[#MDEV-30484] user@ip can query tables where user@'%' can access to.

create database sbtest;

use sbtest;

create table sbtest1 (id int);

insert into sbtest1 (id) values(1);

create table sbtest4 (id int);

insert into sbtest4 (id) values(1)

CREATE USER mtest@'%' IDENTIFIED BY 'Mtest1234!' ;

GRANT SELECT on sbtest.sbtest1 TO mtest@'%' ;

CREATE USER mtest@'x.x.x.x' IDENTIFIED BY 'Mtest5678!' ;

GRANT SELECT on sbtest.sbtest4 TO mtest@'x.x.x.x' ;

So user mtest@'x.x.x.x' can access to table sbtest.sbtest1 where
he have no permissiom.

MariaDB [mysql]> select * from tables_priv;

+------------+--------+-------------+-------------+-----------------+---------------------+---------------+-------------+

| Host       | Db     | User        | Table_name  | Grantor         | Timestamp           | Table_priv    | Column_priv |

+------------+--------+-------------+-------------+-----------------+---------------------+---------------+-------------+

| localhost  | mysql  | mariadb.sys | global_priv | root@localhost  | 0000-00-00 00:00:00 | Select,Delete |             |

| %          | sbtest | mtest       | sbtest1     | root@172.17.0.1 | 0000-00-00 00:00:00 | Select        |             |

| 172.17.0.1 | sbtest | mtest       | sbtest4     | root@172.17.0.1 | 0000-00-00 00:00:00 | Select        |             |

+------------+--------+-------------+-------------+-----------------+---------------------+---------------+-------------+

3 rows in set (0,001 sec)

MariaDB [(none)]> select user(), current_user() ;

+------------------+------------------+

| user()           | current_user()   |

+------------------+------------------+

| mtest@172.17.0.1 | mtest@172.17.0.1 |

+------------------+------------------+

1 row in set (0,000 sec)

MariaDB [(none)]> select * from sbtest.sbtest1;

+------+

| id   |

+------+

|    1 |

+------+

1 row in set (0,000 sec)

[MDEV-30484] user@ip can query tables where user@'%' can access to. Created: 2023-01-27 Updated: 2023-02-10 Resolved: 2023-01-27
Status:	Closed
Project:	MariaDB Server
Component/s:	Authentication and Privilege System
Affects Version/s:	10.3, 10.4, 10.5, 10.6
Fix Version/s:	N/A