Bug #47961 | metadata leak from information_schema.routines via privs on mysql.proc table | | |
---|---|---|---|
Submitted: | 9 Oct 2009 21:51 | Modified: | 9 Oct 2009 23:28 |
Reporter: | Jeff Stoner | Email Updates: | |
Status: | Verified | Impact on me: | |
Category: | MySQL Server: Information schema | Severity: | S3 (Non-critical) |
Version: | 5.1.39-community, 5.5+ | OS: | Linux (only tested on CentOS 5.3) |
Assigned to: | | CPU Architecture: | Any |
Tags: | information_schema, privileges, routines | | |
[9 Oct 2009 21:51]
Jeff Stoner
[9 Oct 2009 23:28]
MySQL Verification Team
Thank you for the bug report. Verified as described.

```
mysql> select body from mysql.proc;
ERROR 1143 (42000): SELECT command denied to user 'bar2'@'localhost' for column 'body' in table 'proc'
mysql> select db from mysql.proc;
ERROR 1143 (42000): SELECT command denied to user 'bar2'@'localhost' for column 'db' in table 'proc'
mysql> select * from information_schema.routines\G
*************************** 1. row ***************************
          SPECIFIC_NAME: bugsp
        ROUTINE_CATALOG: NULL
         ROUTINE_SCHEMA: foobar
           ROUTINE_NAME: bugsp
           ROUTINE_TYPE: PROCEDURE
         DTD_IDENTIFIER: NULL
           ROUTINE_BODY: SQL
     ROUTINE_DEFINITION: begin select 1+1; end
          EXTERNAL_NAME: NULL
      EXTERNAL_LANGUAGE: NULL
        PARAMETER_STYLE: SQL
       IS_DETERMINISTIC: NO
        SQL_DATA_ACCESS: CONTAINS SQL
               SQL_PATH: NULL
          SECURITY_TYPE: DEFINER
                CREATED: 2009-10-09 20:24:10
           LAST_ALTERED: 2009-10-09 20:24:10
               SQL_MODE:
        ROUTINE_COMMENT:
                DEFINER: foo1@localhost
   CHARACTER_SET_CLIENT: latin1
   COLLATION_CONNECTION: latin1_swedish_ci
     DATABASE_COLLATION: latin1_swedish_ci
1 row in set (0.01 sec)

mysql> select version();
+------------------+
| version()        |
+------------------+
| 5.5.0-beta-debug |
+------------------+
1 row in set (0.00 sec)

mysql>
```
[19 Oct 2009 21:33]
Timothy Smith
This is a reasonable request to improve the privilege system in this area. Granting access to mysql.* system tables should be done for privileged users only; such access really should be limited to users with SUPER privilege; other users should get their information via INFORMATION_SCHEMA or SHOW statements.
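An added example, not part of the bug report or of MySQL's own documentation, that applies the recommendation above from a DBA's side: audit which non-SUPER accounts hold any privilege that reaches mysql.proc (the path through which the verification transcript shows ROUTINE_DEFINITION leaking from INFORMATION_SCHEMA.ROUTINES), then remove the direct grant. It assumes the standard 5.1/5.5 grant tables (mysql.user, mysql.db, mysql.tables_priv, mysql.columns_priv); 'bar2'@'localhost' is the account from the transcript and stands in for whichever account the audit turns up.

```sql
-- Audit: every way a non-SUPER account can reach mysql.proc.
-- Added example, assumes the stock 5.1/5.5 grant tables.

-- 1. Global SELECT covers every table, mysql.proc included.
SELECT User, Host, 'GLOBAL' AS scope, Select_priv AS detail
  FROM mysql.user
 WHERE Select_priv = 'Y' AND Super_priv = 'N'
UNION ALL
-- 2. Schema-level privileges on the mysql database.
SELECT User, Host, 'SCHEMA mysql', Select_priv
  FROM mysql.db
 WHERE Db = 'mysql'
UNION ALL
-- 3. Table-level privileges on mysql.proc.
SELECT User, Host, 'TABLE mysql.proc', Table_priv
  FROM mysql.tables_priv
 WHERE Db = 'mysql' AND Table_name = 'proc'
UNION ALL
-- 4. Column-level privileges on mysql.proc. This is the case in the
--    report: bar2 was denied the body and db columns directly, yet the
--    grant was enough for I_S.ROUTINES to return the full definition.
SELECT User, Host, CONCAT('COLUMN mysql.proc.', Column_name), Column_priv
  FROM mysql.columns_priv
 WHERE Db = 'mysql' AND Table_name = 'proc'
 ORDER BY User, Host, scope;

-- Remediation for each account the audit lists that is not meant to be
-- privileged: drop the direct grant on mysql.proc. The account keeps
-- whatever SHOW CREATE PROCEDURE / I_S.ROUTINES already expose for
-- routines it created or may execute.
REVOKE ALL PRIVILEGES ON mysql.proc FROM 'bar2'@'localhost';
FLUSH PRIVILEGES;

-- Confirm nothing mentioning mysql.proc remains for the account.
SHOW GRANTS FOR 'bar2'@'localhost';
```

Run the audit as an account with SELECT on the mysql schema. If SHOW GRANTS still lists a column-level grant on mysql.proc afterwards, revoke that column explicitly with REVOKE SELECT (column_name) ON mysql.proc FROM the same account, then re-check.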