Details
Bug
Status: Closed
Critical
Resolution: Not a Bug
5.5
5.5.68-MariaDB MariaDB Server
operating system: CentOS Linux release 7.9.2009 (Core)
package: mariadb-server.x86_64 1:5.5.68-1.el7
Description
+-----------------------------------------------------------------------------------------------------------+
| Grants for u1@localhost                                                                                   |
+-----------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'u1'@'localhost' IDENTIFIED BY PASSWORD '*15E297D3F78F9D76C6F45AE33FB6E74D335B52F2' |
| GRANT SELECT ON `testDB`.`myTable` TO 'u1'@'localhost'                                                    |
+-----------------------------------------------------------------------------------------------------------+
User 'u1'@'localhost' defined above should have access only to the single table "myTable" in the db "testDB" and should be able to use only the SELECT command.
Unfortunately, such a user has access to all existing databases (except mysql, performance_schema) and can use any SQL command on all existing databases and their tables (even DROP TABLE and DROP DATABASE are allowed). This behaviour is quite strange and I suppose it is a security bug.
NOTE: I tried the same GRANT settings on 10.3.17-MariaDB MariaDB Server installed on CentOS Linux release 8.3.2011 and there everything works properly as I would expect. The user has access only to the single table and can use only the SELECT command.