[MDEV-13732] User with SELECT privilege can ALTER sequence
Created: 2017-09-04  Updated: 2018-08-31  Resolved: 2018-02-14

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Sequences
Affects Version/s: 10.3.1
Fix Version/s: 10.3.5

Type: Bug
Priority: Critical
Reporter: Ian Gilfillan
Assignee: Michael Widenius
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
PartOf
is part of MDEV-10139 Support for SEQUENCE objects Closed
Relates
relates to MDEV-13717 Document permissions required to work... Closed

 Description   

A user with only the SELECT privilege cannot use NEXTVAL (understandably, as it requires the INSERT privilege), but can ALTER the sequence.

SHOW GRANTS FOR CURRENT_USER();
+-----------------------------------------------------------------------------------------------------------+
| Grants for s@localhost                                                                                    |
+-----------------------------------------------------------------------------------------------------------+
| GRANT SELECT ON *.* TO 's'@'localhost' IDENTIFIED BY PASSWORD '*7B9EBEED26AA52ED10C0F549FA863F13C39E0209' |
+-----------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)
 
SELECT NEXTVAL(s5);
ERROR 1142 (42000): INSERT command denied to user 's'@'localhost' for table 's5'
 
ALTER SEQUENCE s5 RESTART 50;
Query OK, 0 rows affected (0.000 sec)
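
A regression check for the behaviour reported above, added here as an example (it is not part of the original report or of MariaDB's own test suite). It assumes a disposable test server, an administrative session plus a second session for the constructed account seq_ro, and that ALTER SEQUENCE is meant to require the ALTER privilege, as MariaDB's documentation states; the database name seq_priv_check and the password are placeholders.

```sql
-- Added example: privilege regression check for sequences.
-- seq_priv_check and seq_ro are constructed names; run on a test instance only.

-- Part 1: as an administrative user, build the fixture.
CREATE DATABASE IF NOT EXISTS seq_priv_check;
CREATE SEQUENCE seq_priv_check.s5 START WITH 1 INCREMENT BY 1;
CREATE USER 'seq_ro'@'localhost' IDENTIFIED BY 'placeholder-password';
GRANT SELECT ON seq_priv_check.* TO 'seq_ro'@'localhost';
SELECT NEXTVAL(seq_priv_check.s5) AS baseline;

-- Part 2: in a second session connected as seq_ro@localhost.
SHOW GRANTS FOR CURRENT_USER();
-- Needs INSERT; refused in the report.
SELECT NEXTVAL(seq_priv_check.s5);
-- Needs ALTER; this is the statement the report shows being accepted on 10.3.1.
ALTER SEQUENCE seq_priv_check.s5 RESTART 50;

-- Part 3: back in the administrative session.
-- The check passes when this value continues from the baseline
-- instead of jumping to 50.
SELECT NEXTVAL(seq_priv_check.s5) AS after_attempt;

-- Exposure audit: sequences that exist on this server.
SELECT table_schema, table_name
FROM information_schema.TABLES
WHERE table_type = 'SEQUENCE';

-- Exposure audit: accounts with global SELECT but no global ALTER,
-- the grant shape shown in the report.
SELECT grantee
FROM information_schema.USER_PRIVILEGES
GROUP BY grantee
HAVING SUM(privilege_type = 'SELECT') > 0
   AND SUM(privilege_type = 'ALTER') = 0;

-- Cleanup.
DROP USER 'seq_ro'@'localhost';
DROP DATABASE seq_priv_check;
```

The two audit queries only cover global grants; schema-level and table-level grants live in information_schema.SCHEMA_PRIVILEGES and information_schema.TABLE_PRIVILEGES.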



 Comments   
Comment by Michael Widenius [ 2017-09-04 ]

The bug is in privilege checking of sequences.

Comment by Michael Widenius [ 2018-02-14 ]

Pushed into bb-10.2-ext.
Will be merged to 10.3 tree before next release.
