Commit ef75db8c authored by evgen@sunlight.local's avatar evgen@sunlight.local

Bug#29908: A user can gain additional access through the ALTER VIEW.

Non-definer of a view was allowed to alter that view. Due to this the alterer
can elevate his access rights to access rights of the view definer and thus
modify data which he wasn't allowed to modify. A view defined with
SQL SECURITY INVOKER can't be used directly for access rights elevation.
But a user can first alter the view SQL code and then alter the view to 
SQL SECURITY DEFINER and thus elevate his access rights. Due to this
altering a view with SQL SECURITY INVOKER is also prohibited.

Now the mysql_create_view function allows ALTER VIEW only to the view
definer or a super user. 
parent 2e7306d5
...@@ -776,15 +776,59 @@ GRANT CREATE VIEW ON db26813.v2 TO u26813@localhost; ...@@ -776,15 +776,59 @@ GRANT CREATE VIEW ON db26813.v2 TO u26813@localhost;
GRANT DROP, CREATE VIEW ON db26813.v3 TO u26813@localhost; GRANT DROP, CREATE VIEW ON db26813.v3 TO u26813@localhost;
GRANT SELECT ON db26813.t1 TO u26813@localhost; GRANT SELECT ON db26813.t1 TO u26813@localhost;
ALTER VIEW v1 AS SELECT f2 FROM t1; ALTER VIEW v1 AS SELECT f2 FROM t1;
ERROR 42000: CREATE VIEW command denied to user 'u26813'@'localhost' for table 'v1' ERROR 42000: Access denied; you need the SUPER privilege for this operation
ALTER VIEW v2 AS SELECT f2 FROM t1; ALTER VIEW v2 AS SELECT f2 FROM t1;
ERROR 42000: DROP command denied to user 'u26813'@'localhost' for table 'v2' ERROR 42000: Access denied; you need the SUPER privilege for this operation
ALTER VIEW v3 AS SELECT f2 FROM t1; ALTER VIEW v3 AS SELECT f2 FROM t1;
ERROR 42000: Access denied; you need the SUPER privilege for this operation
SHOW CREATE VIEW v3; SHOW CREATE VIEW v3;
View Create View View Create View
v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f2` AS `f2` from `t1` v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f1` AS `f1` from `t1`
DROP USER u26813@localhost; DROP USER u26813@localhost;
DROP DATABASE db26813; DROP DATABASE db26813;
#
# Bug#29908: A user can gain additional access through the ALTER VIEW.
#
CREATE DATABASE mysqltest_29908;
USE mysqltest_29908;
CREATE TABLE t1(f1 INT, f2 INT);
CREATE USER u29908_1@localhost;
CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1;
CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS
SELECT f1 FROM t1;
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost;
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost;
GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost;
CREATE USER u29908_2@localhost;
GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost;
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost;
GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost;
ALTER VIEW v1 AS SELECT f2 FROM t1;
ERROR 42000: Access denied; you need the SUPER privilege for this operation
ALTER VIEW v2 AS SELECT f2 FROM t1;
SHOW CREATE VIEW v2;
View Create View
v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f2` AS `f2` from `t1`
ALTER VIEW v1 AS SELECT f2 FROM t1;
SHOW CREATE VIEW v1;
View Create View
v1 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f2` AS `f2` from `t1`
ALTER VIEW v2 AS SELECT f1 FROM t1;
SHOW CREATE VIEW v2;
View Create View
v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1`
ALTER VIEW v1 AS SELECT f1 FROM t1;
SHOW CREATE VIEW v1;
View Create View
v1 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f1` AS `f1` from `t1`
ALTER VIEW v2 AS SELECT f2 FROM t1;
SHOW CREATE VIEW v2;
View Create View
v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f2` AS `f2` from `t1`
DROP USER u29908_1@localhost;
DROP USER u29908_2@localhost;
DROP DATABASE mysqltest_29908;
#######################################################################
DROP DATABASE IF EXISTS mysqltest1; DROP DATABASE IF EXISTS mysqltest1;
