MariaDB Server / MDEV-29752

SHOW GRANTS for PUBLIC should work for all users

Details

    Description

      MariaDB [(none)]> show grants;
      +------------------------------------------------+
      | Grants for developer@%                         |
      +------------------------------------------------+
      | GRANT USAGE ON *.* TO `developer`@`%`          |
      | GRANT ALL PRIVILEGES ON `dev_db`.* TO `PUBLIC` |
      +------------------------------------------------+
      2 rows in set (0.000 sec)
       
      MariaDB [(none)]> show grants for public;
      ERROR 1044 (42000): Access denied for user 'developer'@'%' to database 'mysql'
      

      Any user can see public's grants by running their own SHOW GRANTS command. This means that SHOW GRANTS FOR PUBLIC should also be allowed.
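The report's point is that grants made `TO PUBLIC` are effective for every account, which is why they already show up in each user's own `SHOW GRANTS`. The following is an added example, not code from the issue or from MariaDB: it parses `SHOW GRANTS` output (both the bordered table printed by the `mysql` client and the bare result lines shown in mtr output), separates what an account holds directly from what it inherits through PUBLIC, and flags PUBLIC grants that are broad enough to deserve review. The sample table is constructed from the output quoted in the description; the function names and the "broad grant" heuristic (`ALL PRIVILEGES`, or any privilege scoped to `*.*`) are this example's own assumptions.

```python
"""Split MariaDB SHOW GRANTS output into direct grants and grants inherited via PUBLIC."""
import re

# Constructed sample: the client table quoted in the issue description.
SAMPLE_SHOW_GRANTS = """\
+------------------------------------------------+
| Grants for developer@%                         |
+------------------------------------------------+
| GRANT USAGE ON *.* TO `developer`@`%`          |
| GRANT ALL PRIVILEGES ON `dev_db`.* TO `PUBLIC` |
+------------------------------------------------+
"""

# Matches one GRANT statement; anything after the grantee (e.g. WITH GRANT OPTION) is ignored.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<grantee>\S+)",
    re.IGNORECASE,
)


def parse_show_grants(text):
    """Return (privileges, scope, grantee) tuples from SHOW GRANTS output.

    Works on the bordered client table (| ... | rows, +---+ borders) and on bare
    result lines; the 'Grants for ...' header cell does not match GRANT_RE.
    """
    rows = []
    for line in text.splitlines():
        cell = line.strip().strip("|").strip()
        m = GRANT_RE.match(cell)
        if m:
            rows.append((m.group("privs"), m.group("scope"), m.group("grantee")))
    return rows


def is_public_grantee(grantee):
    """PUBLIC appears both quoted (`PUBLIC`) and bare (PUBLIC) in the outputs on this page."""
    return grantee.strip("`").upper() == "PUBLIC"


def split_grants(text):
    """Separate the account's direct grants from those it inherits via PUBLIC."""
    direct, via_public = [], []
    for privs, scope, grantee in parse_show_grants(text):
        target = via_public if is_public_grantee(grantee) else direct
        target.append((privs, scope))
    return direct, via_public


def broad_public_grants(text):
    """Flag PUBLIC grants that apply to every account on the server and are broad:
    ALL PRIVILEGES on anything, or any privilege scoped to *.* (assumed heuristic)."""
    _, via_public = split_grants(text)
    return [(p, s) for p, s in via_public if p.upper() == "ALL PRIVILEGES" or s == "*.*"]


if __name__ == "__main__":
    direct, via_public = split_grants(SAMPLE_SHOW_GRANTS)
    print("direct grants:     ", direct)
    print("inherited (PUBLIC):", via_public)
    print("broad PUBLIC grants:", broad_public_grants(SAMPLE_SHOW_GRANTS))
```

Running it on the sample table reports `USAGE ON *.*` as the account's only direct grant and `ALL PRIVILEGES ON `dev_db`.*` as inherited via PUBLIC, which is exactly the information `SHOW GRANTS FOR PUBLIC` should also expose to an unprivileged user.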

          Activity

            sanja Oleksandr Byelkin added a comment

            I tried to repeat and here it is:

            create database dbtest;
            create user `testuser`@`%`;
            GRANT USAGE ON *.* TO `testuser`@`%`;
            GRANT ALL PRIVILEGES ON `dbtest`.* TO `PUBLIC`;
            connect  testuser,localhost,testuser,,;
            show grants for public;
            Grants for PUBLIC
            GRANT ALL PRIVILEGES ON `dbtest`.* TO PUBLIC
            show grants for testuser;
            Grants for testuser@%
            GRANT USAGE ON *.* TO `testuser`@`%`
            connection default;
            disconnect testuser;
            REVOKE ALL PRIVILEGES ON `dbtest`.* FROM `PUBLIC`;
            REVOKE USAGE ON *.* FROM `testuser`@`%`;
            drop user `testuser`@`%`;
            drop database dbtest;

            test suite is here:

            create database dbtest;
            create user `testuser`@`%`;

            GRANT USAGE ON *.* TO `testuser`@`%`;
            GRANT ALL PRIVILEGES ON `dbtest`.* TO `PUBLIC`;

            connect (testuser,localhost,testuser,,);

            show grants for public;
            show grants for testuser;

            connection default;
            disconnect testuser;

            REVOKE ALL PRIVILEGES ON `dbtest`.* FROM `PUBLIC`;
            REVOKE USAGE ON *.* FROM `testuser`@`%`;
            drop user `testuser`@`%`;
            drop database dbtest;

            cvicentiu Vicențiu Ciorbaru added a comment - edited

            The bug is present in 85b939ae35c74d458916ff5b3f0da8045fc16522, which is the commit used for preview-10.11-preview release.

            It was later fixed in a follow-up commit in the bb-10.11-MDEV-5215 tree. The relevant change lies in the sql_acl.cc get_show_user() function:

            -    do_check_access= strcmp(*rolename, sctx->priv_role);
            +    do_check_access= !is_public(lex_user) && strcmp(*rolename, sctx->priv_role);
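            Review bot: the added `!is_public(lex_user) &&` guard short-circuits, so for PUBLIC the `strcmp(*rolename, sctx->priv_role)` comparison is never evaluated and `do_check_access` is false whatever the caller's current role; that is the intended effect, but the hunk disables an access check without any accompanying test, so the regression test described below (an unprivileged user running SHOW GRANTS FOR PUBLIC and seeing the same PUBLIC grants its own SHOW GRANTS lists) belongs in the same commit as this change rather than in a later one.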
            

            The test case was not present however, so it was added in bb-10.11-MDEV-5215 tree to prevent further regressions.


            People

              cvicentiu Vicențiu Ciorbaru
              cvicentiu Vicențiu Ciorbaru
              Votes: 0
              Watchers: 5
