[MDEV-29752] SHOW GRANTS for PUBLIC should work for all users Created: 2022-10-10  Updated: 2022-11-01  Resolved: 2022-10-10

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.11.0
Fix Version/s: 10.11.1

Type: Bug Priority: Major
Reporter: Vicențiu Ciorbaru Assignee: Vicențiu Ciorbaru
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
PartOf
is part of MDEV-5215 Granted to PUBLIC Closed

Description

MariaDB [(none)]> show grants;
+------------------------------------------------+
| Grants for developer@%                         |
+------------------------------------------------+
| GRANT USAGE ON *.* TO `developer`@`%`          |
| GRANT ALL PRIVILEGES ON `dev_db`.* TO `PUBLIC` |
+------------------------------------------------+
2 rows in set (0.000 sec)
MariaDB [(none)]> show grants for public;
ERROR 1044 (42000): Access denied for user 'developer'@'%' to database 'mysql'

Any user can see public's grants by running their own SHOW GRANTS command. This means that SHOW GRANTS FOR PUBLIC should also be allowed.



Comments
Comment by Oleksandr Byelkin [ 2022-10-10 ]

I tried to repeat and here it is:

create database dbtest;
create user `testuser`@`%`;
GRANT USAGE ON *.* TO `testuser`@`%`;
GRANT ALL PRIVILEGES ON `dbtest`.* TO `PUBLIC`;
connect  testuser,localhost,testuser,,;
show grants for public;
Grants for PUBLIC
GRANT ALL PRIVILEGES ON `dbtest`.* TO PUBLIC
show grants for testuser;
Grants for testuser@%
GRANT USAGE ON *.* TO `testuser`@`%`
connection default;
disconnect testuser;
REVOKE ALL PRIVILEGES ON `dbtest`.* FROM `PUBLIC`;
REVOKE USAGE ON *.* FROM `testuser`@`%`;
drop user `testuser`@`%`;
drop database dbtest;

test suite is here:

# Fixture: a database whose privileges are granted to PUBLIC, plus an
# otherwise unprivileged user that will query PUBLIC's grants.
create database dbtest;
create user `testuser`@`%`;

GRANT USAGE ON *.* TO `testuser`@`%`;
GRANT ALL PRIVILEGES ON `dbtest`.* TO `PUBLIC`;

# Connect as the unprivileged user. Before the fix, the first SHOW GRANTS
# below failed with error 1044 (access denied to database 'mysql').
connect (testuser,localhost,testuser,,);

show grants for public;
show grants for testuser;

# Cleanup
connection default;
disconnect testuser;

REVOKE ALL PRIVILEGES ON `dbtest`.* FROM `PUBLIC`;
REVOKE USAGE ON *.* FROM `testuser`@`%`;
drop user `testuser`@`%`;
drop database dbtest;

Comment by Vicențiu Ciorbaru [ 2022-10-10 ]

The bug is present in 85b939ae35c74d458916ff5b3f0da8045fc16522, which is the commit used for preview-10.11-preview release.

It was later fixed in a follow-up commit in the bb-10.11-MDEV-5215 tree. The relevant change lies in the sql_acl.cc get_show_user() function:

-    do_check_access= strcmp(*rolename, sctx->priv_role);
+    do_check_access= !is_public(lex_user) && strcmp(*rolename, sctx->priv_role);
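Review bot: the added `!is_public(lex_user)` guard makes the privilege check unconditional-skip for PUBLIC, independent of whether `*rolename` matches `sctx->priv_role`; that matches the intent stated in the description (every user already sees PUBLIC's grants through plain SHOW GRANTS), but because the guard short-circuits the `strcmp`, it is exactly the path that was never exercised, so the `show grants for public` run from the unprivileged `testuser` connection in the comment above should land in the same tree as this one-line change rather than being added separately.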

The test case was not present however, so it was added in bb-10.11-MDEV-5215 tree to prevent further regressions.
