Description:
If a user has been granted INSERT, DELETE or UPDATE access to the mysql database (or to mysql.proc specifically), that user can create a new stored procedure, drop an existing procedure, or alter an existing procedure (respectively) without the corresponding CREATE ROUTINE privileges. It is also possible to alter the SQL SECURITY and the DEFINER of a procedure to give it elevated privileges.
How to repeat:
mysql> call sp_test.test_kill();
+------------+
| CURDATE()  |
+------------+
| 2007-07-30 |
+------------+
1 row in set (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
mysql> select db, name, body from mysql.proc;
+---------+-----------+--------------+
| db      | name      | body         |
+---------+-----------+--------------+
| sp_test | test_kill | SELECT NOW() |
+---------+-----------+--------------+
1 row in set (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> call sp_test.test_kill();
+------------+
| CURDATE()  |
+------------+
| 2007-07-30 |
+------------+
1 row in set (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
mysql> flush tables mysql.proc;
Query OK, 0 rows affected (0.00 sec)
mysql> call sp_test.test_kill();
+------------+
| CURDATE()  |
+------------+
| 2007-07-30 |
+------------+
1 row in set (0.00 sec)
Query OK, 0 rows affected (0.06 sec)
mysql> exit;
Bye
C:\Documents and Settings\Todd\MySQL Source\mysql-5.0.41>net stop mysql
The MySQL service is stopping..
The MySQL service was stopped successfully.
C:\Documents and Settings\Todd\MySQL Source\mysql-5.0.41>net start mysql
The MySQL service is starting.
The MySQL service was started successfully.
C:\Documents and Settings\Todd\MySQL Source\mysql-5.0.41>mysql -uroot
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.41-community-nt-log MySQL Community Edition (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> call sp_test.test_kill();
+---------------------+
| NOW()               |
+---------------------+
| 2007-07-30 17:01:54 |
+---------------------+
1 row in set (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
mysql> select db, name, body from mysql.proc;
+---------+-----------+--------------+
| db      | name      | body         |
+---------+-----------+--------------+
| sp_test | test_kill | SELECT NOW() |
+---------+-----------+--------------+
1 row in set (0.00 sec)
mysql>
Suggested fix:
Don't allow direct editing on mysql.proc.
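Until direct edits to mysql.proc are blocked, the exposure can be audited. The queries below are an added example, not part of the original report; they are written against the 5.0-era grant tables the report uses and are meant to be run by an administrator. They list every account holding INSERT, UPDATE or DELETE on the mysql schema or on mysql.proc, and the DEFINER routines such an account could retarget. The scheduled-job and baseline-table names are assumptions, not MySQL objects.

```sql
-- 1. Global write privileges: these apply to every schema, mysql included.
SELECT User, Host, 'GLOBAL' AS scope
FROM mysql.user
WHERE Insert_priv = 'Y' OR Update_priv = 'Y' OR Delete_priv = 'Y';

-- 2. Schema-level grants. mysql.db.Db is matched as a LIKE pattern, so
--    'mysql' LIKE Db also catches wildcard grants such as '%' or 'mys%'.
SELECT User, Host, Db AS scope
FROM mysql.db
WHERE 'mysql' LIKE Db
  AND (Insert_priv = 'Y' OR Update_priv = 'Y' OR Delete_priv = 'Y');

-- 3. Table-level grants directly on mysql.proc. Table_priv is a SET column,
--    so FIND_IN_SET tests for the individual members.
SELECT User, Host, CONCAT(Db, '.', Table_name) AS scope, Table_priv
FROM mysql.tables_priv
WHERE Db = 'mysql' AND Table_name = 'proc'
  AND (FIND_IN_SET('Insert', Table_priv)
    OR FIND_IN_SET('Update', Table_priv)
    OR FIND_IN_SET('Delete', Table_priv));

-- 4. Routines that execute with their definer's rights. A routine whose
--    definer or body was changed through mysql.proc rather than ALTER/CREATE
--    will still show up here, with its modified timestamp.
SELECT db, name, type, definer, security_type, modified
FROM mysql.proc
WHERE security_type = 'DEFINER'
ORDER BY modified DESC;

-- 5. Baseline for change detection (assumed table name sp_audit_baseline):
--    snapshot definer, security type and a body hash, then diff on a schedule.
CREATE TABLE IF NOT EXISTS sp_audit_baseline AS
SELECT db, name, type, definer, security_type, MD5(body) AS body_md5
FROM mysql.proc;

SELECT p.db, p.name, p.definer, p.security_type, 'changed or new' AS status
FROM mysql.proc AS p
LEFT JOIN sp_audit_baseline AS b
  ON b.db = p.db AND b.name = p.name AND b.type = p.type
WHERE b.name IS NULL
   OR b.definer       <> p.definer
   OR b.security_type <> p.security_type
   OR b.body_md5      <> MD5(p.body);
```

As the transcript above shows, a body edited through mysql.proc is not picked up by the running server until restart, so query 5 reports the tampering before the altered routine ever executes. On MySQL 8.0 and later mysql.proc no longer exists; the equivalent columns are in INFORMATION_SCHEMA.ROUTINES.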