[MDEV-21194] mysql_install_db doesn't properly grant proxy privileges to all default root user accounts Created: 2019-12-02  Updated: 2023-09-19  Resolved: 2023-09-18

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Scripts & Clients
Affects Version/s: 10.2.29, 10.1.43, 10.3.20, 10.4.10
Fix Version/s: 10.4.32, 10.5.23, 10.6.16, 10.10.7, 10.11.6, 11.0.4, 11.1.3

Type: Bug Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Daniel Black
Resolution: Fixed Votes: 0
Labels: None


 Description   

mysql_install_db is supposed to grant proxy privileges to the default root user accounts. However, it currently only does that for a subset of the default root user accounts. The specific user accounts depend on the specific version of MariaDB.

Here is the relevant code in all versions:

10.1 - https://github.com/MariaDB/server/blob/mariadb-10.1.43/scripts/mysql_system_tables_data.sql#L60
10.2 - https://github.com/MariaDB/server/blob/mariadb-10.2.29/scripts/mysql_system_tables_data.sql#L63
10.3 - https://github.com/MariaDB/server/blob/mariadb-10.3.20/scripts/mysql_system_tables_data.sql#L48
10.4 - https://github.com/MariaDB/server/blob/mariadb-10.4.10/scripts/mysql_system_tables_data.sql#L52

In 10.1, 10.2, and 10.3, it grants the proxy privilege to the following user accounts:

  • root@'localhost'
  • root@current_hostname

In 10.1, 10.2, and 10.3, this means that the following user accounts are missing the grant:

  • root@'127.0.0.1'
  • root@'::1'

In 10.4, it grants the proxy privilege to the following user accounts:

  • root@current_hostname

In 10.4, this means that the following user accounts are missing the grant:

  • root@'localhost'
  • root@'127.0.0.1'
  • root@'::1'
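
An audit query for an existing installation, added here as an example (it is not part of the original report, the MariaDB source, or the fix). It lists every root account that has no blanket PROXY row in mysql.proxies_priv, using the column names shown in the comments below. It assumes the session can read the mysql schema and treats a Proxied_host of '' or '%' as equivalent.

```sql
-- Added example: find root accounts that lack the blanket PROXY grant.
-- A blanket grant is a proxies_priv row with an empty Proxied_user,
-- which is what the bootstrap script inserts for the accounts it covers.
SELECT u.User, u.Host
FROM mysql.user AS u
LEFT JOIN mysql.proxies_priv AS p
       ON p.User = u.User
      AND p.Host = u.Host
      AND p.Proxied_user = ''
      AND p.Proxied_host IN ('', '%')   -- assumption: both forms mean "any host"
      AND p.With_grant = 1
WHERE u.User = 'root'
  AND p.User IS NULL                    -- anti-join: no matching proxy row
ORDER BY u.Host;

-- Cross-check a single account; the PROXY line is absent when the row is missing.
SHOW GRANTS FOR 'root'@'127.0.0.1';

-- Add the grant only for accounts the first query returned. The hosts here
-- are the ones this report names as missing; adjust to the actual result.
GRANT PROXY ON ''@'%' TO 'root'@'127.0.0.1' WITH GRANT OPTION;
GRANT PROXY ON ''@'%' TO 'root'@'::1' WITH GRANT OPTION;
```

On an affected 10.4 bootstrap the first query would also be expected to return root@'localhost', which needs the same GRANT statement.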


 Comments   
Comment by Oleksandr Byelkin [ 2022-06-27 ]

I see the following in my db created by bootstrap:

select * from proxies_priv;
Host	User	Proxied_host	Proxied_user	With_grant	Grantor	Timestamp
localhost	root			1		2022-06-27 15:18:55
sanjaslaptop	root			1		2022-06-27 15:18:55

where sanjaslaptop is my laptop.

It looks like what was done by the code:

CREATE TEMPORARY TABLE tmp_proxies_priv LIKE proxies_priv;
INSERT INTO tmp_proxies_priv SELECT @current_hostname, 'root', '', '', TRUE, '', now() FROM DUAL WHERE @current_hostname != 'localhost';
INSERT INTO  proxies_priv SELECT * FROM tmp_proxies_priv WHERE @had_proxies_priv_table=0;
DROP TABLE tmp_proxies_priv;

If the above is wrong, can you explain why?

Comment by Geoff Montee (Inactive) [ 2022-06-27 ]

Hi sanja,

In your output, you can see that mysql.proxies_priv has entries for root@localhost and root@sanjaslaptop, but not root@'127.0.0.1' or root@'::1'.

Comment by Daniel Black [ 2023-07-10 ]

It was also discovered that with the default --auth-root-authentication-method=socket as non-root user, this non-root user wasn't granted proxies privs.

Fix to both available on: https://github.com/MariaDB/server/pull/2690

Comment by Oleksandr Byelkin [ 2023-09-18 ]

"FROM DUAL" is not our style but I can live with this, otherwise it looks good to be pushed.
