diff --git a/client/mysqlbinlog.cc b/client/mysqlbinlog.cc index 2a070d14f0d..1ab90e0eb6d 100644 --- a/client/mysqlbinlog.cc +++ b/client/mysqlbinlog.cc @@ -1042,7 +1042,7 @@ static int dump_remote_log_entries(PRINT_EVENT_INFO *print_event_info, uint logname_len; NET* net; int error= 0; - my_off_t old_off= start_position_mot; + my_off_t old_off= min(start_position_mot, BIN_LOG_HEADER_SIZE); char fname[FN_REFLEN+1]; DBUG_ENTER("dump_remote_log_entries"); @@ -1194,10 +1194,17 @@ could be out of memory"); } } /* - Let's adjust offset for remote log as for local log to produce - similar text. + Let's adjust offset for remote log as for local log to produce + similar text and to have --stop-position to work identically. + + Exception - the server sends Format_description_log_event + in the beginning of the dump, and only after it the event from + start_position. Let the old_off reflect it. */ - old_off+= len-1; + if (old_off < start_position_mot) + old_off= start_position_mot; + else + old_off+= len-1; } err: diff --git a/mysql-test/r/grant.result b/mysql-test/r/grant.result index d63e4181026..73d5bf94264 100644 --- a/mysql-test/r/grant.result +++ b/mysql-test/r/grant.result @@ -972,4 +972,51 @@ REVOKE EXECUTE ON PROCEDURE t1 FROM some_user_name@1234567890abcdefghij123456789 ERROR HY000: String '1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY' is too long for host name (should be no longer than 60) GRANT PROCESS ON * TO user@localhost; ERROR 3D000: No database selected +DROP DATABASE IF EXISTS mysqltest1; +DROP DATABASE IF EXISTS mysqltest2; +DROP DATABASE IF EXISTS mysqltest3; +DROP DATABASE IF EXISTS mysqltest4; +CREATE DATABASE mysqltest1; +CREATE DATABASE mysqltest2; +CREATE DATABASE mysqltest3; +CREATE DATABASE mysqltest4; +CREATE PROCEDURE mysqltest1.p_def() SQL SECURITY DEFINER +SELECT 1; +CREATE PROCEDURE mysqltest2.p_inv() SQL SECURITY INVOKER +SELECT 1; +CREATE FUNCTION mysqltest3.f_def() RETURNS INT SQL SECURITY DEFINER +RETURN 1; +CREATE FUNCTION mysqltest4.f_inv() RETURNS INT SQL SECURITY INVOKER +RETURN 1; +GRANT EXECUTE ON PROCEDURE mysqltest1.p_def TO mysqltest_1@localhost; +GRANT EXECUTE ON PROCEDURE mysqltest2.p_inv TO mysqltest_1@localhost; +GRANT EXECUTE ON FUNCTION mysqltest3.f_def TO mysqltest_1@localhost; +GRANT EXECUTE ON FUNCTION mysqltest4.f_inv TO mysqltest_1@localhost; +GRANT ALL PRIVILEGES ON test.* TO mysqltest_1@localhost; + +---> connection: bug9504_con1 +use mysqltest1; +use mysqltest2; +use mysqltest3; +use mysqltest4; +use test; +CALL mysqltest1.p_def(); +1 +1 +CALL mysqltest2.p_inv(); +1 +1 +SELECT mysqltest3.f_def(); +mysqltest3.f_def() +1 +SELECT mysqltest4.f_inv(); +mysqltest4.f_inv() +1 + +---> connection: default +DROP DATABASE mysqltest1; +DROP DATABASE mysqltest2; +DROP DATABASE mysqltest3; +DROP DATABASE mysqltest4; +DROP USER mysqltest_1@localhost; End of 5.0 tests diff --git a/mysql-test/r/mysqlbinlog2.result b/mysql-test/r/mysqlbinlog2.result index 51ca19654c7..03b0e16d32a 100644 --- a/mysql-test/r/mysqlbinlog2.result +++ b/mysql-test/r/mysqlbinlog2.result @@ -122,6 +122,24 @@ DELIMITER ; ROLLBACK /* added by mysqlbinlog */; /*!50003 SET COMPLETION_TYPE=@OLD_COMPLETION_TYPE*/; +--- start and stop positions --- +/*!40019 SET @@session.max_insert_delayed_threads=0*/; +/*!50003 SET @OLD_COMPLETION_TYPE=@@COMPLETION_TYPE,COMPLETION_TYPE=0*/; +DELIMITER /*!*/; +SET INSERT_ID=4/*!*/; +use test/*!*/; +SET TIMESTAMP=1579609946/*!*/; +SET @@session.foreign_key_checks=1, @@session.sql_auto_is_null=1, @@session.unique_checks=1/*!*/; +SET @@session.sql_mode=0/*!*/; +/*!\C latin1 *//*!*/; +SET @@session.character_set_client=8,@@session.collation_connection=8,@@session.collation_server=8/*!