Bug #15298 SHOW GRANTS FOR CURRENT_USER: Incorrect output in DEFINER context
Submitted: 28 Nov 2005 20:37 Modified: 7 Jul 2006 19:22
Reporter: Paul DuBois Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S3 (Non-critical)
Version:5.0.16/5.0.17 BK OS:Linux (Linux)
Assigned to: Sergei Glukhov CPU Architecture:Any

[28 Nov 2005 20:37] Paul DuBois 
Description:
In DEFINER execution context, CURRENT_USER() returns the definer
rather than the account for the currently authenticated client.
(For example, use of CURRENT_USER() in a trigger or SQL SECURITY DEFINER
view or stored routine returns the trigger, view, or routine definer.)

However, there is a CURRENT_USER() option for SHOW GRANTS (SHOW
GRANTS FOR CURRENT_USER().  But it does _not_ change value when
executed in DEFINER execution context.

How to repeat:
As me, I execute these statements:

drop procedure if exists p;
create procedure p () sql security definer show grants for current_user;

Then as me, I execute this statement:

mysql> call p()\G
*************************** 1. row ***************************
Grants for paul@localhost: GRANT ALL PRIVILEGES ON *.* TO 'paul'@'localhost'
IDENTIFIED BY PASSWORD '*16BBF8FDE9FB9CBDD2141FA3F6239C267C4FA466' WITH GRANT
OPTION
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.04 sec)

Then as another user, I execute the same statement:

mysql> call p()\G           
*************************** 1. row ***************************
Grants for cbuser@localhost: GRANT USAGE ON *.* TO 'cbuser'@'localhost'
IDENTIFIED BY PASSWORD '*126CFB940B0843713B19A6C21B99C0F1F9F3AFB6'
*************************** 2. row ***************************
Grants for cbuser@localhost: GRANT ALL PRIVILEGES ON `cookbook`.* TO
'cbuser'@'localhost'
2 rows in set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)

The call should have shown me the privileges for paul, not cbuser.

Possibly this problem affects other statements as well.  CURRENT_USER
is one of the allowable expansions of the "user" production in
sql_yacc.yy, and that production seems to be allowable in the grammar
for a number of statements:
 
SET PASSWORD FOR user
RENAME USER user TO user
DROP USER user
...
[20 Jun 2006 10:59] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/7912
[27 Jun 2006 8:44] Alexander Barkov 
The patch generally looks ok to push.

I'd suggest to put somewhere in the code a comment
that an empty LEX_USER now means CURRENT_USER.
Maybe even in two places: sql_yacc.yy and before
implementation of get_cuttent_user() in sql_parse.cc.

Please push after adding a comment.

Also, please write more comments on individual files
in the future.
[29 Jun 2006 10:47] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/8473
[3 Jul 2006 11:32] Sergei Glukhov 
Fixed in 5.0.24
[7 Jul 2006 19:22] Paul DuBois 
Noted in 5.0.24, 5.1.12 changelogs.

SHOW GRANTS FOR CURRENT_USER did not return definer grants when executed in DEFINER context (such as within a stored prodedure defined with SQL SECURITY DEFINER), it returned the invoker grants.
[13 Jul 2006 3:34] Paul DuBois 
5.0.x fix went to 5.0.25 instead.