Bug #10964 Information Schema: Authorization check on privilege tables is improper
Submitted: 30 May 2005 14:46 Modified: 24 Jun 2005 3:07
Reporter: Disha
Status: Closed
Category: MySQL Server    Severity: S2 (Serious)
Version: 5.0.5-Beta    OS: Windows (Windows Server 2003)
Assigned to: Sergei Glukhov    CPU Architecture: Any

[30 May 2005 14:46] Disha
Description:
The authorization checks on the information_schema privilege tables are improper, i.e. any user with limited privileges can query the information_schema tables to get the details about privileges granted to different users on different database objects even when he does not have any permission on those objects. The tables are:
1. USER_PRIVILEGES Table 
2. SCHEMA_PRIVILEGES Table 
3. TABLE_PRIVILEGES Table 
4. COLUMN_PRIVILEGES Table 

How to repeat:
1. create user user1//
2. create user user2//
3. create database db1//
4. use db1//
5. create table t1 (f1 int, f2 int)//
6. create database db2//
7. use db2//
8. create table t2 (f1 int)//
9. grant select on db1.t1(f1) to user1//
10. grant select on db2.t2 to user2//
11. Connect to mysql server as user1.
12. select * from information_schema.column_privileges//
13. select * from information_schema.table_privileges//

Expected Result: The result set returned in Step 12 should have the details for user1 listed and that returned in Step 13 should be empty.

Actual Result: The result set returned in Step 12 returns the details for user1 and that returned in Step 13 lists the details for user2.
[30 May 2005 23:46] Jorge del Conde
Thanks for your bug report.

I tested this in 5.0.7 from bk.

These were the results that I got when executing steps 12 & 13:

mysql> delimiter //
mysql> select * from information_schema.column_privileges//
Empty set (0.00 sec)

mysql> select * from information_schema.table_privileges//
+-------------+---------------+--------------+------------+----------------+--------------+
| GRANTEE     | TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | PRIVILEGE_TYPE | IS_GRANTABLE |
+-------------+---------------+--------------+------------+----------------+--------------+
| 'user1'@'%' | NULL          | db1          | t1         | SELECT         | NO           |
| 'user2'@'%' | NULL          | db2          | t2         | SELECT         | NO           |
+-------------+---------------+--------------+------------+----------------+--------------+
2 rows in set (0.00 sec)

mysql>
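As an added verification script (not part of the report, of Jorge's output, or of MySQL's own test suite), the following SQL rebuilds the setup from the "How to repeat" steps and then, connected as user1, checks that the four information_schema privilege tables expose only user1's own grants. The account, database and table names are the report's; the generic check at the end is my own and assumes that GRANTEE carries the quoted 'user'@'host' form shown in the table output above while CURRENT_USER() returns the same account unquoted as user@host.

```sql
-- Added example, not from the bug report or from MySQL's test suite.
-- Assumes a server carrying the fix (5.0.7 or later per this report).

-- === Part 1: run as an administrative account (steps 1-10 of the report) ===
CREATE DATABASE db1;
CREATE DATABASE db2;
CREATE TABLE db1.t1 (f1 INT, f2 INT);
CREATE TABLE db2.t2 (f1 INT);
CREATE USER 'user1'@'%';
CREATE USER 'user2'@'%';
GRANT SELECT (f1) ON db1.t1 TO 'user1'@'%';   -- column-level grant, step 9
GRANT SELECT ON db2.t2      TO 'user2'@'%';   -- table-level grant, step 10

-- === Part 2: reconnect as user1 (e.g. mysql -u user1) and run the rest ===

-- Step 12 equivalent. Expected after the fix: exactly one row,
-- 'user1'@'%' on db1.t1 column f1 with PRIVILEGE_TYPE = SELECT.
SELECT GRANTEE, TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, PRIVILEGE_TYPE
  FROM information_schema.COLUMN_PRIVILEGES;

-- Step 13 equivalent. Expected after the fix: Empty set, because user1
-- holds no table-level grant. On 5.0.5 the 'user2'@'%' row for db2.t2
-- appears here, which is the leak the report describes.
SELECT GRANTEE, TABLE_SCHEMA, TABLE_NAME, PRIVILEGE_TYPE
  FROM information_schema.TABLE_PRIVILEGES;

-- Generic check, usable as any unprivileged account: count rows whose
-- GRANTEE is some other account. GRANTEE is stored as 'user'@'host';
-- stripping the single quotes yields user@host, the CURRENT_USER() form.
-- Expected after the fix: other_accounts = 0 on every line.
SELECT 'USER_PRIVILEGES'   AS tbl, COUNT(*) AS other_accounts
  FROM information_schema.USER_PRIVILEGES
 WHERE REPLACE(GRANTEE, '''', '') <> CURRENT_USER()
UNION ALL
SELECT 'SCHEMA_PRIVILEGES', COUNT(*)
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE REPLACE(GRANTEE, '''', '') <> CURRENT_USER()
UNION ALL
SELECT 'TABLE_PRIVILEGES',  COUNT(*)
  FROM information_schema.TABLE_PRIVILEGES
 WHERE REPLACE(GRANTEE, '''', '') <> CURRENT_USER()
UNION ALL
SELECT 'COLUMN_PRIVILEGES', COUNT(*)
  FROM information_schema.COLUMN_PRIVILEGES
 WHERE REPLACE(GRANTEE, '''', '') <> CURRENT_USER();
```

Run the final query from a deliberately unprivileged account: an account that can read the mysql.* grant tables (for example one holding global SELECT) is expected to see every grantee's rows, so a non-zero count there is not evidence of this bug.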
[1 Jun 2005 12:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/25446
[2 Jun 2005 10:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/25506
[7 Jun 2005 7:16] Sergei Glukhov
Fixed in 5.0.7
[24 Jun 2005 3:07] Jon Stephens
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

Documented fix in 5.0.7 changelog; bug closed.