maria-developers team mailing list archive

Thread
Date

Re: When SP DEFINER is empty.

To: Alexey Botchkov <holyfoot@xxxxxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Sat, 25 Jun 2016 13:45:41 +0200
Cc: maria-developers@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4da35281-f7cd-50e5-78f3-0315222d65ca@askmonty.org>
User-agent: Mutt/1.5.24 (2015-08-30)

Hi, Alexey!

I think, specify a non-empty DEFINER explicitly.

Doesn't matter which one, it's mysql_install_db, so there are few
definers that are guaranteed to exist (as they are created by
mysql_install_db itself), use one of those, for example, root@localhost.

Those procedures are SQL SECURITY INVOKER anyway.

On Jun 25, Alexey Botchkov wrote:
> 
> I'm in doubts about how this one should be fixed:
> 
> https://jira.mariadb.org/browse/MDEV-10119
> 
> The story goes like this:
> 
> -  mysql_install_db script runs 'mysqld --skip-grant-tables'
> 
>      In this case the 'current_user()' seems to be empty.
> 
> - so the CREATE PROCEDURE command in the bootstrap creates the procedure 
> with the empty DEFINER.
> 
> - as a result, the 'SHOW CREATE PROCEDURE' returns query started with
> 
>       'CREATE DEFINER=`` PROCEDURE...',
> 
> - that DEFINER=`` gives an error when feed to the server.
> 
> That can be fixed on any stage. We can do any of these:
> 
> - set some 'current_user()' to be not empty even with the 
> --skip-grant-tables option
> 
> - specify some non-empty DEFINER for the CREATE PROCEDURE statement
> 
>      (in both options it's not that clear what user could that be)
> 
> - fix the SHOW CREATE PROCEDURE statement so it doesn't add the 
> errorneous DEFINER=`` to the query.
> 
> - make server handling the 'DEFINER=``' with no error. Maybe assigning 
> the 'current_user()' in this case.
> 
> So, what can You recommend as a fix in this case?
> 
> Best regards.
> HF

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx

References

When SP DEFINER is empty.
From: Alexey Botchkov, 2016-06-25