[MDEV-5233] inconsistent check_access() - Jira

Sergei Golubchik created issue - 2013-11-04 14:16

Sergei Golubchik made changes - 2013-11-04 14:16

Field	Original Value	New Value
Link		This issue relates to ~~MDEV-5232~~ [ ~~MDEV-5232~~ ]

Sergei Golubchik made changes - 2013-11-04 14:25

Description

The {{check_access()}} function retrieves privileges like that
{code}
db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, db,
db_is_pattern);
{code}

Note that it is using {{sctx->host}} and {{sctx->priv_user}} pair. This is wrong, they belong to different values — the first is the host part in the {{USER()}}, the second is the user part in {{CURRENT_USER()}}.

Which means, the following {{SELECT}} is allowed, while it shouldn't be:

The {{check_access()}} function retrieves privileges like that
{code}
db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, db,
db_is_pattern);
{code}

Note that it is using {{sctx->host}} and {{sctx->priv_user}} pair. This is wrong, they belong to different values — the first is the host part in the {{USER()}}, the second is the user part in {{CURRENT_USER()}}.

See the following test case:
{code:sql}
create user c@localhost;
create user c;
grant select on mysql.* to c;
connect (c,localhost,c,,,,,);
select user(), current_user();
select user from mysql.user group by user;
disconnect c;
connection default;
drop user c;
drop user c@localhost;
{code}
Note that {{SELECT}} is allowed, while it is granted to {{c@%}}, and we're connected as {{c@localhost}}. Which suggests wildcard matching for the purpose of privilege checking. On the other hand, if the test case above is modified as
{code:sql}
create user ''@localhost;
create user c;
grant select on mysql.* to c;
connect (c,localhost,c,,,,,);
select user(), current_user();
--error ER_TABLEACCESS_DENIED_ERROR
select user from mysql.user group by user;
disconnect c;
connection default;
drop user c;
drop user ''@localhost;
{code}
then the {{SELECT}} will fail. De facto, wildcard matching works for host names, but not for user names. Which is inconsistent.

_Note: if this is to be fixed, all privilege checks should be analyzed and probably changed, including the one for {{SET ROLE}}_

Sergei Golubchik made changes - 2013-11-18 21:52

Fix Version/s		10.0.7 [ 14100 ]
Fix Version/s	10.0.6 [ 13202 ]

Sergei Golubchik made changes - 2013-12-11 16:38

Fix Version/s		10.0.8 [ 14200 ]
Fix Version/s	10.0.7 [ 14100 ]

Sergei Golubchik made changes - 2014-01-14 16:33

Description

The {{check_access()}} function retrieves privileges like that
{code}
db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, db,
db_is_pattern);
{code}

Note that it is using {{sctx->host}} and {{sctx->priv_user}} pair. This is wrong, they belong to different values — the first is the host part in the {{USER()}}, the second is the user part in {{CURRENT_USER()}}.

See the following test case:
{code:sql}
create user c@localhost;
create user c;
grant select on mysql.* to c;
connect (c,localhost,c,,,,,);
select user(), current_user();
select user from mysql.user group by user;
disconnect c;
connection default;
drop user c;
drop user c@localhost;
{code}
Note that {{SELECT}} is allowed, while it is granted to {{c@%}}, and we're connected as {{c@localhost}}. Which suggests wildcard matching for the purpose of privilege checking. On the other hand, if the test case above is modified as
{code:sql}
create user ''@localhost;
create user c;
grant select on mysql.* to c;
connect (c,localhost,c,,,,,);
select user(), current_user();
--error ER_TABLEACCESS_DENIED_ERROR
select user from mysql.user group by user;
disconnect c;
connection default;
drop user c;
drop user ''@localhost;
{code}
then the {{SELECT}} will fail. De facto, wildcard matching works for host names, but not for user names. Which is inconsistent.

_Note: if this is to be fixed, all privilege checks should be analyzed and probably changed, including the one for {{SET ROLE}}_

The {{check_access()}} function retrieves privileges like that
{code}
db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, db,
db_is_pattern);
{code}

Note that it is using {{sctx->host}} and {{sctx->priv_user}} pair. This is wrong, they belong to different values — the first is the host part in the {{USER()}}, the second is the user part in {{CURRENT_USER()}}.

See the following test case:
{code:sql}
create user c@localhost;
create user c@'%';
grant select on mysql.* to c@'%';
connect (c,localhost,c,,,,,);
select user(), current_user();
select user from mysql.user group by user;
disconnect c;
connection default;
drop user c@'%';
drop user c@localhost;
{code}
Note that {{SELECT}} is allowed, while it is granted to {{c@%}}, and we're connected as {{c@localhost}}. Which suggests wildcard matching for the purpose of privilege checking. On the other hand, if the test case above is modified as
{code:sql}
create user ''@localhost;
create user c;
grant select on mysql.* to c;
connect (c,localhost,c,,,,,);
select user(), current_user();
--error ER_TABLEACCESS_DENIED_ERROR
select user from mysql.user group by user;
disconnect c;
connection default;
drop user c;
drop user ''@localhost;
{code}
then the {{SELECT}} will fail. De facto, wildcard matching works for host names, but not for user names. Which is inconsistent.