*/; +insert into t1 values(null, "d")/*!*/; +SET INSERT_ID=5/*!*/; +DELIMITER ; +# End of log file +ROLLBACK /* added by mysqlbinlog */; +/*!50003 SET COMPLETION_TYPE=@OLD_COMPLETION_TYPE*/; + --- start-datetime -- /*!40019 SET @@session.max_insert_delayed_threads=0*/; /*!50003 SET @OLD_COMPLETION_TYPE=@@COMPLETION_TYPE,COMPLETION_TYPE=0*/; @@ -481,6 +499,24 @@ DELIMITER ; ROLLBACK /* added by mysqlbinlog */; /*!50003 SET COMPLETION_TYPE=@OLD_COMPLETION_TYPE*/; +--- start and stop positions --- +/*!40019 SET @@session.max_insert_delayed_threads=0*/; +/*!50003 SET @OLD_COMPLETION_TYPE=@@COMPLETION_TYPE,COMPLETION_TYPE=0*/; +DELIMITER /*!*/; +SET INSERT_ID=4/*!*/; +use test/*!*/; +SET TIMESTAMP=1579609946/*!*/; +SET @@session.foreign_key_checks=1, @@session.sql_auto_is_null=1, @@session.unique_checks=1/*!*/; +SET @@session.sql_mode=0/*!*/; +/*!\C latin1 *//*!*/; +SET @@session.character_set_client=8,@@session.collation_connection=8,@@session.collation_server=8/*!*/; +insert into t1 values(null, "d")/*!*/; +SET INSERT_ID=5/*!*/; +DELIMITER ; +# End of log file +ROLLBACK /* added by mysqlbinlog */; +/*!50003 SET COMPLETION_TYPE=@OLD_COMPLETION_TYPE*/; + --- start-datetime -- /*!40019 SET @@session.max_insert_delayed_threads=0*/; /*!50003 SET @OLD_COMPLETION_TYPE=@@COMPLETION_TYPE,COMPLETION_TYPE=0*/; diff --git a/mysql-test/r/sp-security.result b/mysql-test/r/sp-security.result index 26b3f352a1f..8462bafe0e3 100644 --- a/mysql-test/r/sp-security.result +++ b/mysql-test/r/sp-security.result @@ -8,22 +8,29 @@ create procedure db1_secret.dummy() begin end; drop procedure db1_secret.dummy; use db1_secret; create table t1 ( u varchar(64), i int ); +insert into t1 values('test', 0); create procedure stamp(i int) insert into db1_secret.t1 values (user(), i); show procedure status like 'stamp'; Db Name Type Definer Modified Created Security_type Comment db1_secret stamp PROCEDURE root@localhost 0000-00-00 00:00:00 0000-00-00 00:00:00 DEFINER -create function db() returns varchar(64) return database(); +create function db() returns varchar(64) +begin +declare v varchar(64); +select u into v from t1 limit 1; +return v; +end| show function status like 'db'; Db Name Type Definer Modified Created Security_type Comment db1_secret db FUNCTION root@localhost 0000-00-00 00:00:00 0000-00-00 00:00:00 DEFINER call stamp(1); select * from t1; u i +test 0 root@localhost 1 select db(); db() -db1_secret +test grant execute on procedure db1_secret.stamp to user1@'%'; grant execute on function db1_secret.db to user1@'%'; grant execute on procedure db1_secret.stamp to ''@'%'; @@ -31,25 +38,34 @@ grant execute on function db1_secret.db to ''@'%'; call db1_secret.stamp(2); select db1_secret.db(); db1_secret.db() -db1_secret +test select * from db1_secret.t1; ERROR 42000: SELECT command denied to user 'user1'@'localhost' for table 't1' create procedure db1_secret.dummy() begin end; ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db1_secret' drop procedure db1_secret.dummy; ERROR 42000: PROCEDURE db1_secret.dummy does not exist +drop procedure db1_secret.stamp; +ERROR 42000: alter routine command denied to user 'user1'@'localhost' for routine 'db1_secret.stamp' +drop function db1_secret.db; +ERROR 42000: alter routine command denied to user 'user1'@'localhost' for routine 'db1_secret.db' call db1_secret.stamp(3); select db1_secret.db(); db1_secret.db() -db1_secret +test select * from db1_secret.t1; ERROR 42000: SELECT command denied to user ''@'localhost' for table 't1' create procedure db1_secret.dummy() begin end; ERROR 42000: Access denied for user ''@'%' to database 