[MDEV-40116] Incorrect privilege handling in column-level DENY SELECT also hides accessible columns from information_schema.COLUMNS - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 13.1
Fix Version/s: 13.1.1
Component/s: Authentication and Privilege System
Labels:
None

Bug Category:
Not for Release Notes
Sprint:
Q3/2026 Server Maintenance

Description

MDEV-14443 CS 13.1.0 41d3dbb0311e8e45b1d23df535959017c7ba17f1 (Debug, Clang 18.1.3-11) Build 18/06/2026
Session 1

13.1.0-dbg>CREATE DATABASE d1;
Query OK, 1 row affected (0.001 sec)

13.1.0-dbg>CREATE TABLE d1.t1 (a INT, b INT, c INT, KEY(a));
Query OK, 0 rows affected (0.015 sec)

13.1.0-dbg>INSERT INTO d1.t1 VALUES (1,2,3);
Query OK, 1 row affected (0.002 sec)

13.1.0-dbg>CREATE USER u@localhost;
Query OK, 0 rows affected (0.002 sec)

13.1.0-dbg>GRANT SELECT ON d1.t1 TO u@localhost;
Query OK, 0 rows affected (0.001 sec)

13.1.0-dbg>DENY SELECT (b) ON d1.t1 TO u@localhost;
Query OK, 0 rows affected (0.001 sec)

13.1.0-dbg>FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.001 sec)

13.1.0-dbg>

Session 2

MariaDB [d1]> SELECT a, c FROM d1.t1;
+------+------+
\| a \| c \|
+------+------+
\| 1 \| 3 \|
+------+------+
1 row in set (0.001 sec)

MariaDB [d1]> SELECT * FROM d1.t1;
ERROR 1143 (42000): SELECT command denied to user 'u'@'localhost' for column 'b' in table 't1'
MariaDB [d1]>
MariaDB [d1]> SHOW COLUMNS FROM d1.t1;
ERROR 1142 (42000): SELECT command denied to user 'u'@'localhost' for table `d1`.`t1`
MariaDB [d1]>
MariaDB [d1]> DESC d1.t1;
ERROR 1142 (42000): SELECT command denied to user 'u'@'localhost' for table `d1`.`t1`
MariaDB [d1]> SHOW INDEX FROM d1.t1;
ERROR 1142 (42000): SELECT command denied to user 'u'@'localhost' for table `d1`.`t1`
MariaDB [d1]> SHOW CREATE TABLE d1.t1;
ERROR 1142 (42000): SHOW command denied to user 'u'@'localhost' for table `d1`.`t1`
MariaDB [d1]> SELECT COUNT(*) AS visible_columns FROM information_schema.COLUMNS
-> WHERE TABLE_SCHEMA='d1' AND TABLE_NAME='t1';
+-----------------+
\| visible_columns \|
+-----------------+
\| 0 \|
+-----------------+
1 row in set (0.001 sec)

MariaDB [d1]>

MTR Test

CREATE DATABASE d1;

CREATE TABLE d1.t1 (a INT, b INT, c INT, KEY(a));

INSERT INTO d1.t1 VALUES (1,2,3);

CREATE USER u@localhost;

GRANT SELECT ON d1.t1 TO u@localhost;

DENY SELECT (b) ON d1.t1 TO u@localhost;

FLUSH PRIVILEGES;

connect (p, localhost, u,, d1);

SELECT a, c FROM d1.t1;

# all metadata is wrongly denied

--error ER_TABLEACCESS_DENIED_ERROR

SHOW COLUMNS FROM d1.t1;

--error ER_TABLEACCESS_DENIED_ERROR

DESC d1.t1;

--error ER_TABLEACCESS_DENIED_ERROR

SHOW INDEX FROM d1.t1;

--error ER_TABLEACCESS_DENIED_ERROR

SHOW CREATE TABLE d1.t1;

# information_schema.COLUMNS shows the user ZERO columns (expected a,c):

SELECT COUNT(*) AS visible_columns FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='d1' AND TABLE_NAME='t1';

connection default;

disconnect p;

DROP USER u@localhost;

DROP DATABASE d1;

Attachments

Issue Links

is caused by

MDEV-14443 DENY clause for access control a.k.a. "negative grants"

In Testing

Activity

People

Assignee:: Vladislav Vaintroub

Reporter:: Ramesh Sivaraman

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 1 week ago 10:58

Updated:: 3 days ago 11:00

Resolved:: 1 week ago 21:18

Time Tracking

Estimated:

Remaining:

Logged:

5.5h

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.