BUG#7391 - Cross-database multi-table UPDATE uses active database

privileges This problem is 4.1 specific. It doesn't affect 4.0 and was fixed in 5.x before. Having any mysql user who is allowed to issue multi table update statement and any column/table grants, allows this user to update any table on a server (mysql grant tables are not exception). check_grant() accepts number of tables (in table list) to be checked in 5-th param. While checking grants for multi table update, number of tables must be 1. It must never be 0 (actually we have DBUG_ASSERT(number > 0) in 5.x in grant_check() function).

BUG#7391 - Cross-database multi-table UPDATE uses active database
privileges This problem is 4.1 specific. It doesn't affect 4.0 and was fixed in 5.x before. Having any mysql user who is allowed to issue multi table update statement and any column/table grants, allows this user to update any table on a server (mysql grant tables are not exception). check_grant() accepts number of tables (in table list) to be checked in 5-th param. While checking grants for multi table update, number of tables must be 1. It must never be 0 (actually we have DBUG_ASSERT(number > 0) in 5.x in grant_check() function).
67db270c · svoj@may.pils.ru · 4e845ccc · 67db270c · 67db270c · 67db270c
Commit 67db270c authored Aug 03, 2006 by svoj@may.pils.ru
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 9 deletions

mysql-test/r/grant.result mysql-test/r/grant.result +5 -4

mysql-test/t/grant.test mysql-test/t/grant.test +6 -4

sql/sql_update.cc sql/sql_update.cc +1 -1

No files found.
--- a/mysql-test/r/grant.result
+++ b/mysql-test/r/grant.result
@@ -383,7 +383,7 @@ GRANT SELECT (c) ON `mysqltest_2`.`t1` TO 'mysqltest_3'@'localhost'
 update mysqltest_1.t1, mysqltest_1.t2 set q=10 where b=1;
 ERROR 42000: UPDATE command denied to user 'mysqltest_3'@'localhost' for column 'q' in table 't1'
 update mysqltest_1.t1, mysqltest_2.t2 set d=20 where d=1;
-ERROR 42000: SELECT command denied to user 'mysqltest_3'@'localhost' for column 'd' in table 't2'
+ERROR 42000: SELECT command denied to user 'mysqltest_3'@'localhost' for table 't1'
 update mysqltest_2.t1, mysqltest_1.t2 set c=20 where b=1;
 ERROR 42000: UPDATE command denied to user 'mysqltest_3'@'localhost' for column 'c' in table 't1'
 update mysqltest_2.t1, mysqltest_2.t2 set d=10 where s=2;
@@ -402,6 +402,7 @@ revoke all on mysqltest_2.t1 from mysqltest_3@localhost;
 revoke all on mysqltest_2.t2 from mysqltest_3@localhost;
 grant all on mysqltest_2.* to mysqltest_3@localhost;
 grant select on *.* to mysqltest_3@localhost;
+grant select on mysqltest_2.t1 to mysqltest_3@localhost;
 flush privileges;
 use mysqltest_1;
 update mysqltest_2.t1, mysqltest_2.t2 set c=500,d=600;
@@ -409,11 +410,11 @@ update mysqltest_1.t1, mysqltest_1.t2 set a=100,b=200;
 ERROR 42000: UPDATE command denied to user 'mysqltest_3'@'localhost' for column 'a' in table 't1'
 use mysqltest_2;
 update mysqltest_1.t1, mysqltest_1.t2 set a=100,b=200;
-ERROR 42000: Access denied for user 'mysqltest_3'@'localhost' to database 'mysqltest_1'
+ERROR 42000: UPDATE command denied to user 'mysqltest_3'@'localhost' for table 't1'
 update mysqltest_2.t1, mysqltest_1.t2 set c=100,b=200;
-ERROR 42000: Access denied for user 'mysqltest_3'@'localhost' to database 'mysqltest_1'
+ERROR 42000: UPDATE command denied to user 'mysqltest_3'@'localhost' for table 't2'
 update mysqltest_1.t1, mysqltest_2.t2 set a=100,d=200;
-ERROR 42000: Access denied for user 'mysqltest_3'@'localhost' to database 'mysqltest_1'
+ERROR 42000: UPDATE command denied to user 'mysqltest_3'@'localhost' for table 't1'
 select t1.*,t2.* from mysqltest_1.t1,mysqltest_1.t2;
 a	q	b	r
 10	2	1	2

--- a/mysql-test/t/grant.test
+++ b/mysql-test/t/grant.test
@@ -323,7 +323,7 @@ connection conn1;
 show grants for mysqltest_3@localhost;
 --error 1143
 update mysqltest_1.t1, mysqltest_1.t2 set q=10 where b=1;
--error 1143
+--error 1142
 update mysqltest_1.t1, mysqltest_2.t2 set d=20 where d=1;
 --error 1143
 update mysqltest_2.t1, mysqltest_1.t2 set c=20 where b=1;
@@ -343,6 +343,8 @@ revoke all on mysqltest_2.t2 from mysqltest_3@localhost;
 #test the db/table level privileges
 grant all on mysqltest_2.* to mysqltest_3@localhost;
 grant select on *.* to mysqltest_3@localhost;
+# Next grant is needed to trigger bug#7391. Do not optimize!
+grant select on mysqltest_2.t1 to mysqltest_3@localhost;
 flush privileges;
 disconnect conn1;
 connect (conn2,localhost,mysqltest_3,,);
@@ -354,11 +356,11 @@ update mysqltest_2.t1, mysqltest_2.t2 set c=500,d=600;
 update mysqltest_1.t1, mysqltest_1.t2 set a=100,b=200;
 use mysqltest_2;
 #the following used to succeed, it must fail now.
--error 1044
+--error 1142
 update mysqltest_1.t1, mysqltest_1.t2 set a=100,b=200;
--error 1044
+--error 1142
 update mysqltest_2.t1, mysqltest_1.t2 set c=100,b=200;
--error 1044
+--error 1142
 update mysqltest_1.t1, mysqltest_2.t2 set a=100,d=200;
 #lets see the result
 connection master;

--- a/sql/sql_update.cc
+++ b/sql/sql_update.cc
@@ -628,7 +628,7 @@ int mysql_multi_update_lock(THD *thd,
        if (!using_lock_tables)
 	  tl->table->reginfo.lock_type= tl->lock_type;
        if (check_access(thd, wants, tl->db, &tl->grant.privilege, 0, 0) ||
-            (grant_option && check_grant(thd, wants, tl, 0, 0, 0)))
+            (grant_option && check_grant(thd, wants, tl, 0, 1, 0)))
        {
          tl->next= save;
          DBUG_RETURN(1);