Bug #104423 | SHOW CREATE DATABASE fails with a role that has global level privilege | ||
---|---|---|---|
Submitted: | 27 Jul 2021 9:12 | Modified: | 24 Nov 2021 19:23 |
Reporter: | Yusuke Suzuki | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S3 (Non-critical) |
Version: | 8.0.26 | OS: | Any |
Assigned to: | CPU Architecture: | Any |
[27 Jul 2021 9:12]
Yusuke Suzuki
[27 Jul 2021 9:37]
Tsubasa Tanaka
mtr script (*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.
Contribution: bug104423.test (application/octet-stream, text), 867 bytes.
[27 Jul 2021 9:43]
Tsubasa Tanaka
I think adding 3rd argument "true" into sctx->check_access. https://github.com/mysql/mysql-server/blob/mysql-8.0.26/sql/sql_show.cc#L1262 Because of 3rd argument of Security_context::check_access is "match_any", SHOW CREATE DATABASE needs any kind of database privilege. https://github.com/mysql/mysql-server/blob/mysql-8.0.26/sql/auth/sql_security_ctx.cc#L317-... But now, sctx->check_access(DB_OP_ACLS, orig_dbname) requires *ALL OF* DB_OP_ACLS instead of *AT LEAST ONE OF* DB_OP_ACLS.
[27 Jul 2021 9:43]
Tsubasa Tanaka
patch for MySQL 8.0.26 (*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.
Contribution: bug104423.patch (application/octet-stream, text), 436 bytes.
[27 Jul 2021 9:44]
Tsubasa Tanaka
Test result. Before $ ./mtr --nocheck-testcases bug104423.test Logging: ./mtr --nocheck-testcases bug104423.test MySQL Version 8.0.26 Checking supported features Using 'all' suites Collecting tests Checking leftover processes Removing old var directory Creating var directory '/home/yoku0825/mysql-8.0.26/mysql-test/var' Installing system database Using parallel: 1 ============================================================================== TEST NAME RESULT TIME (ms) COMMENT ------------------------------------------------------------------------------ DROP USER IF EXISTS user_native_grant; DROP USER IF EXISTS user_role_grant; DROP ROLE IF EXISTS test_role; DROP DATABASE IF EXISTS d1; CREATE DATABASE d1; CREATE ROLE test_role; GRANT SELECT ON *.* TO test_role; CREATE USER user_role_grant DEFAULT ROLE test_role; CREATE USER user_native_grant; GRANT SELECT ON *.* TO user_native_grant; user_native_grant SHOW GRANTS; Grants for user_native_grant@% GRANT SELECT ON *.* TO `user_native_grant`@`%` SHOW CREATE DATABASE d1; Database Create Database d1 CREATE DATABASE `d1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ user_role_grant SHOW GRANTS; Grants for user_role_grant@% GRANT SELECT ON *.* TO `user_role_grant`@`%` GRANT `test_role`@`%` TO `user_role_grant`@`%` SHOW CREATE DATABASE d1; [ 50%] main.bug104423 [ fail ] Test ended at 2021-07-23 14:28:18 CURRENT_TEST: main.bug104423 mysqltest: At line 26: Query 'SHOW CREATE DATABASE d1' failed. ERROR 1044 (42000): Access denied for user 'user_role_grant'@'localhost' to database 'd1' safe_process[31188]: Child process: 31194, exit: 1 - the logfile can be found in '/home/yoku0825/mysql-8.0.26/mysql-test/var/log/main.bug104423/bug104423.log' [100%] shutdown_report [ pass ] ------------------------------------------------------------------------------ The servers were restarted 0 times The servers were reinitialized 0 times Spent 0.000 of 9 seconds executing testcases Completed: Failed 1/2 tests, 50.00% were successful. Failing test(s): main.bug104423 The log files in var/log may give you some hint of what went wrong. If you want to report this error, please read first the documentation at http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html mysql-test-run: *** ERROR: there were failing test cases After $ ./mtr --nocheck-testcases bug104423.test Logging: ./mtr --nocheck-testcases bug104423.test MySQL Version 8.0.26 Checking supported features Using 'all' suites Collecting tests Checking leftover processes Removing old var directory Creating var directory '/home/yoku0825/mysql-8.0.26/mysql-test/var' Installing system database Using parallel: 1 ============================================================================== TEST NAME RESULT TIME (ms) COMMENT ------------------------------------------------------------------------------ DROP USER IF EXISTS user_native_grant; DROP USER IF EXISTS user_role_grant; DROP ROLE IF EXISTS test_role; DROP DATABASE IF EXISTS d1; CREATE DATABASE d1; CREATE ROLE test_role; GRANT SELECT ON *.