Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-37971

CHECK TABLE command can be executed by users with the table-level CREATE but not with global CREATE

    XMLWordPrintable

Details

    Description

      The CHECK TABLE command can be executed by users who only have the table-level CREATE or GRANT OPTION privilege.

      Steps to reproduce:
      1. Login as the root user:

      -- Create a database and a table
      		 
      CREATE DATABASE test;
      		 
      CREATE TABLE test.xxx (yyy INT);
      		 
       
      		 
      -- Create two new users and grant the GRANT OPTION privilege
      		 
      -- One for table-level (to reproduce the issue) and one for global-level (for comparison)
      		 
      CREATE USER table_level_priv;
      		 
      CREATE USER global_level_priv;
      		 
      GRANT CREATE, GRANT OPTION ON *.* TO global_level_priv;
      		 
      GRANT GRANT OPTION ON test.xxx TO table_level_priv;

      2. Login as the global_level_priv user. This user has the global CREATE and GRANT OPTION privilege, but cannot run the CHECK TABLE command:

      SHOW GRANTS;
      		 
      /*+-----------------------------------------------------------------+
      		 
        | Grants for global_level_priv@%                                  |
      		 
        +-----------------------------------------------------------------+
      		 
        | GRANT CREATE ON *.* TO `global_level_priv`@`%` WITH GRANT OPTION |
      		 
        +-----------------------------------------------------------------+*/
      		 
       
      		 
      CHECK TABLE test.xxx;
      		 
      -- ERROR 1142 (42000): SELECT command denied to user 'global_level_priv'@'localhost' for table 'xxx'

      3. Login as the table_level_priv user (the result seems inconsistent with the global-level user)

      SHOW GRANTS;
      		 
      /*+-------------------------------------------------------------------------+
      		 
        | Grants for table_level_priv@%                                           |
      		 
        +-------------------------------------------------------------------------+
      		 
        | GRANT USAGE ON *.* TO `table_level_priv`@`%`                            |
      		 
        | GRANT USAGE ON `test`.`xxx` TO `table_level_priv`@`%` WITH GRANT OPTION |
      		 
        +-------------------------------------------------------------------------+*/
      		 
      CHECK TABLE test.xxx;
      		 
      /*+----------+-------+----------+----------+
      		 
        | Table    | Op    | Msg_type | Msg_text |
      		 
        +----------+-------+----------+----------+
      		 
        | test.xxx | check | status   | OK       |
      		 
        +----------+-------+----------+----------+*/

      Attachments

        Activity

          People

            serg Sergei Golubchik
            fuboat Jingzhou Fu
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.