database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-08-01 03:47:19 +03:00
Code Activity

Fix for BUG#9412: Triggers: should have trigger privilege.

Browse Source 
Implement table-level TRIGGER privilege to control access to triggers.
Before this path global SUPER privilege was used for this purpose, that
was the big security problem.

In details, before this patch SUPER privilege was required:
  - for the user at CREATE TRIGGER time to create a new trigger;
  - for the user at DROP TRIGGER time to drop the existing trigger;
  - for the definer at trigger activation time to execute the trigger (if the
    definer loses SUPER privilege, all its triggers become unavailable);

This patch changes the behaviour in the following way:
  - TRIGGER privilege on the subject table for trigger is required:
    - for the user at CREATE TRIGGER time to create a new trigger;
    - for the user at DROP TRIGGER time to drop the existing trigger;
    - for the definer at trigger activation time to execute the trigger
      (if the definer loses TRIGGER privilege on the subject table, all its
      triggers on this table become unavailable).
  - SUPER privilege is still required:
    - for the user at CREATE TRIGGER time to explicitly set the trigger
      definer to the user other than CURRENT_USER().

When the server works with database of the previous version (w/o TRIGGER
privilege), or if the database is being upgraded from the previous versions,
TRIGGER privilege is granted to whose users, who have CREATE privilege.
This commit is contained in:
anozdrin@mysql.com
2006-02-01 13:28:45 +03:00
parent f90661e443
commit 0a1f7e921b
16 changed files with 289 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
mysql-test/r/trigger-grant.result
View File

@ -7,12 +7,57 @@ DROP DATABASE IF EXISTS mysqltest_db1;
CREATE DATABASE mysqltest_db1;
CREATE USER mysqltest_dfn@localhost;
CREATE USER mysqltest_inv@localhost;
GRANT SUPER ON *.* TO mysqltest_dfn@localhost;
GRANT CREATE ON mysqltest_db1.* TO mysqltest_dfn@localhost;
---> connection: wl2818_definer_con
CREATE TABLE t1(num_value INT);
CREATE TABLE t2(user_str TEXT);
---> connection: default
GRANT INSERT, DELETE ON mysqltest_db1.t1 TO mysqltest_dfn@localhost;
GRANT INSERT, DELETE ON mysqltest_db1.t2 TO mysqltest_dfn@localhost;
---> connection: default
GRANT SUPER ON *.* TO mysqltest_dfn@localhost;
---> connection: wl2818_definer_con
CREATE TRIGGER trg1 AFTER INSERT ON t1
FOR EACH ROW
INSERT INTO t2 VALUES(CURRENT_USER());
ERROR 42000: TRIGGER command denied to user 'mysqltest_dfn'@'localhost' for table 't1'
---> connection: default
GRANT TRIGGER ON mysqltest_db1.t1 TO mysqltest_dfn@localhost;
---> connection: wl2818_definer_con
CREATE TRIGGER trg1 AFTER INSERT ON t1
FOR EACH ROW
INSERT INTO t2 VALUES(CURRENT_USER());
---> connection: default
REVOKE TRIGGER ON mysqltest_db1.t1 FROM mysqltest_dfn@localhost;
---> connection: wl2818_definer_con
DROP TRIGGER trg1;
ERROR 42000: TRIGGER command denied to user 'mysqltest_dfn'@'localhost' for table 't1'
---> connection: wl2818_definer_con
INSERT INTO t1 VALUES(0);
ERROR 42000: TRIGGER command denied to user 'mysqltest_dfn'@'localhost' for table 't1'
---> connection: default
GRANT TRIGGER ON mysqltest_db1.t1 TO mysqltest_dfn@localhost;
---> connection: wl2818_definer_con
INSERT INTO t1 VALUES(0);
DROP TRIGGER trg1;
DELETE FROM t1;
DELETE FROM t2;
---> connection: default
REVOKE SUPER ON *.* FROM mysqltest_dfn@localhost;
---> connection: wl2818_definer_con
CREATE TRIGGER trg1 AFTER INSERT ON t1
FOR EACH ROW
INSERT INTO t2 VALUES(CURRENT_USER());
@ -175,6 +220,17 @@ CREATE DEFINER='mysqltest_inv'@'localhost'
TRIGGER trg1 BEFORE INSERT ON t1
FOR EACH ROW
SET @new_sum = 0;
ERROR 42000: Access denied; you need the SUPER privilege for this operation
---> connection: default
use mysqltest_db1;
GRANT SUPER ON *.* TO mysqltest_dfn@localhost;
---> connection: wl2818_definer_con
CREATE DEFINER='mysqltest_inv'@'localhost'
TRIGGER trg1 BEFORE INSERT ON t1
FOR EACH ROW
SET @new_sum = 0;
CREATE DEFINER='mysqltest_nonexs'@'localhost'
TRIGGER trg2 AFTER INSERT ON t1
FOR EACH ROW
@ -182,7 +238,6 @@ SET @new_sum = 0;
Warnings:
Note 1449 There is no 'mysqltest_nonexs'@'localhost' registered
INSERT INTO t1 VALUES(6);
ERROR 42000: Access denied; you need the SUPER privilege for this operation
SHOW TRIGGERS;
Trigger Event Table Statement Timing Created sql_mode Definer
trg1 INSERT t1 SET @new_sum = 0 BEFORE NULL mysqltest_inv@localhost