[MDEV-17751] Implement GRANT OPTION behavior that conforms to SQL standard Created: 2018-11-16  Updated: 2019-04-15

Status: Stalled
Project: MariaDB Server
Component/s: Authentication and Privilege System
Fix Version/s: None

Type: Task Priority: Major
Reporter: Muhammad Irfan Assignee: Sergei Golubchik
Resolution: Unresolved Votes: 0
Labels: None


 Description   

GRANT OPTION is not working as expected. Check below test case.

MariaDB [(none)]> GRANT SELECT ON mysql.* TO 'irfan'@'localhost' IDENTIFIED BY 'irfan' WITH GRANT OPTION;
 
Query OK, 0 rows affected (0.000 sec)
 
 
 
MariaDB [(none)]> GRANT UPDATE, REFERENCES ON mysql.* TO 'irfan'@'localhost';
 
Query OK, 0 rows affected (0.000 sec)
 
 
 
MariaDB [(none)]> SHOW GRANTS FOR 'irfan'@'localhost';
 
+--------------------------------------------------------------------------------------------------------------+
 
| Grants for irfan@localhost                                                                                   |
 
+--------------------------------------------------------------------------------------------------------------+
 
| GRANT USAGE ON *.* TO 'irfan'@'localhost' IDENTIFIED BY PASSWORD '*A0927C41A900C56A5D035EF05ED250A252A5421B' |
 
| GRANT SELECT, UPDATE, REFERENCES ON `mysql`.* TO 'irfan'@'localhost' WITH GRANT OPTION                       |
 
+--------------------------------------------------------------------------------------------------------------+
 
2 rows in set (0.000 sec)

So, at this point GRANT OPTION is only allocated to SELECT but it assigned to UPDATE, REFERENCES privilege too.

Let's verify If UPDATE, REFERENCES can be assigned to other user from assigned user.

$ mysql -uirfan -p -hlocalhost
 
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
 
Your MariaDB connection id is 26
 
Server version: 10.3.10-MariaDB Homebrew
 
 
 
MariaDB [(none)]> SELECT CURRENT_USER();
 
+-----------------+
 
| CURRENT_USER()  |
 
+-----------------+
 
| irfan@localhost |
 
+-----------------+
 
1 row in set (0.000 sec)
 
 
 
MariaDB [(none)]> GRANT SELECT ON mysql.* TO 'irfan1'@'localhost' IDENTIFIED BY 'irfan1';
 
Query OK, 0 rows affected (0.000 sec)
 
 
 
MariaDB [(none)]> GRANT UPDATE, REFERENCES ON mysql.* TO 'irfan1'@'localhost' IDENTIFIED BY 'irfan1';
 
Query OK, 0 rows affected (0.000 sec)

So, user can assign privileges which are not granted with GRANT OPTION i.e. UPDATE, REFERENCES

 Comments   
Comment by Sergei Golubchik [ 2018-11-18 ]

GRANT OPTION works exactly as designed and as documented. But unfortunately not as specified in the SQL standard. In MySQL and in MariaDB GRANT OPTION is a privilege not an option. If one is granted this privilege, she can grant anything that is granted on the same level, see https://mariadb.com/kb/en/library/grant/#the-grant-option-privilege

Comment by Muhammad Irfan [ 2018-11-19 ]

I converted it as Feature Request.

Generated at Thu Feb 08 08:38:50 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.