Bug #27515 DROP privilege is not required anymore for RENAME TABLE
Submitted: 29 Mar 2007 10:15 Modified: 27 Apr 2007 4:25
Reporter: Victoria Reznichenko
Status: Closed
Category: MySQL Server: Security: Privileges Severity: S2 (Serious)
Version: 4.1, 5.0, 5.1 OS: Any (any)
Assigned to: Ramil Kalimullin CPU Architecture: Any
Tags: bfsm_2007_04_05, regression

[29 Mar 2007 10:15] Victoria Reznichenko
Description:
From the MySQL Manual:

You must also have the ALTER and DROP privileges on the original table, and the CREATE and INSERT privileges on the new table.

http://dev.mysql.com/doc/refman/5.0/en/rename-table.html

This is true only for version 4.1; in 5.0 and 5.1 it is possible to rename a table without the DROP privilege.

In 4.1 I got an error:

mysql> rename table tabc to tabc_bk,tabd to tabc,tabc_bk to tabd;
ERROR 1044 (42000): Access denied for user 'usb'@'localhost' to database 'priv_test'

How to repeat:
1. Create a test database and user with SELECT, INSERT, ALTER and CREATE privileges on this database:

mysql> create database priv_test;
Query OK, 1 row affected (0.00 sec)

mysql> grant select, insert, alter, create on `priv\_test`.* to usb@'localhost' identified by 'mysql';
Query OK, 0 rows affected (0.02 sec)

2. Connect as the newly created user:

$ ./bin/mysql  -uusb -pmysql priv_test
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.17-beta-debug Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| usb@localhost  |
+----------------+
1 row in set (0.00 sec)

mysql> create table tabc (col1 int);
Query OK, 0 rows affected (0.02 sec)

mysql> create table tabd (col2 int);
Query OK, 0 rows affected (0.05 sec)

mysql> rename table tabc to tabc_bk,tabd to tabc,tabc_bk to tabd;
Query OK, 0 rows affected (0.00 sec)

As you can see, a user without the DROP privilege was able to rename the table.
[17 Apr 2007 11:52] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/24642

ChangeSet@1.2644, 2007-04-17 16:52:50+05:00, ramil@mysql.com +3 -0
  Fix for bug #27515: DROP privilege is not required anymore for RENAME TABLE
  
  Added missing DROP privilege check on the original table for the RENAME TABLE command.
[26 Apr 2007 11:32] Bugs System
Pushed into 4.1.23
[26 Apr 2007 11:37] Bugs System
Pushed into 5.0.42
[26 Apr 2007 11:38] Bugs System
Pushed into 5.1.18-beta
[27 Apr 2007 4:25] Paul DuBois
Noted in 4.1.23, 5.0.42, 5.1.18 changelogs.

Security fix: The requirement of the DROP privilege for RENAME TABLE
was not being enforced.
[9 May 2007 3:20] Guangbao Ni
merge into mysql-4.1-ndb tree
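
Added example, not part of the bug report or of MySQL's code: a small audit helper that checks whether a server version predates the release the thread says the fix was pushed into, and lists accounts whose grants match the reporter's case (ALTER, CREATE and INSERT held, DROP withheld). The function names predates_fix and grants_missing_drop are hypothetical, the input is assumed to be text in the form SHOW GRANTS prints, and the sample lines are constructed.

```python
import re

# Releases the thread says the fix was pushed into, keyed by release series.
FIXED_IN = {(4, 1): 23, (5, 0): 42, (5, 1): 18}
# Privileges the reporter's account held when RENAME TABLE succeeded without DROP.
HELD = {"ALTER", "CREATE", "INSERT"}
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<who>\S+)", re.I)

def predates_fix(version):
    """True or False inside the 4.1, 5.0 and 5.1 series, None for any other series."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    fixed = FIXED_IN.get((major, minor))
    return None if fixed is None else patch < fixed

def grants_missing_drop(lines):
    """Return (account, scope) pairs holding ALTER, CREATE and INSERT but no DROP."""
    parsed, global_drop = [], set()
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        # Column-level items such as "INSERT (col1)" never equal a bare privilege name.
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        has_drop = bool(privs & {"DROP", "ALL", "ALL PRIVILEGES"})
        if has_drop and m.group("scope") == "*.*":
            global_drop.add(m.group("who"))  # privileges are additive across scopes
        parsed.append((m.group("who"), m.group("scope"), privs, has_drop))
    return [(who, scope) for who, scope, privs, has_drop in parsed
            if HELD <= privs and not has_drop and who not in global_drop]

# Constructed SHOW GRANTS lines; the 'usb' entry mirrors the grant in the report.
SAMPLE = [
    "GRANT USAGE ON *.* TO 'usb'@'localhost'",
    "GRANT SELECT, INSERT, CREATE, ALTER ON `priv\\_test`.* TO 'usb'@'localhost'",
    "GRANT SELECT, INSERT, CREATE, DROP, ALTER ON `app`.* TO 'ops'@'localhost'",
    "GRANT DROP ON *.* TO 'dba'@'localhost'",
    "GRANT INSERT, CREATE, ALTER ON `logs`.* TO 'dba'@'localhost'",
]

if __name__ == "__main__":
    if predates_fix("5.1.17-beta-debug"):  # server version shown in the report
        for who, scope in grants_missing_drop(SAMPLE):
            print(f"{who} on {scope}: DROP withheld, review RENAME TABLE exposure")
```

Accounts it lists are the ones where withholding DROP was presumably meant to prevent renames, so they are the grants to re-check on a server older than the fixed release for its series.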