[MDEV-19088] SUPER is not required for ALTER FUNCTION when log_bin_trust_function_creators=OFF and log_bin=ON Created: 2019-03-29  Updated: 2023-12-04

Status: Open
Project: MariaDB Server
Component/s: Authentication and Privilege System, Data Definition - Procedure, PL/SQL, Stored routines
Affects Version/s: 10.1.38
Fix Version/s: 10.4

Type: Bug Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Unassigned
Resolution: Unresolved Votes: 1
Labels: None


 Description   

The documentation says that SUPER should be required for ALTER FUNCTION when log_bin_trust_function_creators=OFF and log_bin=ON:

https://mariadb.com/kb/en/library/alter-function/

https://mariadb.com/kb/en/library/binary-logging-of-stored-routines/

https://mariadb.com/kb/en/library/replication-and-binary-log-system-variables/#log_bin_trust_function_creators

But a quick test shows that this is not the case.

For example, if I create a function as a user with SUPER:

CREATE FUNCTION trust_me(x INT)
 
RETURNS INT
 
DETERMINISTIC
 
READS SQL DATA
 
   RETURN (x);

And then create a user with the ALTER ROUTINE privilege, but without SUPER:

CREATE USER 'function_test'@localhost IDENTIFIED BY 'password';
 
GRANT ALTER ROUTINE ON db1.* TO 'function_test'@localhost;

And then ensure that both log_bin_trust_function_creators=OFF and log_bin=ON:

MariaDB [db1]> SHOW GLOBAL VARIABLES WHERE Variable_name IN('log_bin_trust_function_creators', 'log_bin');
 
+---------------------------------+-------+
 
| Variable_name                   | Value |
 
+---------------------------------+-------+
 
| log_bin                         | ON    |
 
| log_bin_trust_function_creators | OFF   |
 
+---------------------------------+-------+
 
2 rows in set (0.01 sec)

You would think that this user would not be able to alter the function. But a test shows that the user can:

MariaDB [db1]> ALTER FUNCTION trust_me NO SQL;
 
Query OK, 0 rows affected (0.00 sec)
 
 
 
MariaDB [db1]> SHOW GRANTS;
 
+----------------------------------------------------------------------------------------------------------------------+
 
| Grants for function_test@localhost                                                                                   |
 
+----------------------------------------------------------------------------------------------------------------------+
 
| GRANT USAGE ON *.* TO 'function_test'@'localhost' IDENTIFIED BY PASSWORD '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' |
 
| GRANT ALTER ROUTINE ON `db1`.* TO 'function_test'@'localhost'                                                        |
 
+----------------------------------------------------------------------------------------------------------------------+
 
2 rows in set (0.00 sec)

Code analysis shows that the Sp_handler::sp_update_routine does not check SUPER_ACL like Sp_handler::sp_create_routine does.

sp_create_routine check:

https://github.com/MariaDB/server/blob/8cf7e3459d7309ce122824146260c4aecfa6ca77/sql/sp.cc#L1397

sp_update_routine check:

https://github.com/MariaDB/server/blob/8cf7e3459d7309ce122824146260c4aecfa6ca77/sql/sp.cc#L1632
Generated at Thu Feb 08 08:48:58 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.