'db1_secret' drop procedure db1_secret.dummy; ERROR 42000: PROCEDURE db1_secret.dummy does not exist +drop procedure db1_secret.stamp; +ERROR 42000: alter routine command denied to user ''@'%' for routine 'db1_secret.stamp' +drop function db1_secret.db; +ERROR 42000: alter routine command denied to user ''@'%' for routine 'db1_secret.db' select * from t1; u i +test 0 root@localhost 1 user1@localhost 2 anon@localhost 3 @@ -64,21 +80,22 @@ db1_secret db FUNCTION root@localhost 0000-00-00 00:00:00 0000-00-00 00:00:00 IN call stamp(4); select * from t1; u i +test 0 root@localhost 1 user1@localhost 2 anon@localhost 3 root@localhost 4 select db(); db() -db1_secret +test call db1_secret.stamp(5); -ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db1_secret' +ERROR 42000: INSERT command denied to user 'user1'@'localhost' for table 't1' select db1_secret.db(); -ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db1_secret' +ERROR 42000: SELECT command denied to user 'user1'@'localhost' for table 't1' call db1_secret.stamp(6); -ERROR 42000: Access denied for user ''@'%' to database 'db1_secret' +ERROR 42000: INSERT command denied to user ''@'localhost' for table 't1' select db1_secret.db(); -ERROR 42000: Access denied for user ''@'%' to database 'db1_secret' +ERROR 42000: SELECT command denied to user ''@'localhost' for table 't1' drop database if exists db2; create database db2; use db2; diff --git a/mysql-test/r/view_grant.result b/mysql-test/r/view_grant.result index 6fec52896c9..32dffa305e5 100644 --- a/mysql-test/r/view_grant.result +++ b/mysql-test/r/view_grant.result @@ -282,15 +282,6 @@ create view mysqltest.v3 as select b from mysqltest.t2; grant create view, update on mysqltest.v3 to mysqltest_1@localhost; drop view mysqltest.v3; create view mysqltest.v3 as select b from mysqltest.t2; -grant create view, update, insert on mysqltest.v3 to mysqltest_1@localhost; -drop view mysqltest.v3; -create view mysqltest.v3 as select b from mysqltest.t2; -ERROR 42000: create view command denied to user 'mysqltest_1'@'localhost' for column 'b' in table 'v3' -create table mysqltest.v3 (b int); -grant select(b) on mysqltest.v3 to mysqltest_1@localhost; -drop table mysqltest.v3; -create view mysqltest.v3 as select b from mysqltest.t2; -ERROR 42000: create view command denied to user 'mysqltest_1'@'localhost' for column 'b' in table 'v3' create view v4 as select b+1 from mysqltest.t2; ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for column 'b' in table 't2' grant create view,update,select on test.* to mysqltest_1@localhost; @@ -794,4 +785,92 @@ View Create View v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f2` AS `f2` from `t1` DROP USER u26813@localhost; DROP DATABASE db26813; +DROP DATABASE IF EXISTS mysqltest1; +DROP DATABASE IF EXISTS mysqltest2; +CREATE DATABASE mysqltest1; +CREATE DATABASE mysqltest2; +CREATE TABLE mysqltest1.t1(c1 INT); +CREATE TABLE mysqltest1.t2(c2 INT); +CREATE TABLE mysqltest1.t3(c3 INT); +CREATE TABLE mysqltest1.t4(c4 INT); +INSERT INTO mysqltest1.t1 VALUES (11), (12), (13), (14); +INSERT INTO mysqltest1.t2 VALUES (21), (22), (23), (24); +INSERT INTO mysqltest1.t3 VALUES (31), (32), (33), (34); +INSERT INTO mysqltest1.t4 VALUES (41), (42), (43), (44); +GRANT SELECT ON mysqltest1.t1 TO mysqltest_u1@localhost; +GRANT INSERT ON mysqltest1.t2 TO mysqltest_u1@localhost; +GRANT SELECT, UPDATE ON mysqltest1.t3 TO mysqltest_u1@localhost; +GRANT SELECT, DELETE ON mysqltest1.t4 TO mysqltest_u1@localhost; +GRANT ALL PRIVILEGES ON mysqltest2.