILE privileges in view

Open

Activity

Ascending order - Click to sort in descending order

Oleksandr Byelkin created issue - 2020-04-27 11:44

Oleksandr Byelkin made changes - 2020-04-27 11:44

Field	Original Value	New Value
Assignee		Oleksandr Byelkin [ sanja ]

Oleksandr Byelkin made changes - 2020-04-27 11:46

Component/s		Views [ 10111 ]
Fix Version/s		5.5 [ 15800 ]
Fix Version/s		10.1 [ 16100 ]
Fix Version/s		10.2 [ 14601 ]
Fix Version/s		10.3 [ 22126 ]
Fix Version/s		10.4 [ 22408 ]
Fix Version/s		10.5 [ 23123 ]

Oleksandr Byelkin made changes - 2020-04-27 11:48

Link

This issue relates to ~~MDEV-19650~~ [ ~~MDEV-19650~~ ]

Oleksandr Byelkin made changes - 2020-04-27 11:49

Issue Type

Task [ 3 ]

Bug [ 1 ]

Oleksandr Byelkin made changes - 2020-04-27 11:50

Affects Version/s		5.5 [ 15800 ]
Affects Version/s		10.1 [ 16100 ]
Affects Version/s		10.2 [ 14601 ]
Affects Version/s		10.3 [ 22126 ]
Affects Version/s		10.4 [ 22408 ]
Affects Version/s		10.5 [ 23123 ]

Oleksandr Byelkin made changes - 2020-04-27 11:51

Status

Open [ 1 ]

In Progress [ 3 ]

Oleksandr Byelkin made changes - 2020-04-27 15:22

Link

This issue relates to MDEV-22378 [ MDEV-22378 ]

Oleksandr Byelkin made changes - 2020-04-28 07:18

Status

In Progress [ 3 ]

Stalled [ 10000 ]

Oleksandr Byelkin made changes - 2020-04-28 07:19

Assignee	Oleksandr Byelkin [ sanja ]	Sergei Golubchik [ serg ]
Status	Stalled [ 10000 ]	In Review [ 10002 ]

Oleksandr Byelkin added a comment - 2020-04-28 07:19

commit d08860b28f3645bb59275941e56d63bef7ea3e05 (HEAD ~~> bb-5.5~~MDEV-22374, origin/bb-5.5-MDEV-22374)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Tue Apr 28 09:16:33 2020 +0200

MDEV-22374: VIEW with security definer require FILE privilege from definer not invoker in case of INTO OUTFILE

Check INTO OUTFILE clause always from invoker.

Oleksandr Byelkin added a comment - 2020-04-28 07:19 commit d08860b28f3645bb59275941e56d63bef7ea3e05 (HEAD > bb-5.5 MDEV-22374 , origin/bb-5.5- MDEV-22374 ) Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Tue Apr 28 09:16:33 2020 +0200 MDEV-22374 : VIEW with security definer require FILE privilege from definer not invoker in case of INTO OUTFILE Check INTO OUTFILE clause always from invoker.

Sergei Golubchik made changes - 2020-04-28 07:22

Priority

Major [ 3 ]

Critical [ 2 ]

Oleksandr Byelkin made changes - 2020-04-29 10:54

Link

This issue blocks ~~MDEV-19650~~ [ ~~MDEV-19650~~ ]

Sergei Golubchik made changes - 2020-05-04 14:29

Link

This issue relates to ~~MDEV-19650~~ [ ~~MDEV-19650~~ ]

Sergei Golubchik made changes - 2020-05-04 16:04

Status

In Review [ 10002 ]

Stalled [ 10000 ]

Sergei Golubchik made changes - 2020-05-06 09:57

Assignee

Sergei Golubchik [ serg ]

Oleksandr Byelkin [ sanja ]

Julien Fritsch made changes - 2020-05-11 07:13

Link

This issue blocks ~~MDEV-19650~~ [ ~~MDEV-19650~~ ]

Julien Fritsch made changes - 2020-07-22 16:29

Fix Version/s

5.5 [ 15800 ]

Julien Fritsch made changes - 2020-11-06 16:03

Fix Version/s

10.1 [ 16100 ]

Sergei Golubchik made changes - 2021-12-06 21:35

Workflow

MariaDB v3 [ 107792 ]

MariaDB v4 [ 143637 ]

