Bug #33241 | Wrong privileges used if there are different for same user name IP and host | ||
---|---|---|---|
Submitted: | 14 Dec 2007 12:48 | Modified: | 10 Dec 2008 8:44 |
Reporter: | Sveta Smirnova | Email Updates: | |
Status: | Verified | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S3 (Non-critical) |
Version: | 5.0.45, 5.1 BK | OS: | Any (Linux (x86_64)) |
Assigned to: | | CPU Architecture: | Any |
[14 Dec 2007 12:48]
Sveta Smirnova
[14 Dec 2007 12:51]
Sveta Smirnova
Workaround: update grant tables to only use IP
[18 Aug 2008 18:00]
Sveta Smirnova
data directory
Attachment: data_bug33241.tar.gz (application/x-gzip, text), 119.79 KiB.
[3 Dec 2008 18:13]
Ramil Kalimullin
Sveta, you have two records with Db='qa001' and User='ec' in the mysql.db. One with IP address that does prohibit SELECTs and another with host name that allows.

"... The server sorts the db table based on the Host, Db, and User scope columns, and sorts the host table based on the Host and Db scope columns. As with the user table, sorting puts the most-specific values first and least-specific values last, and when the server looks for matching entries, it uses the first match that it finds." (http://dev.mysql.com/doc/refman/5.0/en/request-access.html)

So the first one is the mysql.db record with IP that forbids such SELECTs.
[8 Dec 2008 7:16]
Sveta Smirnova
In my opinion the problem is that the user does not have clear information about which rights she uses: the rights of user@host_name or of user@IP. So the bug can be in:

1. How MySQL checks grants when it performs a particular query.
2. The work of CURRENT_USER (if it chooses the wrong user).
3. The work of SHOW GRANTS (it does not show grants in the same manner in which MySQL uses them when it performs a query).
4. The documentation, which does not clearly say "if you have both IP and host_name privileges defined, behavior is undefined."
5. mysql_upgrade does not upgrade the privilege tables in a way that makes them work smoothly.

In my opinion the problem is more likely 1, 3 or 5. What to fix does not matter to me, because any of them would solve the problem.

Not 4, because 1) the problem exists only when using a data directory created by a previous version of MySQL, 2) with correct privilege tables there is no such inconsistency and 3) it is dangerous not to have clear behavior about which privileges to choose.

Not 2, because it is possible to have different rights for different objects based on user@host_name and user@IP identification, although current_user() should return only value.

And sorry, but there is no better test case, because the problem is only repeatable with particular privilege tables.
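
An added example, not part of the bug report or of MySQL's code: an audit over rows exported from mysql.db that flags every (Db, User) pair whose Host rows grant different privileges, which is the condition Ramil Kalimullin describes above. Only Db='qa001' and User='ec' come from the report; the host values, the other rows and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of mysql.db rows: (Host, Db, User, Select_priv, Insert_priv).
# Only Db='qa001' and User='ec' appear in the report; hosts are placeholders.
SAMPLE_DB_ROWS = [
    ("192.0.2.10", "qa001", "ec", "N", "Y"),
    ("client.example.com", "qa001", "ec", "Y", "Y"),
    ("%", "qa001", "report", "Y", "N"),
    ("localhost", "qa001", "report", "Y", "N"),
    ("localhost", "qa002", "ec", "Y", "Y"),
]
PRIV_COLUMNS = ("Select_priv", "Insert_priv")


def host_kind(host):
    """Classify a Host value as 'pattern', 'ip' or 'name'."""
    if "%" in host or "_" in host or "/" in host:
        return "pattern"  # wildcard or netmask form
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "name"


def find_conflicts(rows):
    """Return (Db, User) pairs whose Host rows disagree on any privilege."""
    groups = defaultdict(list)
    for host, db, user, *privs in rows:
        groups[(db, user)].append((host, tuple(privs)))
    conflicts = {}
    for key, entries in groups.items():
        if len({privs for _, privs in entries}) < 2:
            continue  # one row only, or every row grants the same thing
        differing = [col for i, col in enumerate(PRIV_COLUMNS)
                     if len({privs[i] for _, privs in entries}) > 1]
        conflicts[key] = {
            "hosts": sorted((host, host_kind(host)) for host, _ in entries),
            "differing": differing,
        }
    return conflicts


if __name__ == "__main__":
    for (db, user), info in find_conflicts(SAMPLE_DB_ROWS).items():
        print(f"{user} on {db}: {info['hosts']} differ in {info['differing']}")
```

A pair reported with both an `ip` and a `name` host is the case from this report, where the effective rights depend on which row the server matches first.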