* TO mysqltest_u1@localhost; + +---> connection: bug24040_con +SELECT * FROM mysqltest1.t1; +c1 +11 +12 +13 +14 +INSERT INTO mysqltest1.t2 VALUES(25); +UPDATE mysqltest1.t3 SET c3 = 331 WHERE c3 = 31; +DELETE FROM mysqltest1.t4 WHERE c4 = 44; +CREATE VIEW v1 AS SELECT * FROM mysqltest1.t1; +CREATE VIEW v2 AS SELECT * FROM mysqltest1.t2; +CREATE VIEW v3 AS SELECT * FROM mysqltest1.t3; +CREATE VIEW v4 AS SELECT * FROM mysqltest1.t4; +SELECT * FROM v1; +c1 +11 +12 +13 +14 +INSERT INTO v2 VALUES(26); +UPDATE v3 SET c3 = 332 WHERE c3 = 32; +DELETE FROM v4 WHERE c4 = 43; +CREATE VIEW v12 AS SELECT c1, c2 FROM mysqltest1.t1, mysqltest1.t2; +ERROR 42000: create view command denied to user 'mysqltest_u1'@'localhost' for column 'c2' in table 'v12' +CREATE VIEW v13 AS SELECT c1, c3 FROM mysqltest1.t1, mysqltest1.t3; +CREATE VIEW v14 AS SELECT c1, c4 FROM mysqltest1.t1, mysqltest1.t4; +CREATE VIEW v21 AS SELECT c2, c1 FROM mysqltest1.t2, mysqltest1.t1; +ERROR 42000: create view command denied to user 'mysqltest_u1'@'localhost' for column 'c1' in table 'v21' +CREATE VIEW v23 AS SELECT c2, c3 FROM mysqltest1.t2, mysqltest1.t3; +ERROR 42000: create view command denied to user 'mysqltest_u1'@'localhost' for column 'c3' in table 'v23' +CREATE VIEW v24 AS SELECT c2, c4 FROM mysqltest1.t2, mysqltest1.t4; +ERROR 42000: create view command denied to user 'mysqltest_u1'@'localhost' for column 'c4' in table 'v24' +CREATE VIEW v31 AS SELECT c3, c1 FROM mysqltest1.t3, mysqltest1.t1; +CREATE VIEW v32 AS SELECT c3, c2 FROM mysqltest1.t3, mysqltest1.t2; +ERROR 42000: create view command denied to user 'mysqltest_u1'@'localhost' for column 'c2' in table 'v32' +CREATE VIEW v34 AS SELECT c3, c4 FROM mysqltest1.t3, mysqltest1.t4; +CREATE VIEW v41 AS SELECT c4, c1 FROM mysqltest1.t4, mysqltest1.t1; +CREATE VIEW v42 AS SELECT c4, c2 FROM mysqltest1.t4, mysqltest1.t2; +ERROR 42000: create view command denied to user 'mysqltest_u1'@'localhost' for column 'c2' in table 'v42' +CREATE VIEW v43 AS SELECT c4, c3 FROM mysqltest1.t4, mysqltest1.t3; + +---> connection: default +SELECT * FROM mysqltest1.t1; +c1 +11 +12 +13 +14 +SELECT * FROM mysqltest1.t2; +c2 +21 +22 +23 +24 +25 +26 +SELECT * FROM mysqltest1.t3; +c3 +331 +332 +33 +34 +SELECT * FROM mysqltest1.t4; +c4 +41 +42 +DROP DATABASE mysqltest1; +DROP DATABASE mysqltest2; +DROP USER mysqltest_u1@localhost; End of 5.0 tests. diff --git a/mysql-test/t/grant.test b/mysql-test/t/grant.test index 82bf011d32f..92ed69d3f4b 100644 --- a/mysql-test/t/grant.test +++ b/mysql-test/t/grant.test @@ -875,4 +875,87 @@ GRANT PROCESS ON * TO user@localhost; disconnect con1; connection default; + +# +# BUG#9504: Stored procedures: execute privilege doesn't make 'use database' +# okay. +# + +# Prepare. + +--disable_warnings +DROP DATABASE IF EXISTS mysqltest1; +DROP DATABASE IF EXISTS mysqltest2; +DROP DATABASE IF EXISTS mysqltest3; +DROP DATABASE IF EXISTS mysqltest4; +--enable_warnings + +CREATE DATABASE mysqltest1; +CREATE DATABASE mysqltest2; +CREATE DATABASE mysqltest3; +CREATE DATABASE mysqltest4; + +CREATE PROCEDURE mysqltest1.p_def() SQL SECURITY DEFINER + SELECT 1; + +CREATE PROCEDURE mysqltest2.p_inv() SQL SECURITY INVOKER + SELECT 1; + +CREATE FUNCTION mysqltest3.f_def() RETURNS INT SQL SECURITY DEFINER + RETURN 1; + +CREATE FUNCTION mysqltest4.f_inv() RETURNS INT SQL SECURITY INVOKER + RETURN 1; + +GRANT EXECUTE ON PROCEDURE mysqltest1.p_def TO mysqltest_1@localhost; +GRANT EXECUTE ON PROCEDURE mysqltest2.p_inv TO mysqltest_1@localhost; +GRANT EXECUTE ON FUNCTION mysqltest3.f_def TO mysqltest_1@localhost; +GRANT EXECUTE ON FUNCTION mysqltest4.f_inv TO mysqltest_1@localhost; + +GRANT ALL PRIVILEGES ON test.