Alice Sherepa made changes - 2021-12-07 11:30

Affects Version/s		10.6 [ 24028 ]
Affects Version/s		10.7 [ 24805 ]

Alice Sherepa made changes - 2021-12-07 11:30

Fix Version/s		10.6 [ 24028 ]
Fix Version/s		10.7 [ 24805 ]

Sergei Golubchik made changes - 2022-03-30 14:53

Link

This issue is duplicated by ~~MDEV-28179~~ [ ~~MDEV-28179~~ ]

Ralf Gebhardt made changes - 2022-08-04 08:40

Fix Version/s

10.2 [ 14601 ]

Julien Fritsch made changes - 2023-03-03 17:33

Fix Version/s

10.7 [ 24805 ]

Julien Fritsch made changes - 2023-04-27 13:51

Fix Version/s

10.3 [ 22126 ]

Julien Fritsch made changes - 2024-09-10 14:58

Fix Version/s

10.4 [ 22408 ]

Oleksandr Byelkin added a comment - 2024-09-30 13:37

> +create table t1 (a int);

> +create definer=test@localhost sql security definer view v1 as select * from t1;

> +# check that ot works without view

typo "it"

> +select * INTO OUTFILE '../..//tmp/test_out_txt' from t1;

> +# check that ot works without file

same

why "//" ?

> +select * from v1;

> +a

> +# rights for file should be taken from current user not view

> +select * INTO OUTFILE '../../tmp/test_out_txt' from (select count(*) from v1) as dv1;

> +select * INTO OUTFILE '../..//tmp/test_out_txt' from (select * from v1) as dv1;

> +select * INTO OUTFILE '../..//tmp/test_out_txt' from v1;

same

> +drop view v1;

please add reverse tests too:

+create sql security definer view v1 as select * from t1;

+connect(con1, localhost, test);

+error 1045;

+select * INTO OUTFILE '../..//tmp/test_out_txt' from t1;

+select * from v1;

+error 1045;

+select * INTO OUTFILE '../../tmp/test_out_txt' from (select count(*) from v1) as dv1;

+error 1045;

+select * INTO OUTFILE '../..//tmp/test_out_txt' from (select * from v1) as dv1;

+error 1045;

+select * INTO OUTFILE '../..//tmp/test_out_txt' from v1;

+connection default;

> +drop table t1;

> +drop user test@localhost;

> +# End of 5.5 tests

> diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc

> index ae5a6b4cd35..515990c879f 100644

> --- a/sql/sql_parse.cc

> +++ b/sql/sql_parse.cc

> @@ -2206,15 +2206,15 @@ mysql_execute_command(THD *thd)

>        lex->exchange != NULL implies SELECT .. INTO OUTFILE and this

>        requires FILE_ACL access.

>      */

> -    ulong privileges_requested= lex->exchange ? SELECT_ACL | FILE_ACL :

> -      SELECT_ACL;

> -

> -    if (all_tables)

> -      res= check_table_access(thd,

> -                              privileges_requested,

> -                              all_tables, FALSE, UINT_MAX, FALSE);

> -    else

> -      res= check_access(thd, privileges_requested, any_db, NULL, NULL, 0, 0);

> +    if (lex->exchange)

> +      res= check_access(thd, FILE_ACL, any_db, NULL, NULL, 0, 0);

> +    if (!res)

> +    {

> +      if (all_tables)

> +        res= check_table_access(thd, SELECT_ACL, all_tables, FALSE, UINT_MAX, FALSE);

> +      else

> +        res= check_access(thd, SELECT_ACL, any_db, NULL, NULL, 0, 0);

> +    }

No, I think this special check for a special SELECT ... INTO OUTFILE

case is wrong. Why does the server even checks global privileges via

views? It should not do it, I think, not for FILE not for any other

global or db level privilege. I'd try something like

diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc

--- a/sql/sql_acl.cc

+++ b/sql/sql_acl.cc

@@ -4699,7 +4699,7 @@ bool check_grant(THD *thd, ulong want_access, TABLE_LIST >

       Save a copy of the privileges without the SHOW_VIEW_ACL attribute.

       It will be checked during making view.

*/

-    tl->grant.orig_want_privilege= (want_access & ~SHOW_VIEW_ACL);

+    tl->grant.orig_want_privilege= want_access & ~SHOW_VIEW_ACL & TABLE_ACLS;

   mysql_rwlock_rdlock(&LOCK_grant);

diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc

--- a/sql/sql_parse.cc

+++ b/sql/sql_parse.cc

@@ -5204,7 +5204,8 @@ check_table_access(THD *thd, ulong requirements,TABLE_LIS>

        Register access for view underlying table.

