MDEV-29465: Inherited columns privs for roles wrongly set mysql.tables_priv column

There was a bug in the ACL internal data structures GRANT_TABLE and GRANT_COLUMN. The semantics are: GRANT_TABLE::init_cols and GRANT_COLUMN::init_privs represent the bits that correspond to the privilege bits stored in the physical tables. The other struct members GRANT_TABLE::cols and GRANT_COLUMN::privs represent the actual access bits, as they may be modified through role grants. The error in logic was mixing the two fields and thus we ended up storing the logical access bits in the physical tables, instead of the physical (init_xxx) bits. This caused subsequent DBUG_ASSERT failures when dropping the involved roles.
2025-03-26 08:58:40 +01:00 · 2022-09-05 13:15:16 +03:00 · 2022-09-05 13:15:16 +03:00 · 145932a57b
commit 145932a57b
parent d7aefc0fab
3 changed files with 90 additions and 9 deletions
--- a/mysql-test/suite/roles/roles_tables_priv-29465.result
+++ b/mysql-test/suite/roles/roles_tables_priv-29465.result
@ -0,0 +1,36 @@
+create user foo;
+create database some_db;
+create table some_db.t1 (a int, b int, secret int);
+create role r_select_column;
+create role r_active_column;
+grant r_select_column to r_active_column;
+grant r_active_column to foo;
+grant select(a) on some_db.t1 to r_select_column;
+select * from mysql.tables_priv order by user;
+Host	Db	User	Table_name	Grantor	Timestamp	Table_priv	Column_priv
+	some_db	r_select_column	t1	root@localhost	0000-00-00 00:00:00		Select
+grant insert(a) on some_db.t1 to r_active_column;
+select * from mysql.tables_priv order by user;
+Host	Db	User	Table_name	Grantor	Timestamp	Table_priv	Column_priv
+	some_db	r_active_column	t1	root@localhost	0000-00-00 00:00:00		Insert
+	some_db	r_select_column	t1	root@localhost	0000-00-00 00:00:00		Select
+connect  con1, localhost, foo,,;
+insert into some_db.t1(a) values (1);
+ERROR 42000: INSERT command denied to user 'foo'@'localhost' for table 't1'
+set role r_active_column;
+insert into some_db.t1(a) values (1);
+disconnect con1;
+connection default;
+revoke insert(a) on some_db.t1 from r_active_column;
+connect  con1, localhost, foo,,;
+insert into some_db.t1(a) values (1);
+ERROR 42000: INSERT command denied to user 'foo'@'localhost' for table 't1'
+set role r_active_column;
+insert into some_db.t1(a) values (1);
+ERROR 42000: INSERT command denied to user 'foo'@'localhost' for table 't1'
+disconnect con1;
+connection default;
+drop role r_select_column;
+drop role r_active_column;
+drop user foo;
+drop database some_db;
--- a/mysql-test/suite/roles/roles_tables_priv-29465.test
+++ b/mysql-test/suite/roles/roles_tables_priv-29465.test
@ -0,0 +1,40 @@
+--source include/not_embedded.inc
+
+create user foo;
+create database some_db;
+create table some_db.t1 (a int, b int, secret int);
+
+create role r_select_column;
+create role r_active_column;
+grant r_select_column to r_active_column;
+grant r_active_column to foo;
+
+grant select(a) on some_db.t1 to r_select_column;
+select * from mysql.tables_priv order by user;
+grant insert(a) on some_db.t1 to r_active_column;
+select * from mysql.tables_priv order by user;
+
+--connect (con1, localhost, foo,,)
+--error ER_TABLEACCESS_DENIED_ERROR
+insert into some_db.t1(a) values (1);
+set role r_active_column;
+insert into some_db.t1(a) values (1);
+disconnect con1;
+
+connection default;
+revoke insert(a) on some_db.t1 from r_active_column;
+
+--connect (con1, localhost, foo,,)
+--error ER_TABLEACCESS_DENIED_ERROR
+insert into some_db.t1(a) values (1);
+set role r_active_column;
+--error ER_TABLEACCESS_DENIED_ERROR
+insert into some_db.t1(a) values (1);
+disconnect con1;
+
+connection default;
+
+drop role r_select_column;
+drop role r_active_column;
+drop user foo;
+drop database some_db;
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@ -4813,7 +4813,7 @@ GRANT_NAME::GRANT_NAME(const char *h, const char *d,const char *u,

 GRANT_TABLE::GRANT_TABLE(const char *h, const char *d,const char *u,
                	 const char *t, ulong p, ulong c)
-  :GRANT_NAME(h,d,u,t,p, FALSE), cols(c)
+  :GRANT_NAME(h,d,u,t,p, FALSE), cols(c), init_cols(c)
 {
  init_hash();
 }
@ -6636,11 +6636,15 @@ int mysql_table_grant(THD *thd, TABLE_LIST *table_list,
      /* Fix old grants */
      while ((column = column_iter++))
      {
-	grant_column = column_hash_search(grant_table,
-					  column->column.ptr(),
-					  column->column.length());
-	if (grant_column)
-	  grant_column->rights&= ~(column->rights | rights);
+        grant_column = column_hash_search(grant_table,
+                                          column->column.ptr(),
+                                          column->column.length());
+        if (grant_column)
+        {
+          grant_column->init_rights&= ~(column->rights | rights);
+          // If this is a role, rights will need to be reconstructed.
+          grant_column->rights= grant_column->init_rights;
+        }
      }
      /* scan trough all columns to get new column grant */
      column_priv= 0;
@ -6648,13 +6652,14 @@ int mysql_table_grant(THD *thd, TABLE_LIST *table_list,
      {
        grant_column= (GRANT_COLUMN*)
          my_hash_element(&grant_table->hash_columns, idx);
-	grant_column->rights&= ~rights;		// Fix other columns
-	column_priv|= grant_column->rights;
+        grant_column->init_rights&= ~rights;  // Fix other columns
+        grant_column->rights= grant_column->init_rights;
+        column_priv|= grant_column->init_rights;
      }
    }
    else
    {
-      column_priv|= grant_table->cols;
+      column_priv|= grant_table->init_cols;
    }