* TO test_role; CREATE USER user_role_grant DEFAULT ROLE test_role; CREATE USER user_native_grant; GRANT SELECT ON *.* TO user_native_grant; user_native_grant SHOW GRANTS; Grants for user_native_grant@% GRANT SELECT ON *.* TO `user_native_grant`@`%` SHOW CREATE DATABASE d1; Database Create Database d1 CREATE DATABASE `d1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ user_role_grant SHOW GRANTS; Grants for user_role_grant@% GRANT SELECT ON *.* TO `user_role_grant`@`%` GRANT `test_role`@`%` TO `user_role_grant`@`%` SHOW CREATE DATABASE d1; Database Create Database d1 CREATE DATABASE `d1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ DROP USER user_native_grant; DROP USER user_role_grant; DROP ROLE test_role; DROP DATABASE d1; [ 50%] main.bug104423 [ pass ] 49 [100%] shutdown_report [ pass ] ------------------------------------------------------------------------------ The servers were restarted 0 times The servers were reinitialized 0 times Spent 0.049 of 10 seconds executing testcases Completed: All 2 tests were successful.
[27 Jul 2021 10:16]
MySQL Verification Team
Hello Yusuke Suzuki, Thank you for the report and Tanaka-San for the mtr test case. regards, Umesh
[27 Jul 2021 10:17]
MySQL Verification Team
- 8.0.26 ./mtr bug104423 Logging: ./mtr bug104423 MySQL Version 8.0.26 Checking supported features Using 'all' suites Collecting tests Checking leftover processes Removing old var directory Creating var directory '/export/home/tmp/ushastry/mysql-8.0.26/mysql-test/var' Installing system database Using parallel: 1 ============================================================================== TEST NAME RESULT TIME (ms) COMMENT ------------------------------------------------------------------------------ [ 50%] main.bug104423 [ fail ] Test ended at 2021-07-27 12:13:05 CURRENT_TEST: main.bug104423 mysqltest: At line 24: Query 'SHOW CREATE DATABASE d1' failed. ERROR 1044 (42000): Access denied for user 'user_role_grant'@'localhost' to database 'd1' safe_process[1200]: Child process: 1201, exit: 1 Mysqltest client output from logfile ----------- MYSQLTEST OUTPUT START ----------- DROP USER IF EXISTS user_native_grant; DROP USER IF EXISTS user_role_grant; DROP ROLE IF EXISTS test_role; DROP DATABASE IF EXISTS d1; CREATE DATABASE d1; CREATE ROLE test_role; GRANT SELECT ON *.* TO test_role; CREATE USER user_role_grant DEFAULT ROLE test_role; CREATE USER user_native_grant; GRANT SELECT ON *.* TO user_native_grant; user_native_grant SHOW CREATE DATABASE d1; Database Create Database d1 CREATE DATABASE `d1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ user_role_grant SHOW CREATE DATABASE d1; ------------ MYSQLTEST OUTPUT END ----------- - the logfile can be found in '/export/home/tmp/ushastry/mysql-8.0.26/mysql-test/var/log/main.bug104423/bug104423.log' [100%] shutdown_report [ pass ] ------------------------------------------------------------------------------ The servers were restarted 0 times The servers were reinitialized 0 times Spent 0.000 of 8 seconds executing testcases Completed: Failed 1/2 tests, 50.00% were successful. Failing test(s): main.bug104423 The log files in var/log may give you some hint of what went wrong. If you want to report this error, please read first the documentation at http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html mysql-test-run: *** ERROR: there were failing test cases
[24 Nov 2021 19:23]
Daniel Price
Posted by developer: Fixed as of the upcoming 8.0.28 release: A user account that was granted a MySQL role with a global SELECT privilege was denied access to the mysql database. The user account's global privileges were not checked when the role was granted.