[MDEV-23237] mariadb.sys has too many privileges

Created: 2020-07-20 | Updated: 2021-09-05 | Resolved: 2020-07-31

| Field | Value |
| --- | --- |
| Status | Closed |
| Project | MariaDB Server |
| Component/s | Authentication and Privilege System |
| Affects Version/s | 10.4.13 |
| Fix Version/s | 10.4.14, 10.5.5 |
| Type | Bug |
| Priority | Blocker |
| Reporter | Sergei Golubchik |
| Assignee | Sergei Golubchik |
| Resolution | Fixed |
| Votes | 0 |
| Labels | None |

Description
It should only have SELECT on mysql.global_priv, not UPDATE or DELETE.
Comments

Comment by Elena Stepanova [ 2020-07-20 ]

I think DELETE is still very important for backward compatibility. There are many cases when removal of user accounts is more convenient through DELETE than it is through DROP USER; for example, when a set of accounts with certain characteristics needs to be removed, or when the server runs with skip-grant-tables, e.g. in "repair" mode. While the right way nowadays to do it would be removing them from global_priv (and other privilege tables), certainly there are still lots of scripts out there in the world which do it through the old mysql.user. UPDATE, on the other hand, has very limited functionality when it's done through the view. So, while some users may still use it, losing it shouldn't be that critical.
Comment by Sergei Golubchik [ 2020-07-31 ]

I only removed UPDATE.
Comment by Otto Kekäläinen [ 2021-09-05 ]

Note that commit https://github.com/MariaDB/server/commit/153cd6a27f1b798fea6dee3aecf3a95df561c6fa only applies to new installs. Existing MariaDB installations 10.4.13, 10.5.5 and earlier 10.4.x and 10.5.x still have a `mariadb.sys` user that also has UPDATE permissions. If we want upgrades to remove the UPDATE permission from `mariadb.sys`, a line that fixes the permissions should be added in mysql_system_tables_fix.sql.