* TO mysqltest_1@localhost; + +# Test. + +--connect (bug9504_con1,localhost,mysqltest_1,,) +--echo +--echo ---> connection: bug9504_con1 + +# - Check that we can switch to the db; + +use mysqltest1; + +use mysqltest2; + +use mysqltest3; + +use mysqltest4; + +# - Check that we can call stored routines; + +use test; + +CALL mysqltest1.p_def(); + +CALL mysqltest2.p_inv(); + +SELECT mysqltest3.f_def(); + +SELECT mysqltest4.f_inv(); + +# Cleanup. + +--connection default +--echo +--echo ---> connection: default + +--disconnect bug9504_con1 + +DROP DATABASE mysqltest1; +DROP DATABASE mysqltest2; +DROP DATABASE mysqltest3; +DROP DATABASE mysqltest4; + +DROP USER mysqltest_1@localhost; + + --echo End of 5.0 tests diff --git a/mysql-test/t/mysqlbinlog2.test b/mysql-test/t/mysqlbinlog2.test index 6afae538f04..14b213cd9cc 100644 --- a/mysql-test/t/mysqlbinlog2.test +++ b/mysql-test/t/mysqlbinlog2.test @@ -55,6 +55,10 @@ select "--- stop-position --" as ""; --enable_query_log --exec $MYSQL_BINLOG --short-form --stop-position=600 $MYSQLTEST_VARDIR/log/master-bin.000001 --disable_query_log +select "--- start and stop positions ---" as ""; +--enable_query_log +--exec $MYSQL_BINLOG --short-form --start-position=600 --stop-position 725 $MYSQLTEST_VARDIR/log/master-bin.000001 +--disable_query_log select "--- start-datetime --" as ""; --enable_query_log --exec $MYSQL_BINLOG --short-form "--start-datetime=2020-01-21 15:32:24" $MYSQLTEST_VARDIR/log/master-bin.000001 @@ -111,6 +115,10 @@ select "--- stop-position --" as ""; --enable_query_log --exec $MYSQL_BINLOG --short-form --stop-position=600 --read-from-remote-server --user=root --host=127.0.0.1 --port=$MASTER_MYPORT master-bin.000001 --disable_query_log +select "--- start and stop positions ---" as ""; +--enable_query_log +--exec $MYSQL_BINLOG --short-form --start-position=600 --stop-position 725 --read-from-remote-server --user=root --host=127.0.0.1 --port=$MASTER_MYPORT master-bin.000001 +--disable_query_log select "--- start-datetime --" as ""; --enable_query_log --exec $MYSQL_BINLOG --short-form "--start-datetime=2020-01-21 15:32:24" --read-from-remote-server --user=root --host=127.0.0.1 --port=$MASTER_MYPORT master-bin.000001 diff --git a/mysql-test/t/sp-security.test b/mysql-test/t/sp-security.test index a5d509f29b7..38c72fd4fa6 100644 --- a/mysql-test/t/sp-security.test +++ b/mysql-test/t/sp-security.test @@ -28,6 +28,7 @@ drop procedure db1_secret.dummy; use db1_secret; create table t1 ( u varchar(64), i int ); +insert into t1 values('test', 0); # A test procedure and function create procedure stamp(i int) @@ -35,7 +36,16 @@ create procedure stamp(i int) --replace_column 5 '0000-00-00 00:00:00' 6 '0000-00-00 00:00:00' show procedure status like 'stamp'; -create function db() returns varchar(64) return database(); +delimiter |; +create function db() returns varchar(64) +begin + declare v varchar(64); + + select u into v from t1 limit 1; + + return v; +end| +delimiter ;| --replace_column 5 '0000-00-00 00:00:00' 6 '0000-00-00 00:00:00' show function status like 'db'; @@ -63,14 +73,18 @@ call db1_secret.stamp(2); select db1_secret.db(); # ...but not this ---error 1142 +--error ER_TABLEACCESS_DENIED_ERROR select * from db1_secret.t1; # ...and not this ---error 1044 +--error ER_DBACCESS_DENIED_ERROR create procedure db1_secret.dummy() begin end; ---error 1305 +--error ER_SP_DOES_NOT_EXIST drop procedure db1_secret.dummy; +--error ER_PROCACCESS_DENIED_ERROR +drop procedure db1_secret.stamp; +--error ER_PROCACCESS_DENIED_ERROR +drop function db1_secret.db; # @@ -83,14 +97,18 @@ call db1_secret.stamp(3); select db1_secret.db(); # ...but not this ---error 1142 +--error ER_TABLEACCESS_DENIED_ERROR select * from db1_secret.t1; # ...and not this ---error 