maria-developers team mailing list archive

Thread
Date

Re: 784cc5970dd: MDEV-19650: Privilege bug on MariaDB 10.4

To: Oleksandr Byelkin <sanja@xxxxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Mon, 20 Apr 2020 16:04:19 +0200
Cc: maria-developers <maria-developers@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CADYFmDSrTMJ=fURJcdbqbkTbdwdMbKQTYUDVgLr3aeuX+WW5uQ@mail.gmail.com>
User-agent: Mutt/1.10.1 (2018-07-13)

Hi, Oleksandr!

On Apr 20, Oleksandr Byelkin wrote:
> > Hi, Oleksandr!
> >
> > On Apr 20, Oleksandr Byelkin wrote:
> > > revision-id: 784cc5970dd (mariadb-10.4.11-68-g784cc5970dd)
> > > parent(s): c5e00fea102
> > > author: Oleksandr Byelkin <sanja@xxxxxxxxxxx>
> > > committer: Oleksandr Byelkin <sanja@xxxxxxxxxxx>
> > > timestamp: 2020-02-20 14:06:09 +0100
> > > message:
> > >
> > > MDEV-19650: Privilege bug on MariaDB 10.4
> > >
> > > diff --git a/scripts/mysql_system_tables.sql
> > > index 29f2a4c1ef6..af852444d0c 100644
> > > --- a/scripts/mysql_system_tables.sql
> > > +++ b/scripts/mysql_system_tables.sql
> > > @@ -33,9 +33,17 @@ CREATE TABLE IF NOT EXISTS db (   Host char(60)
> > binary DEFAULT '' NOT NULL, Db c
> > >  -- Remember for later if db table already existed
> > >  set @had_db_table= @@warning_count != 0;
> > >
> > > -CREATE TABLE IF NOT EXISTS global_priv (Host char(60) binary DEFAULT
> > '', User char(80) binary DEFAULT '', Priv JSON NOT NULL DEFAULT '{}'
> > CHECK(JSON_VALID(Priv)), PRIMARY KEY Host (Host,User)) engine=Aria
> > transactional=1 CHARACTER SET utf8 COLLATE utf8_bin comment='Users and
> > global privileges';
> > > +CREATE TABLE IF NOT EXISTS global_priv (Host char(60) binary DEFAULT
> > '', User char(80) binary DEFAULT '', Priv JSON NOT NULL DEFAULT '{}'
> > CHECK(JSON_VALID(Priv)), PRIMARY KEY (Host,User)) engine=Aria
> > transactional=1 CHARACTER SET utf8 COLLATE utf8_bin comment='Users and
> > global privileges';
> > >
> > > -CREATE DEFINER=root@localhost SQL SECURITY DEFINER VIEW IF NOT EXISTS
> > user AS SELECT
> > > +set @had_sys_user= @@warning_count != 0 OR 0 <> (select count(*) from
> > mysql.global_priv where Host="localhost" and User="mariadb.sys");
> > > +
> > > +CREATE TEMPORARY TABLE tmp_user_sys LIKE global_priv;
> > > +INSERT INTO tmp_user_sys (Host,User,Priv) VALUES
> > ('localhost','mariadb.sys','{"access":512,"plugin":"mysql_native_password","authentication_string":"","account_locked":true,"password_last_changed":0}');
> > > +INSERT INTO global_priv SELECT * FROM tmp_user_sys WHERE NOT
> > @had_sys_user;
> > > +DROP TABLE tmp_user_sys;
> >
> > 1. This could've been simply INSERT IGNORE, I suspect
> 
> Nope, the idea is do not insert more than needed.

Why would INSERT IGNORE insert more than needed?

> 2. why access:512 ? It's FILE_ACL, iirc.
> 
> Because LOAD used in tests and so in reality probably, so we need FILE_ACL

We need FILE_ACL, but why mariadb.sys account needs it?
mysql.user is a read-only view of the mysql.global_priv table,
its owner doesn't need FILE or INSERT/UPDATE/DELETE.

Regards,
Sergei
VP of MariaDB Server Engineering
and security@xxxxxxxxxxx

References

Re: 784cc5970dd: MDEV-19650: Privilege bug on MariaDB 10.4
From: Sergei Golubchik, 2020-04-20