  1. MariaDB Server
  2. MDEV-5245

Audit plugin reveals user lists to unprivileged users

    Details

    • Type: Task
    • Status: Stalled
    • Priority: Major
    • Resolution: Unresolved
    • Fix Version/s: 10.4
    • Component/s: None
    • Labels:
      None

      Description

      It's not a bug from the coding perspective, but possibly a specification one, or at least a point for consideration.

      When server_audit_excl_users or server_audit_incl_users are configured, they (like other variables) are visible to any database user, even the least privileged ones. Thus a user gets access to other users' login names and audit settings, which is probably not a good idea in production.

      At the moment I don't have any suggestions on how to make it better; I'm not sure if there are any mechanisms to hide a system variable's contents from a user.

              People

              Assignee:
              holyfoot Alexey Botchkov
              Reporter:
              elenst Elena Stepanova
              Votes:
              0
              Watchers:
              3
