Bug #14385 GRANT and mapping to correct user account problems
Submitted: 27 Oct 2005 10:45 Modified: 14 Mar 2006 16:59
Reporter: Tobias Asplund Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S2 (Serious)
Version:5.0 OS:Microsoft Windows (Windows)
Assigned to: Sergei Glukhov CPU Architecture:Any

[27 Oct 2005 10:45] Tobias Asplund
Description:
GRANT command seems to map PRIVILEGES to the wrong user account in some circumstances.

How to repeat:
mysql> GRANT DELETE ON world.city TO flupps@'%' IDENTIFIED BY 'a';
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT SELECT ON world.city TO flupps@'192.%' IDENTIFIED BY 'a';
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye

C:\>mysql -h 192.168.100.3 -u flupps -pa world
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 22 to server version: 5.0.13-rc-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SHOW GRANTS;
+-----------------------------------------------------------------------------------------------------------+
| Grants for flupps@192.%                                     |
+-----------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'flupps'@'192.%' IDENTIFIED BY PASSWORD '*667F407DE7C6AD07358FA38DAED7828A72014B4E' |
+-----------------------------------------------------------------------------------------------------------+
1 row in set (0.01 sec)

-- It does seem to work however:

mysql> USE world;
Database changed

mysql> SELECT * FROM City LIMIT 1;
+----+----------+---------+----------+------------+
| Id | Name     | Country | District | Population |
+----+----------+---------+----------+------------+
|  2 | Qandahar | AFG     | Qandahar |     237500 |
+----+----------+---------+----------+------------+
1 row in set (0.40 sec)

mysql> GRANT SELECT ON world.city TO flupps@'%';
Query OK, 0 rows affected (0.00 sec)

mysql> sHOW GRANTS FOR 'flupps'@'%';
+-------------------------------------------------------------------------------------------------------+
| Grants for flupps@%                                 |
+-------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'flupps'@'%' IDENTIFIED BY PASSWORD '*667F407DE7C6AD07358FA38DAED7828A72014B4E' |
| GRANT SELECT, DELETE ON `world`.`city` TO 'flupps'@'%'                                 |
+-------------------------------------------------------------------------------------------------------+
2 rows in set (0.01 sec)

mysql> sHOW GRANTS FOR 'flupps'@'192.%';
+-----------------------------------------------------------------------------------------------------------+
| Grants for flupps@192.%                                     |
+-----------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'flupps'@'192.%' IDENTIFIED BY PASSWORD '*667F407DE7C6AD07358FA38DAED7828A72014B4E' |
+-----------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

C:\>mysql -h 192.168.100.3 -u flupps -pa world
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 24 to server version: 5.0.13-rc-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> DELETE FROM City LIMIT 1;
Query OK, 1 row affected (0.00 sec)

mysql> SELECT CURRENT_USER();
+----------------+
| CURRENT_USER() |
+----------------+
| flupps@192.%   |
+----------------+
1 row in set (0.01 sec)

-- OUCH!!!!!
[27 Oct 2005 17:15] Jorge del Conde
I was able to reproduce this using a recent 5.0bk clone under XP
[6 Dec 2005 12:05] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/33063
[31 Jan 2006 11:05] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/1929
[6 Feb 2006 10:17] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/2175
[27 Feb 2006 15:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/3195
[6 Mar 2006 9:59] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/3485
[6 Mar 2006 10:02] Sergei Glukhov
Fixed in 4.1.19
[14 Mar 2006 16:59] Mike Hillyer
Documented in 4.1.19 changelog:

      <listitem>
        <para>
          Security Improvement: GRANTs to users with wildcards in their
          host information could be erroneously applied to similar users
          with the same username and similar wildcards. For example, a
          privilege granted to <literal>foo@%</literal> are also applied
          to user <literal>foo@192.%</literal>. (Bug #14385)
        </para>
      </listitem>