Bug #37023 | Editing SP with no mysql\SELECT rights fails to throw error | ||
---|---|---|---|
Submitted: | 27 May 2008 23:45 | Modified: | 14 Feb 2009 16:50 |
Reporter: | Jared S (Silver Quality Contributor) | Email Updates: | |
Status: | No Feedback | Impact on me: | |
Category: | MySQL Query Browser | Severity: | S3 (Non-critical) |
Version: | 1.2.12 | OS: | Windows (Vista) |
Assigned to: | CPU Architecture: | Any | |
Tags: | no contents, qc, SP |
[27 May 2008 23:45]
Jared S
[3 Aug 2008 17:57]
Sveta Smirnova
Thank you for the report. I can not repeat described behavior. Please provide step-by-step instruction.
[3 Aug 2008 23:40]
Jared S
1. Setup following environment below ..Vista\MySQL 5.1.26 >> Vista\GUI-TOOLS-Latest 2. Enter new basic SP on server machine 3. Edit new SP reomtley with latest server components DELIMITER $$ DROP PROCEDURE IF EXISTS `test`.`MyProc` $$ CREATE PROCEDURE `test`.`MyProc` () BEGIN select 1; END $$ DELIMITER ;
[3 Aug 2008 23:41]
Jared S
Picture of the bug
Attachment: bug37023.jpg (image/pjpeg, text), 24.46 KiB.
[3 Sep 2008 18:12]
Jennifer Kimball
I am also seeing this bug. My database lives on a Solaris 10 box. The MySQL version is 5.0.51a-log. Query Browser lives on a Windows XP box. QB version=1.2.12. The issue occurs with both functions and procedures. When opening a function or procedure to edit from QB, an empty skeleton is displayed as would be expected if one clicked "create function/procedure". However, the function/procedure will run successfully. Interestingly, functions and procedures created in QB or Administrator open properly in edit mode. I thought this might have to do with the user@localhost vs the user@remotehost grants, but both have GRANT ALL PRIVILEGES ON mydb TO user@whateverhost
[16 Sep 2008 15:18]
Susanne Ebrecht
Many thanks for the description. I also think it is related to remote servers. I have to test with database on another machine.
[15 Dec 2008 23:02]
Jared S
http://dev.mysql.com/doc/refman/5.0/en/show-create-procedure.html "The statements require that you be the owner of the routine or have SELECT access to the mysql.proc table." http://dev.mysql.com/doc/refman/5.1/en/create-procedure.html "The default value is DEFINER. This feature is new in SQL:2003. The creator or invoker must have permission to access the database with which the routine is associated." mysql> SELECT routine_schema, routine_name, routine_type,security_type, definer FROM information_schema.ROUTINES; +----------------+--------------+--------------+---------------+---------------- + | routine_schema | routine_name | routine_type | security_type | definer | +----------------+--------------+--------------+---------------+---------------- + | live | MyProc2 | PROCEDURE | DEFINER | live@% | | live | MYProc3 | PROCEDURE | DEFINER | live@% | | live | Proc1 | PROCEDURE | DEFINER | root@localhost | | live | proc4 | PROCEDURE | DEFINER | root@localhost | +----------------+--------------+--------------+---------------+---------------- + 4 rows in set (0.00 sec) mysql> SELECT db, name, type, security_type, definer FROM mysql.proc; +------+---------+-----------+---------------+----------------+ | db | name | type | security_type | definer | +------+---------+-----------+---------------+----------------+ | live | Proc1 | PROCEDURE | DEFINER | root@localhost | | live | MyProc2 | PROCEDURE | DEFINER | live@% | | live | MYProc3 | PROCEDURE | DEFINER | live@% | | live | proc4 | PROCEDURE | DEFINER | root@localhost | +------+---------+-----------+---------------+----------------+ 4 rows in set (0.00 sec) Workaround : Edit proc using local machine and change DEFINER=`live`@`%` ISSUE 1. Editing SP with no mysql\SELECT rights fails to throw error ISSUE 2. MySQL allows 'root@%' to edit proc defined as 'root@localhost' Could you consider the 1st as'Verified' and consider the latter security hole.
[14 Jan 2009 16:50]
Susanne Ebrecht
Many thanks for writing a bug report. Please try newer version and let us know if you still have this problem. The newest version is MySQL Query Browser 1.2.15
[15 Feb 2009 0:00]
Bugs System
No feedback was provided for this bug for over a month, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".
[16 Feb 2009 12:54]
Jennifer Kimball
Changing to the newest version was not sufficient. Adding the GRANT: GRANT SELECT ON `mysql`.`proc` TO 'thisuser'@'that.computer' fixed the problem. But it did not make my sysadmin happy.