DROP DATABASE IF EXISTS mysqltest2; DROP DATABASE IF EXISTS mysqltest2;
CREATE DATABASE mysqltest1; CREATE DATABASE mysqltest1;
......
...@@ -1034,10 +1034,11 @@ GRANT SELECT ON db26813.t1 TO u26813@localhost; ...@@ -1034,10 +1034,11 @@ GRANT SELECT ON db26813.t1 TO u26813@localhost;
connect (u1,localhost,u26813,,db26813); connect (u1,localhost,u26813,,db26813);
connection u1; connection u1;
--error 1142 --error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER VIEW v1 AS SELECT f2 FROM t1; ALTER VIEW v1 AS SELECT f2 FROM t1;
--error 1142 --error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER VIEW v2 AS SELECT f2 FROM t1; ALTER VIEW v2 AS SELECT f2 FROM t1;
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER VIEW v3 AS SELECT f2 FROM t1; ALTER VIEW v3 AS SELECT f2 FROM t1;
connection root; connection root;
...@@ -1047,6 +1048,50 @@ DROP USER u26813@localhost; ...@@ -1047,6 +1048,50 @@ DROP USER u26813@localhost;
DROP DATABASE db26813; DROP DATABASE db26813;
disconnect u1; disconnect u1;
--echo #
--echo # Bug#29908: A user can gain additional access through the ALTER VIEW.
--echo #
connection root;
CREATE DATABASE mysqltest_29908;
USE mysqltest_29908;
CREATE TABLE t1(f1 INT, f2 INT);
CREATE USER u29908_1@localhost;
CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1;
CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS
SELECT f1 FROM t1;
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost;
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost;
GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost;
CREATE USER u29908_2@localhost;
GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost;
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost;
GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost;
connect (u2,localhost,u29908_2,,mysqltest_29908);
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER VIEW v1 AS SELECT f2 FROM t1;
ALTER VIEW v2 AS SELECT f2 FROM t1;
SHOW CREATE VIEW v2;
connect (u1,localhost,u29908_1,,mysqltest_29908);
ALTER VIEW v1 AS SELECT f2 FROM t1;
SHOW CREATE VIEW v1;
ALTER VIEW v2 AS SELECT f1 FROM t1;
SHOW CREATE VIEW v2;
connection root;
ALTER VIEW v1 AS SELECT f1 FROM t1;
SHOW CREATE VIEW v1;
ALTER VIEW v2 AS SELECT f2 FROM t1;
SHOW CREATE VIEW v2;
DROP USER u29908_1@localhost;
DROP USER u29908_2@localhost;
DROP DATABASE mysqltest_29908;
disconnect u1;
disconnect u2;
--echo #######################################################################
# #
# BUG#24040: Create View don't succed with "all privileges" on a database. # BUG#24040: Create View don't succed with "all privileges" on a database.
# #
......
...@@ -223,9 +223,6 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views, ...@@ -223,9 +223,6 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views,
{ {
LEX *lex= thd->lex; LEX *lex= thd->lex;
bool link_to_local; bool link_to_local;
#ifndef NO_EMBEDDED_ACCESS_CHECKS
bool definer_check_is_needed= mode != VIEW_ALTER || lex->definer;
#endif
/* first table in list is target VIEW name => cut off it */ /* first table in list is target VIEW name => cut off it */
TABLE_LIST *view= lex->unlink_first_table(&link_to_local); TABLE_LIST *view= lex->unlink_first_table(&link_to_local);
TABLE_LIST *tables= lex->query_tables; TABLE_LIST *tables= lex->query_tables;
...@@ -280,7 +277,7 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views, ...@@ -280,7 +277,7 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views,
- same as current user - same as current user
- current user has SUPER_ACL - current user has SUPER_ACL
*/ */
if (definer_check_is_needed && if (lex->definer &&
(strcmp(lex->definer->user.str, thd->security_ctx->priv_user) != 0 || (strcmp(lex->definer->user.str, thd->security_ctx->priv_user) != 0 ||
my_strcasecmp(system_charset_info, my_strcasecmp(system_charset_info,
lex->definer->host.str, lex->definer->host.str,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment