Details
-
Type:
Bug
-
Status: Open
-
Priority:
Major
-
Resolution: Unresolved
-
Affects Version/s: 10.0.4, 5.1.67, 5.2.14, 5.3.12, 5.5.33a
-
Fix Version/s: 10.1
-
Component/s: None
-
Labels:None
Description
The check_access() function retrieves privileges like that
db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, db,
db_is_pattern);
Note that it is using sctx->host and sctx->priv_user pair. This is wrong, they belong to different values — the first is the host part in the USER(), the second is the user part in CURRENT_USER().
See the following test case:
create user c@localhost; create user c@'%'; grant select on mysql.* to c@'%'; connect (c,localhost,c,,,,,); select user(), current_user(); select user from mysql.user group by user; disconnect c; connection default; drop user c@'%'; drop user c@localhost;
Note that SELECT is allowed, while it is granted to c@%, and we're connected as c@localhost. Which suggests wildcard matching for the purpose of privilege checking. On the other hand, if the test case above is modified as
create user ''@localhost; create user c@'%'; grant select on mysql.* to c@'%'; connect (c,localhost,c,,,,,); select user(), current_user(); --error ER_TABLEACCESS_DENIED_ERROR select user from mysql.user group by user; disconnect c; connection default; drop user c@'%'; drop user ''@localhost;
then the SELECT will fail. De facto, wildcard matching works for host names, but not for user names. Which is inconsistent.
Note: if this is to be fixed, all privilege checks should be analyzed and probably changed, including the one for SET ROLE
Gliffy Diagrams
Attachments
Issue Links
- relates to
-
MDEV-5232 SET ROLE checks privileges differently from check_access()
-
- Closed
-
Activity
- All
- Comments
- Work Log
- History
- Activity
- Transitions