Bug #51770 UNINSTALL PLUGIN requires no privileges
Submitted: 5 Mar 2010 16:14 Modified: 12 Jul 2010 8:30
Reporter: Paul Dubois Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S2 (Serious)
Version:5.1+ OS:Any
Assigned to: Davi Arnaut CPU Architecture:Any
Triage: Triaged: D1 (Critical)

[5 Mar 2010 16:14] Paul Dubois
Description:
For INSTALL PLUGIN, sql_plugin.cc:mysql_install_plugin() indicates that the INSERT privilege on the mysql.plugins table is required:

  bzero(&tables, sizeof(tables));
  tables.db= (char *)"mysql";
  tables.table_name= tables.alias= (char *)"plugin";
  if (check_table_access(thd, INSERT_ACL, &tables, 1, FALSE))
    DBUG_RETURN(TRUE);

But for UNINSTALL PLUGIN, looking in the mysql_uninstall_plugin() function shows that there is no code at all for checking required privileges. This means that ANY user, even a user with no privileges, can uninstall ANY plugin. (At least plugins that are loaded dynamically.)

How to repeat:
Create a user with no privileges:

CREATE USER 'x'@'localhost';

Connect as that user and try UNINSTALL PLUGIN for some dynamic plugin. It will work.

Suggested fix:
I propose that some privilege should be required to uninstall plugins, perhaps the same privilege as for INSTALL PLUGIN.
[8 Mar 2010 21:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/102618

3375 Davi Arnaut	2010-03-08
      Bug#51770: UNINSTALL PLUGIN requires no privileges
      
      The problem was that UNINSTALL PLUGIN wasn't performing privilege
      checks before removing a plugin. Any user (including users without 
      any kind of privileges) could uninstall any plugin.
      
      The solution is to verify if the user has the DELETE privilege for
      the mysql.plugin table before uninstalling a plugin.
     @ mysql-test/r/plugin_not_embedded.result
        Add test case result for Bug#51770.
     @ mysql-test/t/plugin_not_embedded-master.opt
        Add example plugin path.
     @ mysql-test/t/plugin_not_embedded.test
        Add test case for Bug#51770.
        Skip embedded as test relies on privileges checks.
[9 Mar 2010 12:16] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/102693

3375 Davi Arnaut	2010-03-09
      Bug#51770: UNINSTALL PLUGIN requires no privileges
      
      The problem was that UNINSTALL PLUGIN wasn't performing privilege
      checks before removing a plugin. Any user (including users without 
      any kind of privileges) could uninstall any plugin.
      
      The solution is to verify if the user has the DELETE privilege for
      the mysql.plugin table before uninstalling a plugin.
     @ mysql-test/r/plugin_not_embedded.result
        Add test case result for Bug#51770.
     @ mysql-test/t/plugin_not_embedded-master.opt
        Add example plugin path.
     @ mysql-test/t/plugin_not_embedded.test
        Add test case for Bug#51770.
        Skip embedded as test relies on privileges checks.
[13 Mar 2010 21:25] Davi Arnaut
Queued to mysql-5.1-bugteam
[26 Mar 2010 8:21] Bugs System
Pushed into 5.5.4-m3 (revid:alik@sun.com-20100326080914-2pz8ns984e0spu03) (version source revid:alexey.kopytov@sun.com-20100320202342-3oapaq7r0t6qhexq) (merge vers: 5.5.3-m2) (pib:16)
[26 Mar 2010 8:25] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100326081116-m3v4l34yhr43mtsv) (version source revid:alik@sun.com-20100325072612-4sds00ix8ajo1e84) (pib:16)
[26 Mar 2010 8:30] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100326081944-qja07qklw1p2w7jb) (version source revid:alik@sun.com-20100325073410-4t4i9gu2u1pge7xb) (merge vers: 6.0.14-alpha) (pib:16)
[6 Apr 2010 7:56] Bugs System
Pushed into 5.1.46 (revid:sergey.glukhov@sun.com-20100405111026-7kz1p8qlzglqgfmu) (version source revid:davi.arnaut@sun.com-20100309121617-yyhxs2u2c2s0ykti) (merge vers: 5.1.46) (pib:16)
[14 Apr 2010 19:38] Paul Dubois
Noted in 5.1.46, 5.5.5, 6.0.14 changelogs.

Privilege checking for UNINSTALL PLUGIN was incorrect.
[11 May 2010 15:57] Paul Dubois
Added CVE-2010-1621 tag to changelog entry.
[17 Jun 2010 12:11] Bugs System
Pushed into 5.1.47-ndb-7.0.16 (revid:martin.skold@mysql.com-20100617114014-bva0dy24yyd67697) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 12:58] Bugs System
Pushed into 5.1.47-ndb-6.2.19 (revid:martin.skold@mysql.com-20100617115448-idrbic6gbki37h1c) (version source revid:martin.skold@mysql.com-20100609211156-tsac5qhw951miwtt) (merge vers: 5.1.46-ndb-6.2.19) (pib:16)
[17 Jun 2010 13:38] Bugs System
Pushed into 5.1.47-ndb-6.3.35 (revid:martin.skold@mysql.com-20100617114611-61aqbb52j752y116) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)