Bug #25671 CREATE/DROP/ALTER SERVER should require privileges
Submitted: 17 Jan 2007 8:14 Modified: 30 Mar 2007 19:48
Reporter: Giuseppe Maxia Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Federated storage engine Severity:S1 (Critical)
Version:5.1.15 OS:Any (all)
Assigned to: Antony Curtis CPU Architecture:Any
Tags: federated, grants

[17 Jan 2007 8:14] Giuseppe Maxia
Description:
The new syntax for CREATE/DROP/ALTER SERVER is available to any user, regardless of the granted privileges.

For example:

GRANT ALL ON  test.* TO guest1 IDENTIFIED BY 'guest';
GRANT SELECT ON  test.* TO guest2 IDENTIFIED BY 'guest';
GRANT USAGE ON  *.* TO guest3 IDENTIFIED BY 'guest';

mysql -u guest1 -pguest test

mysql> create SERVER 's1' foreign data wrapper 'mysql' options (HOST '127.0.0.1', DATABASE 'test', USER 'guest', PASSWORD 'guest', PORT 3307);
Query OK, 1 row affected (0.00 sec)

mysql -u guest2 -pguest test

mysql> alter SERVER 's1'  options (DATABASE 'toast');
Query OK, 1 row affected (0.00 sec)

mysql> drop server s1;
Query OK, 1 row affected (0.01 sec)

mysql> create SERVER 's2' foreign data wrapper 'mysql' options (HOST '127.0.0.1', DATABASE 'test', USER 'guest', PASSWORD 'guest', PORT 3307);
Query OK, 1 row affected (0.00 sec)

mysql -u guest3 -pguest test

mysql> alter SERVER 's2'  options (DATABASE 'toast');
Query OK, 1 row affected (0.00 sec)

mysql> drop server s2;
Query OK, 1 row affected (0.01 sec)

mysql> create SERVER 's3' foreign data wrapper 'mysql' options (HOST '127.0.0.1', DATABASE 'test', USER 'guest', PASSWORD 'guest', PORT 3307);
Query OK, 1 row affected (0.00 sec)

A user with full privileges on a single database can create a server wide server.
Then a user with read-only privileges can create, alter, and drop servers.
An finally, a user with only usage, i.e. with no privileges at all, can
drop,alter and create servers.

How to repeat:
test case to follow

Suggested fix:
CREATE SERVER should require higher privileges than SELECT.
DROP/ALTER SERVER should be allowed to the owner or to users with SUPER privilege.
[17 Jan 2007 16:24] Patrick Galbraith
Yes, user privs should be though of for this. The owner col should be used for this.
[19 Jan 2007 22:36] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/18490

ChangeSet@1.2394, 2007-01-19 14:35:59-08:00, acurtis@xiphis.org +1 -0
  Bug#25671
    "CREATE/DROP/ALTER SERVER should require privileges"
    Instrument check for SUPER privilege
    (we should concider switching to 64bit ACL words to have fine grained ACLs)
[13 Feb 2007 18:37] Giuseppe Maxia
test for bug#25671 after fix

Attachment: federated_bug_25671_fixed.tar.gz (application/x-tar, text), 2.00 KiB.

[13 Feb 2007 18:39] Giuseppe Maxia
QA_TEST_PASS
Please see the attached test case.
After the fix, server creation,drop, and alter are not allowed for users without the SUPER privilege.
[14 Feb 2007 0:21] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/19818

ChangeSet@1.2432, 2007-02-13 16:21:37-08:00, antony@ppcg5.local +3 -0
  Bug#25671
    "CREATE/ALTER/DROP SERVER should require privileges"
    Add checks for SUPER acl before executing CREATE/ALTER/DROP
    SERVER commands.
    Includes test for bug.
[13 Mar 2007 19:58] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21840

ChangeSet@1.2477, 2007-03-13 11:58:24-07:00, acurtis@xiphis.org +3 -0
  Bug#25671
    "CREATE/DROP/ALTER SERVER should require privileges"
    Add check for SUPER privilege when executing CREATE/DROP/ALTER SERVER.
    Previously, any user even with only USAGE priv can execute those commands.
[15 Mar 2007 8:31] Ingo Strüwing
OK to push from me. The absolute minimum required comments are present.
[16 Mar 2007 1:20] Antony Curtis
Pushed to 5.1-engines repository
[30 Mar 2007 17:28] Bugs System
Pushed into 5.1.18-beta
[30 Mar 2007 19:48] Paul Dubois
Noted in 5.1.18 changelog.

CREATE SERVER, DROP SERVER, and ALTER SERVER did not require any
privileges. Now these statements require the SUPER privilege.

Also updated the CREATE SERVER, DROP SERVER, and ALTER SERVER
sections to note the required privilege.