mirror of
https://github.com/MariaDB/server.git
synced 2025-01-21 06:22:28 +01:00
cdfe77e2ec
The problem was that databases with '_' in the name did not match a correct ACL with a literal '_' (i.e. '\_') in the db name, only identical strings matched. The fix makes this work, and also ACLs with wildcards in the db name work.
286 lines
10 KiB
Text
286 lines
10 KiB
Text
use test;
|
|
grant usage on *.* to user1@localhost;
|
|
flush privileges;
|
|
drop table if exists t1;
|
|
drop database if exists db1_secret;
|
|
create database db1_secret;
|
|
create procedure db1_secret.dummy() begin end;
|
|
drop procedure db1_secret.dummy;
|
|
use db1_secret;
|
|
create table t1 ( u varchar(64), i int );
|
|
create procedure stamp(i int)
|
|
insert into db1_secret.t1 values (user(), i);
|
|
show procedure status like 'stamp';
|
|
Db Name Type Definer Modified Created Security_type Comment
|
|
db1_secret stamp PROCEDURE root@localhost 0000-00-00 00:00:00 0000-00-00 00:00:00 DEFINER
|
|
create function db() returns varchar(64) return database();
|
|
show function status like 'db';
|
|
Db Name Type Definer Modified Created Security_type Comment
|
|
db1_secret db FUNCTION root@localhost 0000-00-00 00:00:00 0000-00-00 00:00:00 DEFINER
|
|
call stamp(1);
|
|
select * from t1;
|
|
u i
|
|
root@localhost 1
|
|
select db();
|
|
db()
|
|
db1_secret
|
|
grant execute on procedure db1_secret.stamp to user1@'%';
|
|
grant execute on function db1_secret.db to user1@'%';
|
|
grant execute on procedure db1_secret.stamp to ''@'%';
|
|
grant execute on function db1_secret.db to ''@'%';
|
|
call db1_secret.stamp(2);
|
|
select db1_secret.db();
|
|
db1_secret.db()
|
|
db1_secret
|
|
select * from db1_secret.t1;
|
|
ERROR 42000: SELECT command denied to user 'user1'@'localhost' for table 't1'
|
|
create procedure db1_secret.dummy() begin end;
|
|
ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db1_secret'
|
|
drop procedure db1_secret.dummy;
|
|
ERROR 42000: PROCEDURE db1_secret.dummy does not exist
|
|
call db1_secret.stamp(3);
|
|
select db1_secret.db();
|
|
db1_secret.db()
|
|
db1_secret
|
|
select * from db1_secret.t1;
|
|
ERROR 42000: SELECT command denied to user ''@'localhost' for table 't1'
|
|
create procedure db1_secret.dummy() begin end;
|
|
ERROR 42000: Access denied for user ''@'localhost' to database 'db1_secret'
|
|
drop procedure db1_secret.dummy;
|
|
ERROR 42000: PROCEDURE db1_secret.dummy does not exist
|
|
select * from t1;
|
|
u i
|
|
root@localhost 1
|
|
user1@localhost 2
|
|
anon@localhost 3
|
|
alter procedure stamp sql security invoker;
|
|
show procedure status like 'stamp';
|
|
Db Name Type Definer Modified Created Security_type Comment
|
|
db1_secret stamp PROCEDURE root@localhost 0000-00-00 00:00:00 0000-00-00 00:00:00 INVOKER
|
|
alter function db sql security invoker;
|
|
show function status like 'db';
|
|
Db Name Type Definer Modified Created Security_type Comment
|
|
db1_secret db FUNCTION root@localhost 0000-00-00 00:00:00 0000-00-00 00:00:00 INVOKER
|
|
call stamp(4);
|
|
select * from t1;
|
|
u i
|
|
root@localhost 1
|
|
user1@localhost 2
|
|
anon@localhost 3
|
|
root@localhost 4
|
|
select db();
|
|
db()
|
|
db1_secret
|
|
call db1_secret.stamp(5);
|
|
ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db1_secret'
|
|
select db1_secret.db();
|
|
ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db1_secret'
|
|
call db1_secret.stamp(6);
|
|
ERROR 42000: Access denied for user ''@'localhost' to database 'db1_secret'
|
|
select db1_secret.db();
|
|
ERROR 42000: Access denied for user ''@'localhost' to database 'db1_secret'
|
|
drop database if exists db2;
|
|
create database db2;
|
|
use db2;
|
|
create table t2 (s1 int);
|
|
insert into t2 values (0);
|
|
grant usage on db2.* to user1@localhost;
|
|
grant select on db2.* to user1@localhost;
|
|
grant usage on db2.* to user2@localhost;
|
|
grant select,insert,update,delete,create routine on db2.* to user2@localhost;
|
|
grant create routine on db2.* to user1@localhost;
|
|
flush privileges;
|
|
use db2;
|
|
