Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-36380

User has unauthorized access to a sequence through a view with security invoker

Details

    Description

      Unauthorized access to the sequence

      		 
      create database db;
      		 
      use db;
      		 
      create sequence s;
      		 
      create sql security invoker view v as select nextval(s);
      		 
      create user u@localhost;
      		 
      grant select on db.v to u@localhost;
      		 
       
      		 
      --connect (con1,localhost,u,,db)
      		 
      --error ER_TABLEACCESS_DENIED_ERROR
      		 
      select nextval(s);
      		 
      --error ER_VIEW_INVALID
      		 
      select * from v;
      		 
       
      		 
      --disconnect con1
      		 
      --connection default
      		 
      drop database db;
      		 
      drop user u@localhost;

      The expected result would be (as coded in the test case) that SELECT from the view fails with "View 'db.v' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them" or some kind of access denied error; instead, it succeeds;

      main ab468e33aff110b44a31ce0350894906ff4bc757

      		 
      mysqltest: At line 12: query 'select * from v' succeeded - should have failed with error ER_VIEW_INVALID (1356)...

      If we use a stored function instead of a sequence in an otherwise identical test case, it works as expected – SELECT from the view fails:

      OK with a function instead of a sequence

      		 
      create database db;
      		 
      use db;
      		 
      create function f() returns int return 1;
      		 
      create sql security invoker view v as select f();
      		 
      create user u@localhost;
      		 
      grant select on db.v to u@localhost;
      		 
       
      		 
      --connect (con1,localhost,u,,db)
      		 
      --error ER_PROCACCESS_DENIED_ERROR
      		 
      select f();
      		 
      --error ER_VIEW_INVALID
      		 
      select * from v;
      		 
       
      		 
      --disconnect con1
      		 
      --connection default
      		 
      drop database db;
      		 
      drop user u@localhost;

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-36280 ALTER TABLE require ALTER privilege on sequence from DEFAULT value expression

          • Critical - Crashes, loss of data, severe memory leak.
          • In Review

          Bug - A problem which impairs or prevents the functions of the product. MDEV-36413 User without any privileges to a sequence can read from it and modify it via column default

          • Blocker - Blocks development and/or testing work, production could not run.
          • Open

          Activity

            Ascending order - Click to sort in descending order
            elenst Elena Stepanova created issue -
            serg Sergei Golubchik made changes -
            Field Original Value New Value
            Assignee Sergei Golubchik [ serg ] Michael Widenius [ monty ]
            serg Sergei Golubchik made changes -
            Priority Major [ 3 ] Critical [ 2 ]
            serg Sergei Golubchik made changes -
            Priority Critical [ 2 ] Blocker [ 1 ]
            serg Sergei Golubchik made changes -
            serg Sergei Golubchik made changes -
            serg Sergei Golubchik made changes -
            Fix Version/s 10.5 [ 23123 ]
            Fix Version/s 10.6 [ 24028 ]

            People

              monty Michael Widenius
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.