mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-18 04:53:01 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
mariadb/mysql-test/t/sp-security.test
unknown 55171821d2 Bug#10246 - Parser: bad syntax for GRANT EXECUTE 
Rename some functions
  more fine-grained sp privileges
  make grant/revoke sp grammar less ambigious


mysql-test/r/sp-security.result:
  change test for new syntax
mysql-test/r/system_mysql_db.result:
  change test for new syntax
mysql-test/t/sp-security.test:
  change test for new syntax
scripts/mysql_create_system_tables.sh:
  now store routine_type for procs_priv
scripts/mysql_fix_privilege_tables.sql:
  now store routine_type for procs_priv
sql/item_func.cc:
  rename of function
sql/mysql_priv.h:
  rename of function
sql/sp_head.cc:
  extra arg for check_some_routine_access
sql/sql_acl.cc:
  rename of function. now handle func/proc acls seperately
sql/sql_acl.h:
  rename of function
sql/sql_parse.cc:
  rename of function
  grants for procs handled distinctly from funcs
sql/sql_show.cc:
  check_some_routine_access extra arg
sql/sql_base.cc:
  fix for build
sql/sql_yacc.yy:
  fix for build
2005-05-17 19:54:20 +01:00

306 lines
6.4 KiB
Text
Raw Blame History

#
# Testing SQL SECURITY of stored procedures
#
# Can't test with embedded server that doesn't support grants
-- source include/not_embedded.inc
connect (con1root,localhost,root,,);
connection con1root;
use test;
# Create user user1 with no particular access rights
grant usage on *.* to user1@localhost;
flush privileges;
--disable_warnings
drop database if exists db1_secret;
--enable_warnings
# Create our secret database
create database db1_secret;
# Can create a procedure in other db
create procedure db1_secret.dummy() begin end;
drop procedure db1_secret.dummy;
use db1_secret;
create table t1 ( u varchar(64), i int );
# A test procedure and function
create procedure stamp(i int)
insert into db1_secret.t1 values (user(), i);
--replace_column 5 '0000-00-00 00:00:00' 6 '0000-00-00 00:00:00'
show procedure status like 'stamp';
create function db() returns varchar(64) return database();
--replace_column 5 '0000-00-00 00:00:00' 6 '0000-00-00 00:00:00'
show function status like 'db';
# root can, of course
call stamp(1);
select * from t1;
select db();
grant execute on procedure db1_secret.stamp to user1@'%';
grant execute on function db1_secret.db to user1@'%';
grant execute on procedure db1_secret.stamp to ''@'%';
grant execute on function db1_secret.db to ''@'%';
connect (con2user1,localhost,user1,,);
connect (con3anon,localhost,anon,,);
#
# User1 can
#
connection con2user1;
# This should work...
call db1_secret.stamp(2);
select db1_secret.db();
# ...but not this
--error 1142
select * from db1_secret.t1;
# ...and not this
--error 1044
create procedure db1_secret.dummy() begin end;
--error 1305
drop procedure db1_secret.dummy;
#
# Anonymous can
#
connection con3anon;
# This should work...
call db1_secret.stamp(3);
select db1_secret.db();
# ...but not this
--error 1142
select * from db1_secret.t1;
# ...and not this
--error 1044
create procedure db1_secret.dummy() begin end;
--error 1305
drop procedure db1_secret.dummy;
#
# Check it out
#
connection con1root;
select * from t1;
#
# Change to invoker's rights
#
alter procedure stamp sql security invoker;
--replace_column 5 '0000-00-00 00:00:00' 6 '0000-00-00 00:00:00'
show procedure status like 'stamp';
alter function db sql security invoker;
--replace_column 5 '0000-00-00 00:00:00' 6 '0000-00-00 00:00:00'
show function status like 'db';
# root still can
call stamp(4);
select * from t1;
select db();
#
# User1 cannot
#
connection con2user1;
# This should not work
--error 1044
call db1_secret.stamp(5);
--error 1044
select db1_secret.db();
#
# Anonymous cannot
#
connection con3anon;
# This should not work
--error 1044
call db1_secret.stamp(6);
--error 1044