create procedure p () insert into t2 values (1);
|
|
call p();
|
|
ERROR 42000: INSERT command denied to user 'user1'@'localhost' for table 't2'
|
|
use db2;
|
|
call p();
|
|
ERROR 42000: execute command denied to user 'user2'@'localhost' for routine 'db2.p'
|
|
select * from t2;
|
|
s1
|
|
0
|
|
create procedure q () insert into t2 values (2);
|
|
call q();
|
|
select * from t2;
|
|
s1
|
|
0
|
|
2
|
|
grant usage on procedure db2.q to user2@localhost with grant option;
|
|
grant execute on procedure db2.q to user1@localhost;
|
|
use db2;
|
|
call q();
|
|
select * from t2;
|
|
s1
|
|
0
|
|
2
|
|
2
|
|
alter procedure p modifies sql data;
|
|
drop procedure p;
|
|
alter procedure q modifies sql data;
|
|
ERROR 42000: alter routine command denied to user 'user1'@'localhost' for routine 'db2.q'
|
|
drop procedure q;
|
|
ERROR 42000: alter routine command denied to user 'user1'@'localhost' for routine 'db2.q'
|
|
use db2;
|
|
alter procedure q modifies sql data;
|
|
drop procedure q;
|
|
use test;
|
|
select type,db,name from mysql.proc;
|
|
type db name
|
|
FUNCTION db1_secret db
|
|
PROCEDURE db1_secret stamp
|
|
drop database db1_secret;
|
|
drop database db2;
|
|
select type,db,name from mysql.proc;
|
|
type db name
|
|
delete from mysql.user where user='user1' or user='user2';
|
|
delete from mysql.procs_priv where user='user1' or user='user2';
|
|
grant usage on *.* to usera@localhost;
|
|
grant usage on *.* to userb@localhost;
|
|
grant usage on *.* to userc@localhost;
|
|
create database sptest;
|
|
create table t1 ( u varchar(64), i int );
|
|
create procedure sptest.p1(i int) insert into test.t1 values (user(), i);
|
|
grant insert on t1 to usera@localhost;
|
|
grant execute on procedure sptest.p1 to usera@localhost;
|
|
show grants for usera@localhost;
|
|
Grants for usera@localhost
|
|
GRANT USAGE ON *.* TO 'usera'@'localhost'
|
|
GRANT INSERT ON `test`.`t1` TO 'usera'@'localhost'
|
|
GRANT EXECUTE ON PROCEDURE `sptest`.`p1` TO 'usera'@'localhost'
|
|
grant execute on procedure sptest.p1 to userc@localhost with grant option;
|
|
show grants for userc@localhost;
|
|
Grants for userc@localhost
|
|
GRANT USAGE ON *.* TO 'userc'@'localhost'
|
|
GRANT EXECUTE ON PROCEDURE `sptest`.`p1` TO 'userc'@'localhost' WITH GRANT OPTION
|
|
call sptest.p1(1);
|
|
grant execute on procedure sptest.p1 to userb@localhost;
|
|
ERROR 42000: grant command denied to user 'usera'@'localhost' for routine 'sptest.p1'
|
|
drop procedure sptest.p1;
|
|
ERROR 42000: alter routine command denied to user 'usera'@'localhost' for routine 'sptest.p1'
|
|
call sptest.p1(2);
|
|
ERROR 42000: execute command denied to user 'userb'@'localhost' for routine 'sptest.p1'
|
|
grant execute on procedure sptest.p1 to userb@localhost;
|
|
ERROR 42000: execute command denied to user 'userb'@'localhost' for routine 'sptest.p1'
|
|
drop procedure sptest.p1;
|
|
ERROR 42000: alter routine command denied to user 'userb'@'localhost' for routine 'sptest.p1'
|
|
call sptest.p1(3);
|
|
grant execute on procedure sptest.p1 to userb@localhost;
|
|
drop procedure sptest.p1;
|
|
ERROR 42000: alter routine command denied to user 'userc'@'localhost' for routine 'sptest.p1'
|
|
call sptest.p1(4);
|
|
grant execute on procedure sptest.p1 to userb@localhost;
|
|
ERROR 42000: grant command denied to user 'userb'@'localhost' for routine 'sptest.p1'
|
|
drop procedure sptest.p1;
|
|
ERROR 42000: alter routine command denied to user 'userb'@'localhost' for routine 'sptest.p1'
|
|
select * from t1;
|
|
u i
|
|
usera@localhost 1
|
|
userc@localhost 3
|
|
userb@localhost 4
|
|
grant all privileges on procedure sptest.p1 to userc@localhost;
|
|
show grants for userc@localhost;
|
|
Grants for userc@localhost
|
|
GRANT USAGE ON *.* TO 'userc'@'localhost'
|
|
GRANT EXECUTE, ALTER ROUTINE ON PROCEDURE `sptest`.`p1` TO 'userc'@'localhost' WITH GRANT OPTION
|
|
show grants for userb@localhost;
|
|
Grants for userb@localhost
|
|
GRANT USAGE ON *.* TO 'userb'@'localhost'
|
|
GRANT EXECUTE ON PROCEDURE `sptest`.`p1` TO 'userb'@'localhost'