        Remove SHOW_VIEW_ACL, because it will be checked during making view

*/

-    table_ref->grant.orig_want_privilege= (want_access & ~SHOW_VIEW_ACL);

+    table_ref->grant.orig_want_privilege=

+      want_access & ~SHOW_VIEW_ACL & TABLE_ACLS;

     if (table_ref->schema_table_reformed)

Oleksandr Byelkin added a comment - 2024-09-30 13:37 > +create table t1 (a int); > +create definer=test@localhost sql security definer view v1 as select * from t1; > +# check that ot works without view typo "it" > +select * INTO OUTFILE '../..//tmp/test_out_txt' from t1; > +# check that ot works without file same why "//" ? > +select * from v1; > +a > +# rights for file should be taken from current user not view > +select * INTO OUTFILE '../../tmp/test_out_txt' from (select count(*) from v1) as dv1; > +select * INTO OUTFILE '../..//tmp/test_out_txt' from (select * from v1) as dv1; > +select * INTO OUTFILE '../..//tmp/test_out_txt' from v1; same > +drop view v1; please add reverse tests too: +create sql security definer view v1 as select * from t1; +connect(con1, localhost, test); +error 1045; +select * INTO OUTFILE '../..//tmp/test_out_txt' from t1; +select * from v1; +error 1045; +select * INTO OUTFILE '../../tmp/test_out_txt' from (select count(*) from v1) as dv1; +error 1045; +select * INTO OUTFILE '../..//tmp/test_out_txt' from (select * from v1) as dv1; +error 1045; +select * INTO OUTFILE '../..//tmp/test_out_txt' from v1; +connection default; > +drop table t1; > +drop user test@localhost; > +# End of 5.5 tests > diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc > index ae5a6b4cd35..515990c879f 100644 > --- a/sql/sql_parse.cc > +++ b/sql/sql_parse.cc > @@ -2206,15 +2206,15 @@ mysql_execute_command(THD *thd) > lex->exchange != NULL implies SELECT .. INTO OUTFILE and this > requires FILE_ACL access. > */ > - ulong privileges_requested= lex->exchange ? SELECT_ACL | FILE_ACL : > - SELECT_ACL; > - > - if (all_tables) > - res= check_table_access(thd, > - privileges_requested, > - all_tables, FALSE, UINT_MAX, FALSE); > - else > - res= check_access(thd, privileges_requested, any_db, NULL, NULL, 0, 0); > + if (lex->exchange) > + res= check_access(thd, FILE_ACL, any_db, NULL, NULL, 0, 0); > + if (!res) > + { > + if (all_tables) > + res= check_table_access(thd, SELECT_ACL, all_tables, FALSE, UINT_MAX, FALSE); > + else > + res= check_access(thd, SELECT_ACL, any_db, NULL, NULL, 0, 0); > + } No, I think this special check for a special SELECT ... INTO OUTFILE case is wrong. Why does the server even checks global privileges via views? It should not do it, I think, not for FILE not for any other global or db level privilege. I'd try something like diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -4699,7 +4699,7 @@ bool check_grant(THD *thd, ulong want_access, TABLE_LIST > Save a copy of the privileges without the SHOW_VIEW_ACL attribute. It will be checked during making view. */ - tl->grant.orig_want_privilege= (want_access & ~SHOW_VIEW_ACL); + tl->grant.orig_want_privilege= want_access & ~SHOW_VIEW_ACL & TABLE_ACLS; } mysql_rwlock_rdlock(&LOCK_grant); diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -5204,7 +5204,8 @@ check_table_access(THD *thd, ulong requirements,TABLE_LIS> Register access for view underlying table. Remove SHOW_VIEW_ACL, because it will be checked during making view */ - table_ref->grant.orig_want_privilege= (want_access & ~SHOW_VIEW_ACL); + table_ref->grant.orig_want_privilege= + want_access & ~SHOW_VIEW_ACL & TABLE_ACLS; if (table_ref->schema_table_reformed) {

People

Assignee:: Oleksandr Byelkin

Reporter:: Oleksandr Byelkin

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2020-04-27 11:44

Updated:: 2024-09-30 13:37

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration