Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-5245

Audit plugin reveals user lists to unprivileged users

    XMLWordPrintable

Details

    Description

      It's not a bug from the coding perspective, but possibly a specification one, or at least a point for consideration.

      When server_audit_excl_users or server_audit_incl_users are configured, they (as other variables) are visible to any database user, even the least privileged ones. Thus a user gets access to other users' login names and audit settings which is probably not a good idea in production.

      At the moment I don't have any suggestions on how to make it better, I'm not sure if there are any mechanisms to hide a system variable contents from a user.

      Attachments

        Issue Links

          is part of

          Task - A task that needs to be done. MDEV-5983 Auditing plugin v2.0

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          relates to

          Task - A task that needs to be done. MDEV-4472 Auditing Plugin

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.