Bug #57061 User without privilege on routine can discover its existence.
Submitted: 28 Sep 2010 10:31 Modified: 16 Nov 2010 3:47
Reporter: Dmitry Lenev Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S3 (Non-critical)
Version:5.1.52-bzr, 5.5.7-bzr OS:Any
Assigned to: Dmitry Lenev CPU Architecture:Any

[28 Sep 2010 10:31] Dmitry Lenev
Description:
User which doesn't have any privileges on the routine or on mysql.proc table still is able to discover its existence. This is wrong as one should not know anything about a database object unless one has privileges on it.

How to repeat:
# Test case for mysqltest tool.
create database mysqltest;
create user mysqltest_1@localhost;
connect (user_a,localhost,mysqltest_1,,);
connection user_a;
drop function if exists mysqltest.f1;
# Succeeds! Returns:
# Warnings:
# Note    1305    FUNCTION f1 does not exist
drop procedure if exists mysqltest.p1;
# Succeeds!
# Warnings:
# Note    1305    PROCEDURE p1 does not exist
connection default;
create function mysqltest.f1() returns int return 0;
create procedure mysqltest.p1() begin end;

connection user_a;
--error 1370
drop function if exists mysqltest.f1;
# Fails with
# ERROR 42000: alter routine command denied to user 'mysqltest_1'@'localhost' for routine 'mysqltest.f1'
# Still user is able to figure out that function exists!
--error 1370
drop procedure if exists mysqltest.p1;
# Fails with
# ERROR 42000: alter routine command denied to user 'mysqltest_1'@'localhost' for routine 'mysqltest.p1'
# Still user can figure out that procedure exists.
[28 Sep 2010 12:41] MySQL Verification Team
Thank you for the bug report.
[28 Sep 2010 12:56] Peter Laursen
If this behavior is changed I request that error messages like 'doesn't exist' get replaced with something else ('no access for this user') *both* when denial is for lack of privileges to an existing object *and* when object does not exist.
[28 Sep 2010 16:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/119304

3146 Dmitry Lenev	2010-09-28
      Fix for bug#57061 "User without privilege on routine can 
      discover its existence".
      
      The problem was that user without any privileges on 
      routine was able to find out whether it existed or not.
      DROP FUNCTION and DROP PROCEDURE statements were 
      checking if routine being dropped existed and reported 
      ER_SP_DOES_NOT_EXIST error/warning before checking 
      if user had enough privileges to drop it.
      
      This patch solves this problem by changing code not to 
      check if routine exists before checking if user has enough 
      privileges to drop it. Moreover we no longer perform this 
      check using a separate call instead we rely on 
      sp_drop_routine() returning SP_KEY_NOT_FOUND if routine 
      doesn't exist.
      
      This change also simplifies one of upcoming patches
      refactoring global read lock implementation.
     @ mysql-test/r/grant.result
        Updated test case after fixing bug#57061 "User without
        privilege on routine can discover its existence". Removed
        DROP PROCEDURE/FUNCTION statements which have started to
        fail after this fix (correctly). There is no need in
        dropping routines in freshly created database anyway.
     @ mysql-test/r/sp-security.result
        Added new test case for bug#57061 "User without privilege
        on routine can discover its existence". Updated existing
        tests according to new behaviour.
     @ mysql-test/suite/funcs_1/r/innodb_storedproc_06.result
        Updated test case after fixing bug#57061 "User without
        privilege on routine can discover its existence".
        Now we drop routines under user which has enough
        privileges to do so.
     @ mysql-test/suite/funcs_1/r/memory_storedproc_06.result
        Updated test case after fixing bug#57061 "User without
        privilege on routine can discover its existence".
        Now we drop routines under user which has enough
        privileges to do so.
     @ mysql-test/suite/funcs_1/r/myisam_storedproc_06.result
        Updated test case after fixing bug#57061 "User without
        privilege on routine can discover its existence".
        Now we drop routines under user which has enough
        privileges to do so.
     @ mysql-test/suite/funcs_1/storedproc/storedproc_06.inc
        Updated test case after fixing bug#57061 "User without
        privilege on routine can discover its existence".
        Now we drop routines under user which has enough
        privileges to do so.
     @ mysql-test/t/grant.test
        Updated test case after fixing bug#57061 "User without
        privilege on routine can discover its existence". Removed
        DROP PROCEDURE/FUNCTION statements which have started to
        fail after this fix (correctly). There is no need in
        dropping routines in freshly created database anyway.
     @ mysql-test/t/sp-security.test
        Added new test case for bug#57061 "User without privilege
        on routine can discover its existence". Updated existing
        tests according to new behaviour.
     @ sql/sp.cc
        Removed sp_routine_exists_in_table() which is no longer
        used.
     @ sql/sp.h
        Removed sp_routine_exists_in_table() which is no longer
        used.
     @ sql/sql_parse.cc
        When dropping routine we no longer check if routine exists 
        before checking if user has enough privileges to do so. 
        Moreover we no longer perform this check using a separate 
        call instead we rely on sp_drop_routine() returning 
        SP_KEY_NOT_FOUND if routine doesn't exist.
[7 Oct 2010 16:02] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/120279

3159 Dmitry Lenev	2010-10-07
      Fix for bug#57061 "User without privilege on routine can 
      discover its existence".
      
