[MDEV-18123] Users with SUPER get DELETE HISTORY privilege after upgrading
Created: 2019-01-02  Updated: 2019-03-16  Resolved: 2019-03-16

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Documentation
Affects Version/s: 10.3.11
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: Todd Coker (Inactive)
Assignee: Ian Gilfillan
Resolution: Fixed
Votes: 0
Labels: None
Environment: CentOS 6.10


 Description   

After upgrading from MariaDB 10.2.21 to MariaDB 10.3.11, users with the SUPER privilege acquire the DELETE HISTORY (aka DELETE VERSIONING ROWS) privilege.

State prior to upgrade:

MariaDB [(none)]> select @@version;
+-----------------+
| @@version       |
+-----------------+
| 10.2.21-MariaDB |
+-----------------+
1 row in set (0.00 sec)
 
MariaDB [(none)]> GRANT SUPER ON *.* to 'testuser'@'localhost' identified by 'Password123';
Query OK, 0 rows affected (0.00 sec)
 
MariaDB [(none)]> show grants for 'testuser'@'localhost';
+-----------------------------------------------------------------------------------------------------------------+
| Grants for testuser@localhost                                                                                   |
+-----------------------------------------------------------------------------------------------------------------+
| GRANT SUPER ON *.* TO 'testuser'@'localhost' IDENTIFIED BY PASSWORD '*B867055C61BEA33BAB533EF0900D1B193FBE6844' |
+-----------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
 
MariaDB [(none)]> 

Steps used to perform upgrade:

service mysql stop
rpm -qa |grep MariaDB |xargs rpm -e --nodeps
sed -i 's/10.2/10.3/' /etc/yum.repos.d/mariadb.repo
yum clean all
yum check-update
yum install MariaDB-server -y
service mysql start

After restarting but before mysql_upgrade, user still has the correct permissions:

MariaDB [(none)]> select @@version;
+-----------------+
| @@version       |
+-----------------+
| 10.3.11-MariaDB |
+-----------------+
1 row in set (0.000 sec)
 
MariaDB [(none)]> show grants for 'testuser'@'localhost';
+-----------------------------------------------------------------------------------------------------------------+
| Grants for testuser@localhost                                                                                   |
+-----------------------------------------------------------------------------------------------------------------+
| GRANT SUPER ON *.* TO 'testuser'@'localhost' IDENTIFIED BY PASSWORD '*B867055C61BEA33BAB533EF0900D1B193FBE6844' |
+-----------------------------------------------------------------------------------------------------------------+
1 row in set (0.005 sec)

Following mysql_upgrade, the additional privilege appears:

[root@dev ~]# mysql_upgrade
Phase 1/7: Checking and upgrading mysql database
Processing databases
mysql
mysql.column_stats                                 OK
mysql.columns_priv                                 OK
mysql.db                                           OK
mysql.event                                        OK
mysql.func                                         OK
mysql.gtid_slave_pos                               OK
mysql.help_category                                OK
mysql.help_keyword                                 OK
mysql.help_relation                                OK
mysql.help_topic                                   OK
mysql.host                                         OK
mysql.index_stats                                  OK
mysql.innodb_index_stats                           OK
mysql.innodb_table_stats                           OK
mysql.plugin                                       OK
mysql.proc                                         OK
mysql.procs_priv                                   OK
mysql.proxies_priv                                 OK
mysql.roles_mapping                                OK
mysql.servers                                      OK
mysql.table_stats                                  OK
mysql.tables_priv                                  OK
mysql.time_zone                                    OK
mysql.time_zone_leap_second                        OK
mysql.time_zone_name                               OK
mysql.time_zone_transition                         OK
mysql.time_zone_transition_type                    OK
mysql.user                                         OK
Phase 2/7: Installing used storage engines... Skipped
Phase 3/7: Fixing views
Phase 4/7: Running 'mysql_fix_privilege_tables'
Phase 5/7: Fixing table and database names
Phase 6/7: Checking and upgrading tables
Processing databases
information_schema
performance_schema
test
Phase 7/7: Running 'FLUSH PRIVILEGES'
OK
 
 
MariaDB [(none)]> show grants for 'testuser'@'localhost';
+-----------------------------------------------------------------------------------------------------------------------------------------+
| Grants for testuser@localhost                                                                                                           |
+-----------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SUPER, DELETE VERSIONING ROWS ON *.* TO 'testuser'@'localhost' IDENTIFIED BY PASSWORD '*B867055C61BEA33BAB533EF0900D1B193FBE6844' |
+-----------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)



 Comments   
Comment by Elena Stepanova [ 2019-01-02 ]

It appears to be an intentional change:

commit 6ba06cf763a72b5b812fd7eadc076fdf31910c56
Author: Monty <monty@mariadb.org>
Date:   Wed Feb 7 02:39:40 2018 +0200
 
    On upgrade Truncate_versioning_privilege was not correctly set
    
    Fixed that Truncate_versioning_privilege works as any other privilege
    during upgrade:
    
    - If the privilege field does not exist, add it to the user and db tables.
      If the user had super_privilege then the user will also get the new
      Truncate_versioning_privilege.
    
    This is done to ensure that if one has GRANT ALL PRIVILEGE before, one
    will continue to have it after running mysql_upgrade.
    
    This also fixes a bug where the Truncate_versioning_privilege

Truncate versioning was later renamed, but the logic itself remains.
It needs to be documented.
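
An added example, not part of the original report or of MariaDB's code: a Python check that compares SHOW GRANTS output saved before and after mysql_upgrade and lists the privileges each account gained, such as the DELETE VERSIONING ROWS grant shown in the description. The function names are hypothetical, and the sample rows are the report's own with the IDENTIFIED BY clause left out.

```python
import re

# Per the report, SHOW GRANTS prints DELETE HISTORY as DELETE VERSIONING ROWS.
ALIASES = {"DELETE VERSIONING ROWS": "DELETE HISTORY"}
# Matches privilege grants to a quoted 'user'@'host'; role grants are ignored.
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<grantee>'[^']*'@'[^']*')", re.IGNORECASE)

def split_privs(privs):
    """Split a privilege list on commas that are outside column lists."""
    parts, depth, cur = [], 0, ""
    for ch in privs:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    names = (" ".join(p.split()).upper() for p in parts if p.strip())
    return {ALIASES.get(n, n) for n in names}

def parse_grants(text):
    """Map (grantee, scope) -> set of privileges from SHOW GRANTS output."""
    grants = {}
    for m in GRANT_RE.finditer(text):
        key = (m.group("grantee"), m.group("scope"))
        grants.setdefault(key, set()).update(split_privs(m.group("privs")))
    return grants

def added_privileges(before, after):
    """Privileges present after the upgrade that were absent before it."""
    old, new = parse_grants(before), parse_grants(after)
    report = {}
    for key, privs in new.items():
        extra = privs - old.get(key, set())
        if extra:
            report[key] = sorted(extra)
    return report

# Rows from the report above, IDENTIFIED BY clause omitted for brevity.
BEFORE = "| GRANT SUPER ON *.* TO 'testuser'@'localhost' |"
AFTER = "| GRANT SUPER, DELETE VERSIONING ROWS ON *.* TO 'testuser'@'localhost' |"

if __name__ == "__main__":
    for (grantee, scope), privs in added_privileges(BEFORE, AFTER).items():
        print(f"{grantee} gained {', '.join(privs)} ON {scope}")
```

Run it over the SHOW GRANTS output of every account holding SUPER, captured once before the package upgrade and once after mysql_upgrade completes.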

Comment by Ian Gilfillan [ 2019-03-16 ]

Mentioned on
