Bug #9467 | Stored procedures: possible security breach via alter procedure | ||
---|---|---|---|
Submitted: | 29 Mar 2005 22:52 | Modified: | 27 Oct 2006 2:52 |
Reporter: | Peter Gulutzan | Email Updates: | |
Status: | Won't fix | Impact on me: | |
Category: | MySQL Server: Stored Routines | Severity: | S3 (Non-critical) |
Version: | 5.0.4-beta-debug | OS: | Linux (SUSE 9.2) |
Assigned to: | Antony Curtis | CPU Architecture: | Any |
[29 Mar 2005 22:52]
Peter Gulutzan
[22 Apr 2005 13:20]
Per-Erik Martin
Is this really a bug? Having the ALTER ROUTINE privilege seems to imply that you should be allowed to do this. If it is a bug, I don't understand the suggested fix. Disallow ALTER ROUTINE how? ALTER PROCEDURE, or the privilege, or ALTER ... SQL SECURITY?
[19 May 2005 21:26]
Antony Curtis
Would it be a satisfactory solution to set the definer of a stored procedure to the user who last altered it?
[2 Jun 2005 1:39]
Peter Gulutzan
Changing the definer would ingeniously solve what I see as a security problem, but the definer is supposed to be the person who (originally) defined, so it's not fair play. If nobody else jumps in to say that they too see this as a possible security breach, I'll accept that I am seeing a problem where it doesn't really exist, and the assignee should declare this as "not a bug".
[25 Oct 2006 10:58]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/14339

ChangeSet@1.2291, 2006-10-25 03:49:08-07:00, acurtis@xiphis.org +1 -0
Bug#9467 "Stored procedures: possible security breach via alter procedure"
only the routine definer can set SQL SECURITY DEFINER
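
An audit query for the exposure discussed in this thread, added here as an example and not taken from the bug report or the MySQL source: it lists accounts other than a routine's definer that hold ALTER ROUTINE at global or schema scope, so an administrator can review who is able to change a routine's SQL SECURITY characteristic. It reads only information_schema; routine-level grants (stored in mysql.procs_priv) are not covered, and the account comparison is a plain string match that does not evaluate host wildcards.

```sql
-- Added example: non-definer accounts holding ALTER ROUTINE over stored routines.
SELECT r.ROUTINE_SCHEMA,
       r.ROUTINE_NAME,
       r.ROUTINE_TYPE,            -- PROCEDURE or FUNCTION
       r.SECURITY_TYPE,           -- DEFINER or INVOKER
       r.DEFINER,                 -- stored as user@host, unquoted
       p.GRANTEE,                 -- stored as 'user'@'host', quoted
       p.scope                    -- where the privilege was granted
FROM information_schema.ROUTINES AS r
JOIN (
      -- Global grants (GRANT ALTER ROUTINE ON *.*) apply to every schema.
      SELECT GRANTEE, '%' AS db_pattern, 'global' AS scope
      FROM information_schema.USER_PRIVILEGES
      WHERE PRIVILEGE_TYPE = 'ALTER ROUTINE'
      UNION ALL
      -- Schema grants; TABLE_SCHEMA may itself contain LIKE wildcards.
      SELECT GRANTEE, TABLE_SCHEMA, 'schema'
      FROM information_schema.SCHEMA_PRIVILEGES
      WHERE PRIVILEGE_TYPE = 'ALTER ROUTINE'
     ) AS p
  ON r.ROUTINE_SCHEMA LIKE p.db_pattern
-- Strip the quotes from GRANTEE so it can be compared with DEFINER.
WHERE REPLACE(p.GRANTEE, '''', '') <> r.DEFINER
ORDER BY r.ROUTINE_SCHEMA, r.ROUTINE_NAME, p.GRANTEE;
```

Rows where DEFINER is a highly privileged account and GRANTEE is not are the ones to review first.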