      The problem was that user without any privileges on 
      routine was able to find out whether it existed or not.
      DROP FUNCTION and DROP PROCEDURE statements were 
      checking if routine being dropped existed and reported 
      ER_SP_DOES_NOT_EXIST error/warning before checking 
      if user had enough privileges to drop it.
      
      This patch solves this problem by changing code not to 
      check if routine exists before checking if user has enough 
      privileges to drop it. Moreover we no longer perform this 
      check using a separate call instead we rely on 
      sp_drop_routine() returning SP_KEY_NOT_FOUND if routine 
      doesn't exist.
      
      This change also simplifies one of upcoming patches
      refactoring global read lock implementation.
     @ mysql-test/r/grant.result
        Updated test case after fixing bug#57061 "User without
        privilege on routine can discover its existence". Removed
        DROP PROCEDURE/FUNCTION statements which have started to
        fail after this fix (correctly). There is no need in
        dropping routines in freshly created database anyway.
     @ mysql-test/r/sp-security.result
        Added new test case for bug#57061 "User without privilege
        on routine can discover its existence". Updated existing
        tests according to new behaviour.
     @ mysql-test/suite/funcs_1/r/innodb_storedproc_06.result
        Updated test case after fixing bug#57061 "User without
        privilege on routine can discover its existence".
        Now we drop routines under user which has enough
        privileges to do so.
     @ mysql-test/suite/funcs_1/r/memory_storedproc_06.result
        Updated test case after fixing bug#57061 "User without
        privilege on routine can discover its existence".
        Now we drop routines under user which has enough
        privileges to do so.
     @ mysql-test/suite/funcs_1/r/myisam_storedproc_06.result
        Updated test case after fixing bug#57061 "User without
        privilege on routine can discover its existence".
        Now we drop routines under user which has enough
        privileges to do so.
     @ mysql-test/suite/funcs_1/storedproc/storedproc_06.inc
        Updated test case after fixing bug#57061 "User without
        privilege on routine can discover its existence".
        Now we drop routines under user which has enough
        privileges to do so.
     @ mysql-test/t/grant.test
        Updated test case after fixing bug#57061 "User without
        privilege on routine can discover its existence". Removed
        DROP PROCEDURE/FUNCTION statements which have started to
        fail after this fix (correctly). There is no need in
        dropping routines in freshly created database anyway.
     @ mysql-test/t/sp-security.test
        Added new test case for bug#57061 "User without privilege
        on routine can discover its existence". Updated existing
        tests according to new behaviour.
     @ sql/sp.cc
        Removed sp_routine_exists_in_table() which is no longer
        used.
     @ sql/sp.h
        Removed sp_routine_exists_in_table() which is no longer
        used.
     @ sql/sql_parse.cc
        When dropping routine we no longer check if routine exists 
        before checking if user has enough privileges to do so. 
        Moreover we no longer perform this check using a separate 
        call instead we rely on sp_drop_routine() returning 
        SP_KEY_NOT_FOUND if routine doesn't exist.
[8 Oct 2010 8:36] Dmitry Lenev
Fix for this bug was queued into mysql-5.5-runtime tree.
[13 Nov 2010 16:13] Bugs System
Pushed into mysql-trunk 5.6.99-m5 (revid:alexander.nozdrin@oracle.com-20101113155825-czmva9kg4n31anmu) (version source revid:alexander.nozdrin@oracle.com-20101113152450-2zzcm50e7i4j35v7) (merge vers: 5.6.1-m4) (pib:21)
[13 Nov 2010 16:37] Bugs System
Pushed into mysql-next-mr (revid:alexander.nozdrin@oracle.com-20101113160336-atmtmfb3mzm4pz4i) (version source revid:vasil.dimov@oracle.com-20100629074804-359l9m9gniauxr94) (pib:21)
[16 Nov 2010 3:47] Paul Dubois
Noted in 5.5.7 changelog.

A user with no privileges on a stored routine or the mysql.proc table
could discover the routine's existence.
[16 Dec 2010 22:31] Bugs System
Pushed into mysql-5.5 5.5.9 (revid:jonathan.perkin@oracle.com-20101216101358-fyzr1epq95a3yett) (version source revid:jonathan.perkin@oracle.com-20101216101358-fyzr1epq95a3yett) (merge vers: 5.5.9) (pib:24)