Bug #33275 | Server crash when creating temporary table mysql.user | ||
---|---|---|---|
Submitted: | 16 Dec 2007 19:24 | Modified: | 20 May 2008 23:18 |
Reporter: | Morgan Tocker | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server | Severity: | S2 (Serious) |
Version: | 5.0.54, ALL | OS: | Any |
Assigned to: | Kristofer Pettersson | CPU Architecture: | Any |
[16 Dec 2007 19:24]
Morgan Tocker
[16 Dec 2007 19:26]
Morgan Tocker
Suggested fix - don't reload privileges from temporary tables (does this break BC?)
[16 Dec 2007 19:32]
Kolbe Kegel
This bug is not specifically related to temporary tables, really. If you create a "real" table called mysql.user with a nonsensical set of columns, FLUSH PRIVILEGES will cause the server to crash and will also prevent the server from starting. If the server encounters a "corrupt" MySQL privilege tables with unexpected or invalid columns upon FLUSH PRIVILEGES, it should shutdown in a controlled fashion and write a reasonable error message to the error log. If MySQL encounters this condition on startup, it should, again, print a reasonable error message to the error log refuse to start.
[25 Mar 2008 11:44]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/44379 ChangeSet@1.2595, 2008-03-25 12:52:55+01:00, thek@adventure.(none) +3 -0 Bug#33275 Server crash when creating temporary table mysql.user When creating a temporary table that uses the same name as the mysql privs table the server would crash on FLUSH PRIVILEGES. This patches corrects the problem by setting a flag to ignore any temporary table when trying to reload the privileges.
[26 Mar 2008 9:41]
Kristofer Pettersson
This bug has two issues: One is that a temporary table should not shadow the schema tables, the second is that if the user has the authority to break the privilege system by replacing the mysql.user table, the server should not crash but shut down in a controlled fashion. The first issue will be fixed, the latter will need more than patching and refactoring and will be addressed in the new data dictionary.
[26 Mar 2008 9:41]
Kristofer Pettersson
new data dictionary worklog is wl#2760
[2 Apr 2008 15:56]
Jon Stephens
This fix was reported as pushed into mysql-5.1.23-ndb-6.3.11 on 28 March. Here's what happens when I try this with a server pulled and built from the telco-6.3 tree a coupel of days later: jon@flundra:~/bin/mysql-5.1-telco-6.3/bin> ls -l ../libexec/mysqld* -rwxr-xr-x 1 jon users 40349964 2008-03-30 15:13 ../libexec/mysqld jon@flundra:~/bin/mysql-5.1-telco-6.3/bin> ./mysql -uroot Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 2 Server version: 5.1.23-ndb-6.3.11-debug Source distribution Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> create temporary table mysql.user (c1 INT); Query OK, 0 rows affected (0.00 sec) mysql> select * from mysql.user; Empty set (0.00 sec) mysql> flush privileges; Query OK, 0 rows affected (0.00 sec) mysql> show create table mysql.user; +-------+----------------------------------------------------------------------------------------------------+ | Table | Create Table | +-------+----------------------------------------------------------------------------------------------------+ | user | CREATE TEMPORARY TABLE `user` ( `c1` int(11) DEFAULT NULL ) ENGINE=MyISAM DEFAULT CHARSET=latin1 | +-------+----------------------------------------------------------------------------------------------------+ 1 row in set (0.00 sec) Looks to me like this issue was not really fixed, since it's still possible to shadow the grant tables, and I'm given to understand from the comments above that this was to be disallowed. Please verify the intended behaviour and that this fix provides it. Thanks.
[3 Apr 2008 7:55]
Kristofer Pettersson
It is indeed possible for a user to shadow the mysql.user table, it should however be connection bound and from the users own perspective. The patches fixes so that the internal, and global, privilege system isn't affected as well. In other words it isn't possible to shadow the mysql.user table from the _privilege_system_.
[3 Apr 2008 13:46]
Jon Stephens
Documented in the 5.1.23-ndb-6.3.11 changelog as follows: Executing a FLUSH PRIVILEGES statement after creating a temporary table in the mysql database with the same name as one of the MySQL system tables caused the server to crash. Note that while it is possible to shadow a system table in this way, the temporary table exists only for the current user and connection, and does not effect any users privileges. Set status back to Patch Approved, pending merges to mainline trees.
[20 Apr 2008 13:01]
Bugs System
Pushed into 6.0.6-alpha
[21 Apr 2008 17:54]
Paul DuBois
Noted in 6.0.6 changelog.
[21 Apr 2008 19:33]
Jon Stephens
Will this fix appear in 5.0 or 5.1 mainline?
[20 May 2008 21:22]
Bugs System
Pushed into 5.1.25-rc
[20 May 2008 23:18]
Paul DuBois
Noted in 5.1.25 changelog.
[28 Jul 2008 16:53]
Bugs System
Pushed into 5.1.25-rc (revid:sp1r-kostja@bodhi.(none)-20080520073817-17550) (version source revid:sp1r-kostja@bodhi.(none)-20080520073817-17550) (pib:3)