Details
-
Bug
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.0.4, 5.1.67, 5.2.14, 5.3.12, 5.5.33a
-
None
-
None
Description
The check_access() function retrieves privileges like that
db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, db,
|
db_is_pattern);
|
Note that it is using sctx->host and sctx->priv_user pair. This is wrong, they belong to different values — the first is the host part in the USER(), the second is the user part in CURRENT_USER().
See the following test case:
create user c@localhost; |
create user c@'%'; |
grant select on mysql.* to c@'%'; |
connect (c,localhost,c,,,,,); |
select user(), current_user(); |
select user from mysql.user group by user; |
disconnect c;
|
connection default; |
drop user c@'%'; |
drop user c@localhost; |
Note that SELECT is allowed, while it is granted to c@%, and we're connected as c@localhost. Which suggests wildcard matching for the purpose of privilege checking. On the other hand, if the test case above is modified as
create user ''@localhost; |
create user c@'%'; |
grant select on mysql.* to c@'%'; |
connect (c,localhost,c,,,,,); |
select user(), current_user(); |
--error ER_TABLEACCESS_DENIED_ERROR
|
select user from mysql.user group by user; |
disconnect c;
|
connection default; |
drop user c@'%'; |
drop user ''@localhost; |
then the SELECT will fail. De facto, wildcard matching works for host names, but not for user names. Which is inconsistent.
Note: if this is to be fixed, all privilege checks should be analyzed and probably changed, including the one for SET ROLE
Attachments
Issue Links
- relates to
-
-
- Closed
-