[MDEV-9782] The "at" symbol (@) in user names breaks access to schemas
Created: 2016-03-23  Updated: 2016-05-09  Resolved: 2016-05-09

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.1.11, 10.1.13
Fix Version/s: N/A

Type: Bug
Priority: Minor
Reporter: Igor Pashev
Assignee: Unassigned
Resolution: Duplicate
Votes: 0
Labels: None

Issue Links:
Duplicate
duplicates MDEV-9614 Roles and Users longer than 6 characters Closed

 Description   

Default role is set.

MariaDB [(none)]> show grants for foo;
+---------------------------------------------+
| Grants for foo@%                            |
+---------------------------------------------+
| GRANT all_ph TO 'foo'@'%'                   |
| GRANT USAGE ON *.* TO 'foo'@'%' REQUIRE SSL |
+---------------------------------------------+
2 rows in set (0.00 sec)
 
MariaDB [(none)]> show grants for 'foo@bar';
+-------------------------------------+
| Grants for foo@bar@%                |
+-------------------------------------+
| GRANT all_ph TO 'foo@bar'@'%'       |
| GRANT USAGE ON *.* TO 'foo@bar'@'%' |
+-------------------------------------+
2 rows in set (0.00 sec)

1. You can't set the default database (unless you have some DB-level privilege):

(Wed, 23 Mar 2016 20:59:54 +0800)
[pashev@cat:~]
# mysql -ufoo bob_live_ph
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 156
Server version: 10.1.11-MariaDB MariaDB Server
 
Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [bob_live_ph]> Bye
 
(Wed, 23 Mar 2016 21:00:32 +0800)
[pashev@cat:~]
# mysql -u'foo@bar' bob_live_ph
ERROR 1044 (42000): Access denied for user 'foo@bar'@'%' to database 'bob_live_ph'

2. You can't list databases you have any privilege on:

(Wed, 23 Mar 2016 21:00:40 +0800)
[pashev@cat:~]
# mysql -u'foo@bar' -e 'show databases'
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
 
(Wed, 23 Mar 2016 21:01:43 +0800)
[pashev@cat:~]
# mysql -u'foo' -e 'show databases'
+--------------------+
| Database           |
+--------------------+
| bob_live_au        |
| bob_live_hk        |
| bob_live_id        |
| bob_live_ph        |
| bob_live_sg        |
| bob_live_tw        |
| information_schema |
| oms_live_id        |
| oms_live_ph        |
| oms_live_sg        |
+--------------------+

According to https://mariadb.com/kb/en/mariadb/identifier-names/, @ (U+0040) is a valid character.

Use case: email addresses as logins



 Comments   
Comment by Igor Pashev [ 2016-04-11 ]

Now I'm not sure the problem is in @:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0,26 sec)
 
mysql> select count(1) from `bob_live_th`.`catalog_simple`;
+----------+
| count(1) |
+----------+
|   911170 |
+----------+
1 row in set (0,25 sec)
 
mysql> use bob_live_th;
ERROR 1044 (42000): Access denied for user 'gideon_voucher_retreival'@'%' to database 'bob_live_th'
mysql> show tables in bob_live_th;
ERROR 1044 (42000): Access denied for user 'gideon_voucher_retreival'@'%' to database 'bob_live_th'
mysql> 

Comment by Igor Pashev [ 2016-04-11 ]

It's MDEV-9614!
