maria-discuss team mailing list archive



Hi, Felipe!

On Feb 16, Felipe Gasper wrote:
> Hi all,
> We have custom logic in place that “suspends” a MySQL user by:
> - reversing the password hash
> - replacing the leading “*” with “-”
> I have noticed that MySQL’s SHOW GRANTS reports these “suspended” 
> password hashes with the leading dash “fixed” to a leading asterisk.
> MariaDB 10, though, has SHOW GRANTS report the literal contents of 
> mysql.user.

Right. MySQL converts the password hash to binary on startup.
And in SHOW GRANTS it prints the asterisk and the hex value of the
binary password hash.

MariaDB always prints the original password value, as in the mysql.user

> Is this behavior by design in MariaDB 10? Is it behavior that we can 
> depend on moving forward?

It was not intentional, but rather a side effect. But now I've added a
test to record this behavior, so it won't go away in the future.

There was also a bug in this area, but it's a bit difficult to trigger,
so most probably you shouldn't care (*). Anyway, I've fixed it in 10.0.17.


(*) if you're curious. If a user with such a suspended password creates
a procedure (which means he needs to keep an open connection from before
he was suspended), and he doesn't have execute rights for this procedure -
these rights are automatically granted to him. This automatic grant
was changing '-' to '*' (because it was restoring password from the
binary hash, as MySQL does).
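
The suspension scheme and the two SHOW GRANTS behaviours discussed in this thread, modelled as an added example (not part of the original e-mail and not MySQL or MariaDB code). All function names and the sample hash are constructed for illustration, and the example assumes that the 40 hex digits are reversed while the marker character stays in front.

```python
import re

# Assumption: a stored value is one marker character followed by 40 hex digits
# (mysql_native_password layout); the marker stays in front of the reversed hex.
_HEX40 = re.compile(r"[0-9A-Fa-f]{40}")

# Constructed sample value, not a real account's hash.
SAMPLE_HASH = "*0123456789ABCDEF0123456789ABCDEF01234567"


def classify(stored: str) -> str:
    """Return 'active', 'suspended' or 'other' for a mysql.user password value."""
    if len(stored) == 41 and _HEX40.fullmatch(stored[1:]):
        if stored[0] == "*":
            return "active"
        if stored[0] == "-":
            return "suspended"
    return "other"


def suspend(stored: str) -> str:
    """Reverse the hex digits and swap the leading '*' for '-'."""
    if classify(stored) != "active":
        raise ValueError("expected an active '*' hash")
    return "-" + stored[1:][::-1]


def unsuspend(stored: str) -> str:
    """Undo suspend(): reverse the hex digits back and restore the '*'."""
    if classify(stored) != "suspended":
        raise ValueError("expected a suspended '-' hash")
    return "*" + stored[1:][::-1]


def show_grants_mysql_model(stored: str) -> str:
    """Model of the MySQL behaviour described in the thread: the hash is held
    as binary and printed back as '*' plus its hex value."""
    binary = bytes.fromhex(stored[1:])
    return "*" + binary.hex().upper()


def show_grants_mariadb_model(stored: str) -> str:
    """Model of the MariaDB 10 behaviour: the stored value is printed as is."""
    return stored


if __name__ == "__main__":
    s = suspend(SAMPLE_HASH)
    print(classify(show_grants_mysql_model(s)), classify(show_grants_mariadb_model(s)))
```

Under this model, an audit that reads SHOW GRANTS output on MySQL sees a suspended account as active, so a suspension check has to read the stored value in mysql.user instead.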