Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
12.2.1
-
None
-
Ubuntu 22.04 x86-64, docker image mariadb:12.2.1-rc
Description
Description:
In current MariaDB, a user with CREATE privilege as well as SELECT privileges on only a specific column of a source table can execute CREATE TABLE ... LIKE to create a copy of the entire table structure.
This allows the user to discover the existence and data types of columns they are not authorized to access.
Steps to Reproduce:
-- Login as user root
|
CREATE TABLE ori (c1 INT, c2 INT); |
CREATE USER foo; |
-- Grant table level create, and column level select
|
GRANT CREATE ON new TO foo; |
GRANT SELECT(c1) ON ori TO foo; |
|
|
-- Login as user foo
|
CREATE TABLE new LIKE ori; |
SHOW CREATE TABLE new; |
Expected Result:
The CREATE TABLE ... LIKE statement should fail with an access denied error regarding column c2, similar to:
"ERROR 1143 (42000): SELECT command denied to user 'foo'@'...' for column 'c2' in table 'ori'"
Actual Result:
The query succeeds ("Query OK"). The user can then run "SHOW CREATE TABLE new" to see the definition of c2, which they should not have access to.
MariaDB [test]> CREATE TABLE new LIKE ori;
|
Query OK, 0 rows affected (0.001 sec)
|
|
|
MariaDB [test]> SHOW CREATE TABLE new;
|
+-------+-----------------------------------------------------------------------------------------------------------------------------------------------------+
|
| Table | Create Table |
|
+-------+-----------------------------------------------------------------------------------------------------------------------------------------------------+
|
| new | CREATE TABLE `new` (
|
`c1` int(11) DEFAULT NULL,
|
`c2` int(11) DEFAULT NULL
|
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_uca1400_ai_ci |
|
+-------+-----------------------------------------------------------------------------------------------------------------------------------------------------+
|