_Note: if this is to be fixed, all privilege checks should be analyzed and probably changed, including the one for {{SET ROLE}}_

Sergei Golubchik made changes - 2014-01-14 16:35

Description

The {{check_access()}} function retrieves privileges like that
{code}
db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, db,
db_is_pattern);
{code}

Note that it is using {{sctx->host}} and {{sctx->priv_user}} pair. This is wrong, they belong to different values — the first is the host part in the {{USER()}}, the second is the user part in {{CURRENT_USER()}}.

See the following test case:
{code:sql}
create user c@localhost;
create user c@'%';
grant select on mysql.* to c@'%';
connect (c,localhost,c,,,,,);
select user(), current_user();
select user from mysql.user group by user;
disconnect c;
connection default;
drop user c@'%';
drop user c@localhost;
{code}
Note that {{SELECT}} is allowed, while it is granted to {{c@%}}, and we're connected as {{c@localhost}}. Which suggests wildcard matching for the purpose of privilege checking. On the other hand, if the test case above is modified as
{code:sql}
create user ''@localhost;
create user c;
grant select on mysql.* to c;
connect (c,localhost,c,,,,,);
select user(), current_user();
--error ER_TABLEACCESS_DENIED_ERROR
select user from mysql.user group by user;
disconnect c;
connection default;
drop user c;
drop user ''@localhost;
{code}
then the {{SELECT}} will fail. De facto, wildcard matching works for host names, but not for user names. Which is inconsistent.

_Note: if this is to be fixed, all privilege checks should be analyzed and probably changed, including the one for {{SET ROLE}}_

The {{check_access()}} function retrieves privileges like that
{code}
db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, db,
db_is_pattern);
{code}

Note that it is using {{sctx->host}} and {{sctx->priv_user}} pair. This is wrong, they belong to different values — the first is the host part in the {{USER()}}, the second is the user part in {{CURRENT_USER()}}.

See the following test case:
{code:sql}
create user c@localhost;
create user c@'%';
grant select on mysql.* to c@'%';
connect (c,localhost,c,,,,,);
select user(), current_user();
select user from mysql.user group by user;
disconnect c;
connection default;
drop user c@'%';
drop user c@localhost;
{code}
Note that {{SELECT}} is allowed, while it is granted to {{c@%}}, and we're connected as {{c@localhost}}. Which suggests wildcard matching for the purpose of privilege checking. On the other hand, if the test case above is modified as
{code:sql}
create user ''@localhost;
create user c@'%';
grant select on mysql.* to c@'%';
connect (c,localhost,c,,,,,);
select user(), current_user();
--error ER_TABLEACCESS_DENIED_ERROR
select user from mysql.user group by user;
disconnect c;
connection default;
drop user c@'%';
drop user ''@localhost;
{code}
then the {{SELECT}} will fail. De facto, wildcard matching works for host names, but not for user names. Which is inconsistent.

_Note: if this is to be fixed, all privilege checks should be analyzed and probably changed, including the one for {{SET ROLE}}_

Sergei Golubchik made changes - 2014-01-14 17:10

Fix Version/s		10.0.9 [ 14400 ]
Fix Version/s	10.0.8 [ 14200 ]

Sergei Golubchik made changes - 2014-02-11 16:27

Assignee

Sergei Golubchik [ serg ]

Sergei Golubchik made changes - 2014-03-04 13:24

Fix Version/s		10.1.0 [ 12200 ]
Fix Version/s	10.0.9 [ 14400 ]

Sergei Golubchik made changes - 2014-06-13 15:06

Workflow

defaullt [ 29601 ]

MariaDB v2 [ 45025 ]

Sergei Golubchik made changes - 2014-06-24 16:53

Fix Version/s		10.1 [ 16100 ]
Fix Version/s	10.1.0 [ 12200 ]

Rasmus Johansson (Inactive) made changes - 2015-05-18 17:51

Workflow

MariaDB v2 [ 45025 ]

MariaDB v3 [ 65556 ]

Sergei Golubchik made changes - 2015-10-27 16:52

Fix Version/s		10.2 [ 14601 ]
Fix Version/s	10.1 [ 16100 ]

Sergei Golubchik made changes - 2015-11-17 17:31

Fix Version/s

10.2 [ 14601 ]

Elena Stepanova made changes - 2017-11-05 17:30

Fix Version/s

5.5 [ 15800 ]

Sergei Golubchik made changes - 2019-04-03 08:58

Fix Version/s		10.4 [ 22408 ]
Fix Version/s	5.5 [ 15800 ]

Sergei Golubchik made changes - 2020-04-23 12:37

Fix Version/s		10.6 [ 24028 ]
Fix Version/s	10.4 [ 22408 ]

Sergei Golubchik made changes - 2021-12-06 21:32

Workflow

MariaDB v3 [ 65556 ]

MariaDB v4 [ 139556 ]

MariaDB Server

inconsistent check_access()

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration