Bug #25578 CREATE TABLE LIKE does not require any privileges on source table.
Submitted: 12 Jan 2007 11:22
Modified: 7 Jun 2007 16:31
Reporter: Dmitry Lenev
Status: Closed
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 4.1.23-bk, 5.0.34-bk, 5.1.15-bk
OS: Linux (SUSE 10.0/Any)
Assigned to: Dmitry Lenev
CPU Architecture: Any

[12 Jan 2007 11:22] Dmitry Lenev
Description:
CREATE TABLE LIKE does not require any privileges on source table.

Although the documentation does not say explicitly that it should require any privileges on the source table, this IMO should still be considered a bug, as such behavior allows privilege checks in SHOW CREATE TABLE/I_S tables to be circumvented.

How to repeat:
# Here is the script for MySQL's test suite which demonstrates problem
create database mysqltest;
use mysqltest;
create table t1 (i int);
# Connect as anonymous user (which has rights on 'test' database)
connect (user1,localhost,,,);
connection user1;
use test;
# As expected error is emitted
--error 1044
show create table mysqltest.t1;
create table t1 like mysqltest.t1;
# Oops... we have circumvented privilege check...
show create table t1;
[31 Jan 2007 21:06] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/19127

ChangeSet@1.2379, 2007-02-01 00:05:29+03:00, dlenev@mockturtle.local +14 -0
  Tentative fix for bugs #18950 "create table like does not obtain
  LOCK_open", #23667 "CREATE TABLE LIKE is not isolated from alteration
  by other connections" and bug #25578 "CREATE TABLE LIKE does not
  require any privileges on source table".
  
  Concurrent execution of CREATE TABLE LIKE statement and DDL statements
  on source table or DML/DDL statements on its target table could result
  in various errors in these statements and wrong order of statements in
  binlog.  
  
  These problems were caused by incomplete protection/table-locking against
  concurrent statements implemented in mysql_create_like_table() routine.
  
  This fix simply implements such protection in a proper way:
  
  We keep the source table open during the whole operation and place copying
  of the .frm file, the call to ha_create_table() and writing to the binlog into
  one critical section protected by the LOCK_open mutex. While the former
  gives us protection against concurrent DDL on the source table, the latter
  protects from DDL and DML on the target table.
  
  It also removes some duplicated code from mysql_create_like_table().
  
  Questions for reviewers are marked by QQ.
[1 Jun 2007 19:20] Bugs System
Pushed into 5.0.44
[1 Jun 2007 19:25] Bugs System
Pushed into 5.1.20-beta
[7 Jun 2007 16:31] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented security fix in 5.0.44 and 5.1.20 changelogs.
[20 Jul 2007 16:12] Paul Dubois
CVE number has been assigned:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3781
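
Added example (not part of the bug report or of MySQL's code): a Python triage helper that classifies server version strings against the fix releases named in this report (5.0.44 and 5.1.20). The host names in the sample inventory are made up, and treating every earlier release of a fixed series as affected and every later series as fixed is an assumption.

```python
import re

# Fix releases named in this report ("Pushed into 5.0.44", "Pushed into 5.1.20-beta").
FIXED_IN = {(5, 0): 44, (5, 1): 20}
# Series the report lists as affected (4.1.23-bk) without naming a fixed release.
NO_FIX_LISTED = {(4, 1)}
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def classify(version_string):
    """Classify a MySQL VERSION() string against bug #25578 / CVE-2007-3781.

    Returns "fixed", "affected", "no-fix-listed" or "unknown".
    Assumptions: every release of a series before its fix release is
    affected, and series newer than 5.1 were branched after the fix.
    """
    m = _VERSION_RE.match(version_string or "")
    if not m:
        return "unknown"  # unparsable strings need manual review
    major, minor, patch = (int(g) for g in m.groups())
    series = (major, minor)
    if series in FIXED_IN:
        return "fixed" if patch >= FIXED_IN[series] else "affected"
    if series in NO_FIX_LISTED:
        return "no-fix-listed"
    if series > max(FIXED_IN):
        return "fixed"
    return "unknown"  # older series are not covered by the report


def triage(inventory):
    """Return the sorted host names whose version is not known to carry the fix."""
    return sorted(h for h, v in inventory.items() if classify(v) != "fixed")


# Constructed inventory: host names are invented, version strings reuse the report's.
SAMPLE_INVENTORY = {
    "db-a": "5.0.34-bk",
    "db-b": "5.0.44-log",
    "db-c": "5.1.15-bk",
    "db-d": "5.1.20-beta",
    "db-e": "4.1.23-bk",
    "db-f": "not-a-version",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host], classify(SAMPLE_INVENTORY[host]))
```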