Bug #41311 set timestamp allows unprivileged users to change per-session clock
Submitted: 8 Dec 2008 21:39 Modified: 9 Dec 2008 4:20
Reporter: Mark Callaghan Email Updates:
Status: Verified Impact on me:
Category:MySQL Server: Security: Privileges Severity:S3 (Non-critical)
Version:5.0.67, 5.0.72, 5.1.30 OS:Any
Assigned to: CPU Architecture:Any
Tags: SET, timestamp
Triage: Triaged: D5 (Feature request)

[8 Dec 2008 21:39] Mark Callaghan
Unprivileged users (no SUPER priv) can run 'set timestamp = ...' to change their per-session clock. This determines the result for now(), sysdate() if sysdate_is_now is used and the value of 'set timestamp ...' written to the binlog.

I don't think a user without the SUPER privilege should be allowed to do this. And it makes it difficult to have faith in the value of the per-session clock. The current behavior makes it easy for some users to cheat and change their per-session clock when that helps them.

select now();
create table it(i int, ts timestamp);
insert into it values (1, now());
set timestamp = 1228771000;
insert into it values (2, now());

mysql> select * from it;
| i    | ts                  |
|    1 | 2008-12-08 13:27:46 |
|    2 | 2008-12-08 13:16:40 |

Also, you can make a query appear to have been running for a long time by:
set timestamp = <time from many minutes ago>;
<run query>

And then look at SHOW PROCESSLIST output

How to repeat:

Suggested fix:
Require SUPER for set timestamp
[9 Dec 2008 4:20] Valeriy Kravchuk
Thank you for a problem report.