
ourdelta-developers team mailing list archive

Re: [Bug 352840] Re: INNODB_BUFFER_POOL_CONTENT privacy issue

 

On Mon, Jul 20, 2009 at 4:20 PM, Vadim Tkachenko<vadim@xxxxxxxxxxx> wrote:
> ** Changed in: percona-patches
>   Importance: Undecided => Medium
>
> ** Changed in: percona-patches
>     Assignee: (unassigned) => Yasufumi Kinoshita (yasufumi-kinoshita)
>
> --
> INNODB_BUFFER_POOL_CONTENT privacy issue
> https://bugs.launchpad.net/bugs/352840
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in OurDelta - Builds for MySQL: Confirmed
> Status in Patches for MySQL by Percona: New
>
> Bug description:
> INNODB_BUFFER_POOL_CONTENT does not prune rows returned in terms of what databases/tables the requesting user has access to. In many environments it is unacceptable for a user to have access to data about the names of all databases and tables that exist on the instance.
>
> I suggest that access to INNODB_BUFFER_POOL_CONTENT be restricted to users that have the SUPER privilege.
>


I finally got a bit more time to play with this and I believe I have
the desired behavior working:
mysql> show grants;
+--------------------------------------+
| Grants for @localhost                |
+--------------------------------------+
| GRANT USAGE ON *.* TO ''@'localhost' |
+--------------------------------------+
1 row in set (0.00 sec)

mysql> select * from information_schema.INNODB_BUFFER_POOL_CONTENT;
ERROR 1227 (42000): Access denied; you need the SUPER privilege for
this operation

The following was made with mysql-5.0.77-d8-ourdelta.tar.gz.

Index: sql/ha_innodb.cc
@@ -6692,6 +6692,9 @@

        TABLE *table= tables->table;

+        if (check_global_access(thd, SUPER_ACL)){
+               DBUG_RETURN(0);
+        }

        //buf_pool_dump();
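
Review bot: the denied branch of the added `if (check_global_access(thd, SUPER_ACL)){` block returns 0 with no comment, so from the hunk alone a reader cannot tell whether a caller without SUPER gets an error or a silently empty result set. The session quoted above the patch shows ERROR 1227 being returned, so the error evidently comes from the check itself; a one-line comment above the `if`, for example `/* deny access to users without SUPER; the check reports the error */`, would make that explicit. On style, put a space before the opening brace and indent `DBUG_RETURN(0);` consistently with the surrounding lines. The new SUPER requirement is also a user-visible behaviour change for this table and should be mentioned wherever the patch set is documented.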

I could probably get the behavior to be less restrictive if that would
be needed. Perhaps anyone with select on a table should be able to see
if it is in the buffer pool? What does everyone think?


-- 
Rob Wultsch
wultsch@xxxxxxxxx