select db1_secret.db();
#
# BUG#2777
#
connection con1root;
--disable_warnings
drop database if exists db2;
--enable_warnings
create database db2;
use db2;
create table t2 (s1 int);
insert into t2 values (0);
grant usage on db2.* to user1@localhost;
grant select on db2.* to user1@localhost;
grant usage on db2.* to user2@localhost;
grant select,insert,update,delete,create routine on db2.* to user2@localhost;
grant create routine on db2.* to user1@localhost;
flush privileges;
connection con2user1;
use db2;
create procedure p () insert into t2 values (1);
# Check that this doesn't work.
--error 1142
call p();
connect (con4user2,localhost,user2,,);
connection con4user2;
use db2;
# This should not work, since p is executed with definer's (user1's) rights.
--error 1370
call p();
select * from t2;
create procedure q () insert into t2 values (2);
call q();
select * from t2;
connection con1root;
grant usage on procedure db2.q to user2@localhost with grant option;
connection con4user2;
grant execute on procedure db2.q to user1@localhost;
connection con2user1;
use db2;
# This should work
call q();
select * from t2;
#
# BUG#6030: Stored procedure has no appropriate DROP privilege
# (or ALTER for that matter)
# still connection con2user1 in db2
# This should work:
alter procedure p modifies sql data;
drop procedure p;
# This should NOT work
--error 1370
alter procedure q modifies sql data;
--error 1370
drop procedure q;
connection con1root;
use db2;
# But root always can
alter procedure q modifies sql data;
drop procedure q;
# Clean up
#Still connection con1root;
disconnect con2user1;
disconnect con3anon;
disconnect con4user2;
use test;
select type,db,name from mysql.proc;
drop database db1_secret;
drop database db2;
# Make sure the routines are gone
select type,db,name from mysql.proc;
# Get rid of the users
delete from mysql.user where user='user1' or user='user2';
# And any routine privileges
delete from mysql.procs_priv where user='user1' or user='user2';
#
# Test the new security acls
#
grant usage on *.* to usera@localhost;
grant usage on *.* to userb@localhost;
grant usage on *.* to userc@localhost;
create database sptest;
create table t1 ( u varchar(64), i int );
create procedure sptest.p1(i int) insert into test.t1 values (user(), i);
grant insert on t1 to usera@localhost;
grant execute on procedure sptest.p1 to usera@localhost;
show grants for usera@localhost;
grant execute on procedure sptest.p1 to userc@localhost with grant option;
show grants for userc@localhost;
connect (con2usera,localhost,usera,,);
connect (con3userb,localhost,userb,,);
connect (con4userc,localhost,userc,,);
connection con2usera;
call sptest.p1(1);
--error 1370
grant execute on procedure sptest.p1 to userb@localhost;
--error 1370
drop procedure sptest.p1;
connection con3userb;
--error 1370
call sptest.p1(2);
--error 1370
grant execute on procedure sptest.p1 to userb@localhost;
--error 1370
drop procedure sptest.p1;
connection con4userc;
call sptest.p1(3);
grant execute on procedure sptest.p1 to userb@localhost;
--error 1370
drop procedure sptest.p1;
connection con3userb;
call sptest.p1(4);
--error 1370
grant execute on procedure sptest.p1 to userb@localhost;
--error 1370
drop procedure sptest.p1;
connection con1root;
select * from t1;
grant all privileges on procedure sptest.p1 to userc@localhost;
show grants for userc@localhost;
show grants for userb@localhost;
connection con4userc;
revoke all privileges on procedure sptest.p1 from userb@localhost;
connection con1root;
show grants for userb@localhost;
#cleanup
disconnect con4userc;
disconnect con3userb;
disconnect con2usera;
use test;
drop database sptest;
delete from mysql.user where user='usera' or user='userb' or user='userc';
delete from mysql.procs_priv where user='usera' or user='userb' or user='userc';
Reference in a new issue View git blame Copy permalink