[MDEV-24450] GRANT privileges does not work properly Created: 2020-12-18  Updated: 2021-02-15  Resolved: 2021-02-15

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 5.5
Fix Version/s: N/A

Type: Bug Priority: Critical
Reporter: Filip Beran Assignee: Unassigned
Resolution: Not a Bug Votes: 0
Labels: need_feedback
Environment:

5.5.68-MariaDB MariaDB Server
operating system: CentOS Linux release 7.9.2009 (Core)
package: mariadb-server.x86_64 1:5.5.68-1.el7



 Description   

+-----------------------------------------------------------------------------------------------------------+
| Grants for u1@localhost                                                                                   |
+-----------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'u1'@'localhost' IDENTIFIED BY PASSWORD '*15E297D3F78F9D76C6F45AE33FB6E74D335B52F2' |
| GRANT SELECT ON `testDB`.`myTable` TO 'u1'@'localhost'                                                   |
+-----------------------------------------------------------------------------------------------------------+

The user 'u1'@'localhost' defined above should have access only to the single table "myTable" in the db "testDB" and should be able to use only the SELECT command.
Unfortunately, such a user has access to all existing databases (except mysql, performance_schema) and can use any SQL command on all existing databases and their tables (even DROP TABLE and DROP DATABASE are allowed). This behaviour is quite strange and I suppose it is a security bug.

NOTE: I tried the same GRANT settings on 10.3.17-MariaDB MariaDB Server installed on CentOS Linux release 8.3.2011 and there everything works properly as I would expect. The user has access only to the single table and can use only the SELECT command.



 Comments   
Comment by Manuel Arostegui [ 2020-12-20 ]

So this only affects 5.5? (reminder: support for 5.5 finished around 8 months ago: https://mariadb.com/wp-content/uploads/2019/07/mariadb-engineering-policies-v2-01_policy_1036.pdf )

Comment by Filip Beran [ 2020-12-20 ]

Unfortunately I don't know which versions are or can be affected. What I know, I have already written in the bug description above.
Thank you for the URL to the Maintenance Policy information. I had no idea that such an "End of Life" event could have passed for MariaDB server v5.5, because the latest CentOS 7 version (CentOS 7.9) still uses MariaDB 5.5 (v5.5.68) in its main default repository.
In this situation I don't expect any effort to identify and fix a bug within an End of Life version.
I understand I'll need to upgrade to a newer MariaDB version.

Comment by Elena Stepanova [ 2021-01-12 ]

By default (unless you run "secure installation" or update the mysql.db table manually), MariaDB allows all users to access all databases starting with the test prefix. If all your databases have this prefix, this is likely the reason for the wide access.

Comment by Alice Sherepa [ 2021-01-13 ]

Beran, just in addition to Elena's answer: if this is the case, you could manually delete the row about the test_% db from the mysql.db table.

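Added worked example (not part of the original report or of any comment above) showing how to check for, and remove, the anonymous db-level rows that Elena and Alice refer to. It assumes a stock 5.5-era mysql.db with the default rows Db='test' and Db='test\_%' for User='', a default sql_mode (backslash escapes enabled, so '\\' is one backslash), and an account with SELECT/DELETE on mysql.db plus RELOAD. The LIKE ... ESCAPE join is an approximation of the server's own Db wildcard matching, used here only to show which existing schemas a pattern covers; the final verification step needs a separate connection as u1.

```sql
-- 1. List the db-level privilege rows that apply to every account.
--    Rows with User = '' are matched for any user name, so they never
--    show up in SHOW GRANTS FOR 'u1'@'localhost'. On an unsecured 5.5
--    install these are typically Db = 'test' and Db = 'test\_%'.
SELECT Host, Db, User, Select_priv, Insert_priv, Update_priv,
       Delete_priv, Create_priv, Drop_priv
  FROM mysql.db
 WHERE User = '';

-- 2. Check which existing schemas those Db patterns actually cover.
--    The server matches Db with '%' / '_' wildcards and '\' as escape;
--    LIKE ... ESCAPE '\\' approximates that rule (assumption: default
--    sql_mode). Note that 'test\_%' requires a literal underscore, so a
--    schema named testDB is NOT matched by it; only a row somebody added
--    with a looser pattern such as 'test%' would cover it.
SELECT d.Db AS db_pattern, s.SCHEMA_NAME AS exposed_schema
  FROM mysql.db d
  JOIN information_schema.SCHEMATA s
    ON s.SCHEMA_NAME LIKE d.Db ESCAPE '\\'
 WHERE d.User = '';

-- 3. Remove the anonymous wildcard rows (the same thing
--    mysql_secure_installation does when you answer "yes" to removing
--    the test database and access to it), then reload the ACL cache;
--    direct edits to the grant tables are not live until FLUSH PRIVILEGES.
DELETE FROM mysql.db
 WHERE User = ''
   AND Db IN ('test', 'test\_%');
FLUSH PRIVILEGES;

-- 4. Verify from a fresh session as u1 (separate connection):
--      mysql -u u1 -p -e "SHOW DATABASES; DROP TABLE testDB.myTable;"
--    u1 should now list only information_schema and testDB, and the
--    DROP must be refused with ERROR 1142 (42000): DROP command denied.
```

If step 1 returns rows whose Db pattern does not explain the databases u1 can reach, the wide access has another cause (for example a global or host-wildcard grant for an anonymous ''@'%' account in mysql.user), and the same approach applies: query the grant tables for rows with User = '' rather than relying on SHOW GRANTS, which only lists the named account.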
Generated at Thu Feb 08 09:30:05 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.