1044 +--error ER_DBACCESS_DENIED_ERROR create procedure db1_secret.dummy() begin end; ---error 1305 +--error ER_SP_DOES_NOT_EXIST drop procedure db1_secret.dummy; +--error ER_PROCACCESS_DENIED_ERROR +drop procedure db1_secret.stamp; +--error ER_PROCACCESS_DENIED_ERROR +drop function db1_secret.db; # @@ -121,9 +139,9 @@ select db(); connection con2user1; # This should not work ---error 1044 +--error ER_TABLEACCESS_DENIED_ERROR call db1_secret.stamp(5); ---error 1044 +--error ER_TABLEACCESS_DENIED_ERROR select db1_secret.db(); # @@ -132,9 +150,9 @@ select db1_secret.db(); connection con3anon; # This should not work ---error 1044 +--error ER_TABLEACCESS_DENIED_ERROR call db1_secret.stamp(6); ---error 1044 +--error ER_TABLEACCESS_DENIED_ERROR select db1_secret.db(); # @@ -165,7 +183,7 @@ use db2; create procedure p () insert into t2 values (1); # Check that this doesn't work. ---error 1142 +--error ER_TABLEACCESS_DENIED_ERROR call p(); connect (con4user2,localhost,user2,,); @@ -174,7 +192,7 @@ connection con4user2; use db2; # This should not work, since p is executed with definer's (user1's) rights. ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR call p(); select * from t2; @@ -207,9 +225,9 @@ alter procedure p modifies sql data; drop procedure p; # This should NOT work ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR alter procedure q modifies sql data; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR drop procedure q; connection con1root; @@ -260,30 +278,30 @@ connect (con4userc,localhost,userc,,); connection con2usera; call sptest.p1(1); ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR grant execute on procedure sptest.p1 to userb@localhost; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR drop procedure sptest.p1; connection con3userb; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR call sptest.p1(2); ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR grant execute on procedure sptest.p1 to userb@localhost; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR drop procedure sptest.p1; connection con4userc; call sptest.p1(3); grant execute on procedure sptest.p1 to userb@localhost; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR drop procedure sptest.p1; connection con3userb; call sptest.p1(4); ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR grant execute on procedure sptest.p1 to userb@localhost; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR drop procedure sptest.p1; connection con1root; @@ -332,7 +350,7 @@ delimiter ;// connect (user1,localhost,user1,,test); connection user1; use mysqltest; --- error 1370 +-- error ER_PROCACCESS_DENIED_ERROR select bug_9503(); connection root; @@ -401,13 +419,13 @@ grant usage on *.* to mysqltest_1@localhost; connect (n1,localhost,mysqltest_1,,information_schema,$MASTER_MYPORT,$MASTER_MYSOCK); connection n1; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR call mysqltest_1.p1(); disconnect n1; # Test also without a current database connect (n2,localhost,mysqltest_1,,*NO-ONE*,$MASTER_MYPORT,$MASTER_MYSOCK); connection n2; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR call mysqltest_1.p1(); disconnect n2; @@ -433,9 +451,9 @@ end; create user user_bug12812@localhost IDENTIFIED BY 'ABC'| --replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK connect (test_user_12812,localhost,user_bug12812,ABC,test)| ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR SELECT test.bug12812()| ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR CREATE VIEW v1 AS SELECT test.bug12812()| # Cleanup connection default| @@ -489,7 +507,8 @@ drop database db_bug14834; # -# BUG#14533: 'desc tbl' in stored procedure causes error 1142 +# BUG#14533: 'desc tbl' in stored procedure causes error +# ER_TABLEACCESS_DENIED_ERROR # create database db_bug14533; use db_bug14533; diff --git a/mysql-test/t/view_grant.test b/mysql-test/t/view_grant.test index b45afe4f312..a102f87c4e8 100644 --- a/mysql-test/t/view_grant.test +++ b/mysql-test/t/view_grant.test @@ -350,25 +350,6 @@ drop view mysqltest.v3; connection user1; create view mysqltest.v3 as select b from mysqltest.t2; -# give UPDATE and INSERT privilege (to get more privileges then underlying -# table) -connection root; -grant create view, update, insert on mysqltest.v3 to mysqltest_1@localhost; -drop view mysqltest.v3; -connection user1; --- error 1143 -create view mysqltest.v3 as select b from mysqltest.t2; - - -# If we would get more privileges on VIEW then we have on -# underlying tables => creation prohibited -connection root; -create table mysqltest.v3 (b int); -grant select(b) on mysqltest.v3 to mysqltest_1@localhost; -drop table mysqltest.v3; -connection user1; --- error 1143 -create view mysqltest.v3 as select b from mysqltest.t2; # Expression need select privileges -- error 1143 @@ -1066,4 +1047,95 @@ DROP USER u26813@localhost; DROP DATABASE db26813; disconnect u1; +# +# BUG#24040: Create View don't succed with "all privileges" on a database. +# + +# Prepare. + +--disable_warnings +DROP DATABASE IF EXISTS mysqltest1; +DROP DATABASE IF EXISTS mysqltest2; +--enable_warnings + +CREATE DATABASE mysqltest1; +CREATE DATABASE mysqltest2; + +# Test. + +CREATE TABLE mysqltest1.t1(c1 INT); +CREATE TABLE mysqltest1.t2(c2 INT); +CREATE TABLE mysqltest1.t3(c3 INT); +CREATE TABLE mysqltest1.t4(c4 INT); + +INSERT INTO mysqltest1.t1 VALUES (11), (12), (13), (14); +INSERT INTO mysqltest1.t2 VALUES (21), (22), (23), (24); +INSERT INTO mysqltest1.t3 VALUES (31), (32), (33), (34); +INSERT INTO mysqltest1.t4 VALUES (41), (42), (43), (44); + +GRANT SELECT ON mysqltest1.t1 TO mysqltest_u1@localhost; +GRANT INSERT ON mysqltest1.t2 TO mysqltest_u1@localhost; +GRANT SELECT, UPDATE ON mysqltest1.t3 TO mysqltest_u1@localhost; +GRANT SELECT, DELETE ON mysqltest1.t4 TO mysqltest_u1@localhost; + +GRANT ALL PRIVILEGES ON mysqltest2.* TO mysqltest_u1@localhost; + +--connect (bug24040_con,localhost,mysqltest_u1,,mysqltest2) +--echo +--echo ---> connection: bug24040_con + +SELECT * FROM mysqltest1.t1; +INSERT INTO mysqltest1.t2 VALUES(25); +UPDATE mysqltest1.t3 SET c3 = 331 WHERE c3 = 31; +DELETE FROM mysqltest1.t4 WHERE c4 = 44; + +CREATE VIEW v1 AS SELECT * FROM mysqltest1.t1; +CREATE VIEW v2 AS SELECT * FROM mysqltest1.t2; +CREATE VIEW v3 AS SELECT * FROM mysqltest1.t3; +CREATE VIEW v4 AS SELECT * FROM mysqltest1.t4; + +SELECT * FROM v1; +INSERT INTO v2 VALUES(26); +UPDATE v3 SET c3 = 332 WHERE c3 = 32; +DELETE FROM v4 WHERE c4 = 43; + +--error ER_COLUMNACCESS_DENIED_ERROR +CREATE VIEW v12 AS SELECT c1, c2 FROM mysqltest1.t1, mysqltest1.t2; +CREATE VIEW v13 AS SELECT c1, c3 FROM mysqltest1.t1, mysqltest1.t3; +CREATE VIEW v14 AS SELECT c1, c4 FROM mysqltest1.t1, mysqltest1.t4; + +--error ER_COLUMNACCESS_DENIED_ERROR +CREATE VIEW v21 AS SELECT c2, c1 FROM mysqltest1.t2, mysqltest1.t1; +--error ER_COLUMNACCESS_DENIED_ERROR +CREATE VIEW v23 AS SELECT c2, c3 FROM mysqltest1.t2, mysqltest1.t3; +--error ER_COLUMNACCESS_DENIED_ERROR +CREATE VIEW v24 AS SELECT c2, c4 FROM mysqltest1.t2, mysqltest1.t4; + +CREATE VIEW v31 AS SELECT c3, c1 FROM mysqltest1.t3, mysqltest1.t1; +--error ER_COLUMNACCESS_DENIED_ERROR +CREATE VIEW v32 AS SELECT c3, c2 FROM mysqltest1.t3, mysqltest1.t2; +CREATE VIEW v34 AS SELECT c3, c4 FROM mysqltest1.t3, mysqltest1.t4; + +CREATE VIEW v41 AS SELECT c4, c1 FROM mysqltest1.t4, mysqltest1.t1; +--error ER_COLUMNACCESS_DENIED_ERROR +CREATE VIEW v42 AS SELECT c4, c2 FROM mysqltest1.t4, mysqltest1.t2; +CREATE VIEW v43 AS SELECT c4, c3 FROM mysqltest1.t4, mysqltest1.t3; + +--connection default +--echo +--echo ---> connection: default + +SELECT * FROM mysqltest1.t1; +SELECT * FROM mysqltest1.t2; +SELECT * FROM mysqltest1.t3; +SELECT * FROM mysqltest1.t4; + +# Cleanup. + +-- disconnect bug24040_con + +DROP DATABASE mysqltest1; +DROP DATABASE mysqltest2; +DROP USER mysqltest_u1@localhost; + --echo End of 5.0 tests. diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index ee15f95f305..ebf9385d177 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -3893,6 +3893,26 @@ err2: } +static bool check_grant_db_routine(THD *thd, const char *db, HASH *hash) +{ + Security_context *sctx= thd->security_ctx; + + for (uint idx= 0; idx < hash->records; ++idx) + { + GRANT_NAME *item= (GRANT_NAME*) hash_element(hash, idx); + + if (strcmp(item->user, sctx->priv_user) == 0 && + strcmp(item->db, db) == 0 && + compare_hostname(&item->host, sctx->host, sctx->ip)) + { + return FALSE; + } + } + + return TRUE; +} + + /* Check if a user has the right to access a database Access is accepted if he has a grant for any table/routine in the database @@ -3904,9 +3924,10 @@ bool check_grant_db(THD *thd,const char *db) Security_context *sctx= thd->security_ctx; char helping [NAME_LEN+USERNAME_LENGTH+2]; uint len; - bool error= 1; + bool error= TRUE; len= (uint) (strmov(strmov(helping, sctx->priv_user) + 1, db) - helping) + 1; + rw_rdlock(&LOCK_grant); for (uint idx=0 ; idx < column_priv_hash.records ; idx++) @@ -3917,11 +3938,17 @@ bool check_grant_db(THD *thd,const char *db) !memcmp(grant_table->hash_key,helping,len) && compare_hostname(&grant_table->host, sctx->host, sctx->ip)) { - error=0; // Found match + error= FALSE; /* Found match. */ break; } } + + if (error) + error= check_grant_db_routine(thd, db, &proc_priv_hash) && + check_grant_db_routine(thd, db, &func_priv_hash); + rw_unlock(&LOCK_grant); + return error; } diff --git a/sql/sql_view.cc b/sql/sql_view.cc index 83beec3d1be..533e847682d 100644 --- a/sql/sql_view.cc +++ b/sql/sql_view.cc @@ -496,35 +496,46 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views, /* Compare/check grants on view with grants of underlying tables */ + + fill_effective_table_privileges(thd, &view->grant, view->db, + view->table_name); + + { + Item *report_item= NULL; + uint final_priv= VIEW_ANY_ACL; + for (sl= select_lex; sl; sl= sl->next_select()) { DBUG_ASSERT(view->db); /* Must be set in the parser */ List_iterator_fast it(sl->item_list); Item *item; - fill_effective_table_privileges(thd, &view->grant, view->db, - view->table_name); while ((item= it++)) { - Item_field *fld; + Item_field *fld= item->filed_for_view_update(); uint priv= (get_column_grant(thd, &view->grant, view->db, view->table_name, item->name) & VIEW_ANY_ACL); - if ((fld= item->filed_for_view_update())) + + if (fld && !fld->field->table->s->tmp_table) { - /* - Do we have more privileges on view field then underlying table field? - */ - if (!fld->field->table->s->tmp_table && (~fld->have_privileges & priv)) + final_priv&= fld->have_privileges; + + if (~fld->have_privileges & priv) + report_item= item; + } + } + } + + if (!final_priv) { - /* VIEW column has more privileges */ + DBUG_ASSERT(report_item); + my_error(ER_COLUMNACCESS_DENIED_ERROR, MYF(0), "create view", thd->security_ctx->priv_user, - thd->security_ctx->priv_host, item->name, + thd->security_ctx->priv_host, report_item->name, view->table_name); res= TRUE; goto err; - } - } } } #endif