Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-5245

Audit plugin reveals user lists to unprivileged users

    XMLWordPrintable

Details

    Description

      It's not a bug from the coding perspective, but possibly a specification one, or at least a point for consideration.

      When server_audit_excl_users or server_audit_incl_users are configured, they (as other variables) are visible to any database user, even the least privileged ones. Thus a user gets access to other users' login names and audit settings which is probably not a good idea in production.

      At the moment I don't have any suggestions on how to make it better, I'm not sure if there are any mechanisms to hide a system variable contents from a user.

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.