  1. MariaDB Server
  2. MDEV-28151

Behaviour of permission checks when creating views with a definer other than yourself


Details

    Description

      When a view that accesses a table is created by a user that has the SET USER (or SUPER) permission, the current permission checks are a little illogical.

      In general, when creating a view (that uses a table), the user needs:

      • CREATE VIEW
      • SELECT / UPDATE / INSERT on any columns selected by the view
      • SELECT on columns used elsewhere

      This generally works well, as while you can create a view that you can't then read from, you would be able to update or insert data via that view (as long as it was writeable).

      However, when you are setting the definer to a different user, your permissions are checked at create time even though they will not be relevant again. Could it be considered that, in this case, the SELECT/INSERT/UPDATE permissions of the definer are checked instead of those of the current user (while CREATE VIEW & SET USER remain checked against the current user)? This would bring views in line with how setting a different definer works for routines / events / triggers.

      To add a bit of context for how this request would be useful: we have permission sets for different developers on the server which allow access to data based on how sensitive it is. There are some tables where SELECT access has to be manually requested from their manager due to GDPR, as they contain sensitive customer data. While SET USER allows developers who have the permission to gain higher access via malicious stored procedures or similar, DDL statements can be logged (allowing this to be identified).

      One of the developers who had SET USER was trying to copy a view defined by a system account to a second location (where the system account would still be able to access the view/underlying tables). In this case, the developer didn't need to see the data at any point, and after creating the view still wouldn't be able to see the data (as they couldn't run SELECT on the view). However, the relevant system account would then be able to make use of the view in the new location.
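
      The scenario in this report, written out as a script. This is an added example, not part of the original report or of MariaDB's own test suite; the schemas `crm` and `reporting`, the table `customers`, the accounts `sys_report` and `dev_alice` and the passwords are all constructed, and a MariaDB version that has the SET USER privilege is assumed. It ends with an audit query over `information_schema.VIEWS` that an administrator can use to review which account each definer-security view executes as.

```sql
-- Constructed names throughout (schemas, table, accounts, passwords).
CREATE DATABASE crm;
CREATE DATABASE reporting;
CREATE TABLE crm.customers (
  id    INT PRIMARY KEY,
  email VARCHAR(255) NOT NULL
);

CREATE USER 'sys_report'@'localhost' IDENTIFIED BY 'change-me-1';
CREATE USER 'dev_alice'@'localhost'  IDENTIFIED BY 'change-me-2';

-- The system account may read the sensitive table and views in reporting.
GRANT SELECT ON crm.customers TO 'sys_report'@'localhost';
GRANT SELECT ON reporting.*   TO 'sys_report'@'localhost';

-- The developer may create views and name another definer,
-- but holds no privilege at all on crm.customers.
GRANT CREATE VIEW ON reporting.* TO 'dev_alice'@'localhost';
GRANT SET USER    ON *.*         TO 'dev_alice'@'localhost';

-- Run as dev_alice. Per the report, this is refused today: the column
-- privileges of the creating user are checked, although the view will
-- only ever execute with the privileges of sys_report.
CREATE DEFINER = 'sys_report'@'localhost' SQL SECURITY DEFINER
  VIEW reporting.customer_emails AS
  SELECT id, email FROM crm.customers;

-- Run as an administrator. Review every definer-security view outside
-- the system schemas together with the account it executes as, so that
-- views created on behalf of another account can be checked against
-- the DDL log.
SELECT TABLE_SCHEMA, TABLE_NAME, DEFINER, SECURITY_TYPE
FROM information_schema.VIEWS
WHERE SECURITY_TYPE = 'DEFINER'
  AND TABLE_SCHEMA NOT IN ('mysql', 'sys', 'information_schema',
                           'performance_schema')
ORDER BY DEFINER, TABLE_SCHEMA, TABLE_NAME;
```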


          People

            Unassigned Unassigned
            rmhumphries Robert Humphries