|
|
revoke all privileges on procedure sptest.p1 from userb@localhost;
|
|
show grants for userb@localhost;
|
|
Grants for userb@localhost
|
|
GRANT USAGE ON *.* TO 'userb'@'localhost'
|
|
use test;
|
|
drop database sptest;
|
|
delete from mysql.user where user='usera' or user='userb' or user='userc';
|
|
delete from mysql.procs_priv where user='usera' or user='userb' or user='userc';
|
|
drop function if exists bug_9503;
|
|
create database mysqltest//
|
|
use mysqltest//
|
|
create table t1 (s1 int)//
|
|
grant select on t1 to user1@localhost//
|
|
create function bug_9503 () returns int sql security invoker begin declare v int;
|
|
select min(s1) into v from t1; return v; end//
|
|
use mysqltest;
|
|
select bug_9503();
|
|
ERROR 42000: execute command denied to user 'user1'@'localhost' for routine 'mysqltest.bug_9503'
|
|
grant execute on function bug_9503 to user1@localhost;
|
|
do 1;
|
|
use test;
|
|
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user1@localhost;
|
|
drop function bug_9503;
|
|
use test;
|
|
drop database mysqltest;
|
|
use test;
|
|
select current_user();
|
|
current_user()
|
|
root@localhost
|
|
select user();
|
|
user()
|
|
root@localhost
|
|
create procedure bug7291_0 () sql security invoker select current_user(), user();
|
|
create procedure bug7291_1 () sql security definer call bug7291_0();
|
|
create procedure bug7291_2 () sql security invoker call bug7291_0();
|
|
grant execute on procedure bug7291_0 to user1@localhost;
|
|
grant execute on procedure bug7291_1 to user1@localhost;
|
|
grant execute on procedure bug7291_2 to user1@localhost;
|
|
call bug7291_2();
|
|
current_user() user()
|
|
user1@localhost user1@localhost
|
|
call bug7291_1();
|
|
current_user() user()
|
|
root@localhost user1@localhost
|
|
drop procedure bug7291_1;
|
|
drop procedure bug7291_2;
|
|
drop procedure bug7291_0;
|
|
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user1@localhost;
|
|
drop user user1@localhost;
|
|
drop database if exists mysqltest_1;
|
|
create database mysqltest_1;
|
|
create procedure mysqltest_1.p1()
|
|
begin
|
|
select 1 from dual;
|
|
end//
|
|
grant usage on *.* to mysqltest_1@localhost;
|
|
call mysqltest_1.p1();
|
|
ERROR 42000: execute command denied to user 'mysqltest_1'@'localhost' for routine 'mysqltest_1.p1'
|
|
call mysqltest_1.p1();
|
|
ERROR 42000: execute command denied to user 'mysqltest_1'@'localhost' for routine 'mysqltest_1.p1'
|
|
drop procedure mysqltest_1.p1;
|
|
drop database mysqltest_1;
|
|
revoke usage on *.* from mysqltest_1@localhost;
|
|
drop user mysqltest_1@localhost;
|
|
drop function if exists bug12812|
|
|
create function bug12812() returns char(2)
|
|
begin
|
|
return 'ok';
|
|
end;
|
|
create user user_bug12812@localhost IDENTIFIED BY 'ABC'|
|
|
SELECT test.bug12812()|
|
|
ERROR 42000: execute command denied to user 'user_bug12812'@'localhost' for routine 'test.bug12812'
|
|
CREATE VIEW v1 AS SELECT test.bug12812()|
|
|
ERROR 42000: execute command denied to user 'user_bug12812'@'localhost' for routine 'test.bug12812'
|
|
DROP USER user_bug12812@localhost|
|
|
drop function bug12812|
|
|
create database db_bug14834;
|
|
create user user1_bug14834@localhost identified by '';
|
|
grant all on `db\_bug14834`.* to user1_bug14834@localhost;
|
|
create user user2_bug14834@localhost identified by '';
|
|
grant all on `db\_bug14834`.* to user2_bug14834@localhost;
|
|
create user user3_bug14834@localhost identified by '';
|
|
grant all on `db__ug14834`.* to user3_bug14834@localhost;
|
|
create procedure p_bug14834() select user(), current_user();
|
|
call p_bug14834();
|
|
user() current_user()
|
|
user1_bug14834@localhost user1_bug14834@localhost
|
|
call p_bug14834();
|
|
user() current_user()
|
|
user2_bug14834@localhost user1_bug14834@localhost
|
|
call p_bug14834();
|
|
user() current_user()
|
|
user3_bug14834@localhost user1_bug14834@localhost
|
|
drop user user1_bug14834@localhost;
|
|
drop user user2_bug14834@localhost;
|
|
drop user user3_bug14834@localhost;
|
|
drop database db_bug14834;
|