Bug #17514 Default is wrong for SQL SECURITY
Submitted: 17 Feb 2006 9:06 Modified: 19 Feb 2006 11:49
Reporter: Kristian Koehntopp Email Updates:
Status: Not a Bug Impact on me:
Category:MySQL Server: Stored Routines Severity:S2 (Serious)
Version:5.0.18 OS:Linux (Linux)
Assigned to: CPU Architecture:Any

[17 Feb 2006 9:06] Kristian Koehntopp
Default for about anything is SQL SECURITY DEFINER. Even if this is in the standard, it is wrong.

Do you want to make everything SUID by default? This has raised tons of security problems with a customer porting code to MySQL, because every single function and procedure must be reviewed.

How to repeat:
create procedure bla()


Check the security setting.

Suggested fix:
Make SQL SECURITY INVOKER the default. Do not use insecure defaults. Always make security transitions explicit!
[19 Feb 2006 11:49] Valeriy Kravchuk
Thank you for a problem report. Sorry, but it is not a bug. It is intended and correct behaviour, that allows to provide real level of security (only this way you can create stored functions as the only means to work with data, not giving direct access to them)! SQL SECURITY DEFINER is also used by default in Oracle for ages...