Bug #116954 Users without any privileges can access information_schema.INNODB_DATAFILES to retrieve table names of other users
Submitted: 11 Dec 2024 16:52 Modified: 11 Dec 2024 19:13
Reporter: Jingzhou Fu Email Updates:
Status: Duplicate Impact on me:
None 
Category:MySQL Server: Information schema Severity:S3 (Non-critical)
Version:9.1.0 OS:Linux (Ubuntu 22.04, docker image mysql:9.1.0)
Assigned to: CPU Architecture:x86 (x64)

[11 Dec 2024 16:52] Jingzhou Fu 
Description:
Users without any privileges can also access information_schema.INNODB_DATAFILES, which can be used to retrieve table names of other users.

The documentation said, "You must have the PROCESS privilege to query this table. ". However, it seems like non-privileged users can also access this table and retrieve some information.

How to repeat:
The Proof of Concept (PoC) on docker image mysql:9.1.0 :

```
bash$ docker run -e MYSQL_ALLOW_EMPTY_PASSWORD=1 -p 3306:3306 -itd --name some-mysql mysql:9.1.0
bash$ docker exec -it some-mysql mysql -uroot

-- Execute the following SQL commands with the root user
mysql> USE mysql;
  CREATE TABLE tbl1 (col1234567890 INT); -- Create some normal tables
  CREATE INDEX idx1 ON tbl1 (col1234567890);

  CREATE USER foo; -- Create a empty user
  QUIT;

-- Login with the user `foo`
bash$ docker exec -it some-mysql mysql -ufoo

-- Unexpected result: the non-privileged user can see the table name
mysql> SELECT * FROM information_schema.INNODB_DATAFILES;
+------------------------+----------------------+
| SPACE                  | PATH                 |
+------------------------+----------------------+
...
| 0x32                   | ./mysql/tbl1.ibd     |
+------------------------+----------------------+

Suggested fix:
Fix the permission check of information_schema.INNODB_DATAFILES.
[11 Dec 2024 16:57] MySQL Verification Team 
Hi Mr. Fu,

Thank you for your bug report.

However, in order to repeat what you observed, we need to know the exact set of privileges for the user foo.

Without that info, we can not repeat what you are reporting.

Also, have you discovered whether the same fault occurs with 8.0 and 8.4 ???

Can you also  let us know the exact chapter which explains what privileges are required for the access to that table ???
[11 Dec 2024 17:16] MySQL Verification Team 
Hi Mr. Fu,

It seems that you are correct in your bug report.

Can you just provide us with a link to the page in our Reference Manual which claims that:

"You must have the PROCESS privilege to query this table. "

As soon as you provide us with that info, we shall verify this bug report.
[11 Dec 2024 17:21] Jingzhou Fu 
Sure. This website provides such information:

https://dev.mysql.com/doc/refman/8.4/en/information-schema-innodb-datafiles-table.html

You can search for the word "PROCESS" on the page to find it.
[11 Dec 2024 17:24] Jingzhou Fu 
Additionally, the table information_schema.INNODB_TABLESPACES_BRIEF has a similar issue.

The chapter about INNODB_TABLESPACES_BRIEF:
https://dev.mysql.com/doc/refman/9.1/en/information-schema-innodb-tablespaces-brief-table....
[11 Dec 2024 17:31] Jingzhou Fu 
The table information_schema.TABLESPACES_EXTENSIONS can also be used by a non-privileged user to retrieve table names.

However, the documentation does not mention what privileges are needed to access it. 

https://dev.mysql.com/doc/refman/9.1/en/information-schema-tablespaces-extensions-table.ht...

I am not sure whether such behavior is expected, since the current behavior of TABLESPACES_EXTENSIONS can be used to leak table names to other users.
[11 Dec 2024 19:13] MySQL Verification Team 
This bug report is a duplicate of :

https://bugs.mysql.com/bug.php?id=116953