database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-08-29 00:08:14 +03:00
Code Activity
Files
0c9bae6e8e194d5a332bcc1f99eb86a0e03e7f7c
mariadb/mysql-test/r/sp-security.result
unknown a50cd5c53d Fixed BUG#6030: Stored procedure has no appropriate DROP privilege. 
...and no ALTER privilege either.
  For now, only the definer and root can drop or alter an SP.


include/mysqld_error.h:
  New access denied error code when dropping/altering stored procedures.
include/sql_state.h:
  New access denied error code when dropping/altering stored procedures.
mysql-test/r/sp-error.result:
  Removed warning for "unitialized variable", as this popped up in unexpected
  places after the access control for drop/alter SPs was added. (And the warning
  was wrong and planned to be removed anyway.)
mysql-test/r/sp-security.result:
  Added tests for access control on who's allowed to drop and alter SPs.
mysql-test/r/sp.result:
  Updated results. (Warning removed.)
mysql-test/t/sp-error.test:
  Removed warning for "unitialized variable", as this popped up in unexpected
  places after the access control for drop/alter SPs was added. (And the warning
  was wrong and planned to be removed anyway.)
mysql-test/t/sp-security.test:
  Added tests for access control on who's allowed to drop and alter SPs.
sql/share/czech/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/danish/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/dutch/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/english/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/estonian/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/french/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/german/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/greek/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/hungarian/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/italian/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/japanese/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/korean/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/norwegian-ny/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/norwegian/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/polish/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/portuguese/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/romanian/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/russian/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/serbian/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/slovak/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/spanish/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/swedish/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/share/ukrainian/errmsg.txt:
  New access denied error message when dropping/altering stored procedures.
sql/sql_parse.cc:
  Added minimal access control for DROP/ALTER PROCEDURE/FUNCTION. Only the definer
  and root are allowed to do this.
sql/sql_yacc.yy:
  Removed warning for "unitialized variable", as this popped up in unexpected
  places after the access control for drop/alter SPs was added. (And the warning
  was wrong and planned to be removed anyway.)
2004-10-22 20:29:06 +02:00

129 lines
3.9 KiB
Plaintext
Raw Blame History

use test;
grant usage on *.* to user1@localhost;
flush privileges;
drop database if exists db1_secret;
create database db1_secret;
create procedure db1_secret.dummy() begin end;
drop procedure db1_secret.dummy;
use db1_secret;
create table t1 ( u varchar(64), i int );
create procedure stamp(i int)
insert into db1_secret.t1 values (user(), i);
show procedure status like 'stamp';
Db Name Type Definer Modified Created Security_type Comment
db1_secret stamp PROCEDURE root@localhost 0000-00-00 00:00:00 0000-00-00 00:00:00 DEFINER
create function db() returns varchar(64) return database();
show function status like 'db';
Db Name Type Definer Modified Created Security_type Comment
db1_secret db FUNCTION root@localhost 0000-00-00 00:00:00 0000-00-00 00:00:00 DEFINER
call stamp(1);
select * from t1;
u i
root@localhost 1
select db();
db()
db1_secret
call db1_secret.stamp(2);
select db1_secret.db();
db1_secret.db()
db1_secret
select * from db1_secret.t1;
ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db1_secret'
create procedure db1_secret.dummy() begin end;
ERROR 42000: Unknown database 'db1_secret'
drop procedure db1_secret.dummy;
ERROR 42000: PROCEDURE db1_secret.dummy does not exist
call db1_secret.stamp(3);
select db1_secret.db();
db1_secret.db()
db1_secret
select * from db1_secret.t1;
ERROR 42000: Access denied for user ''@'localhost' to database 'db1_secret'
create procedure db1_secret.dummy() begin end;
ERROR 42000: Unknown database 'db1_secret'
drop procedure db1_secret.dummy;
ERROR 42000: PROCEDURE db1_secret.dummy does not exist
select * from t1;
u i
root@localhost 1
user1@localhost 2
anon@localhost 3
alter procedure stamp sql security invoker;
show procedure status like 'stamp';
Db Name Type Definer Modified Created Security_type Comment
db1_secret stamp PROCEDURE root@localhost 0000-00-00 00:00:00 0000-00-00 00:00:00 INVOKER
alter function db sql security invoker;
show function status like 'db';
Db Name Type Definer Modified Created Security_type Comment
db1_secret db FUNCTION root@localhost 0000-00-00 00:00:00 0000-00-00 00:00:00 INVOKER
call stamp(4);
select * from t1;
u i
root@localhost 1
user1@localhost 2
anon@localhost 3
root@localhost 4
select db();
db()
db1_secret
call db1_secret.stamp(5);
ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db1_secret'
select db1_secret.db();
ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db1_secret'
call db1_secret.stamp(6);
ERROR 42000: Access denied for user ''@'localhost' to database 'db1_secret'
select db1_secret.db();
ERROR 42000: Access denied for user ''@'localhost' to database 'db1_secret'
drop database if exists db2;
create database db2;
use db2;
create table t2 (s1 int);
insert into t2 values (0);
grant usage on db2.* to user1@localhost;
grant select on db2.* to user1@localhost;
grant usage on db2.* to user2@localhost;
grant select,insert,update,delete on db2.* to user2@localhost;
flush privileges;
use db2;
create procedure p () insert into t2 values (1);
call p();
ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db2'
use db2;
call p();
ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db2'
select * from t2;
s1
0
create procedure q () insert into t2 values (2);
call q();
select * from t2;
s1
0
2
use db2;
call q();
select * from t2;
s1
0
2
2
alter procedure p modifies sql data;
drop procedure p;
alter procedure q modifies sql data;
ERROR 42000: Access denied; you are not the procedure/function definer of 'db2.q'
drop procedure q;
ERROR 42000: Access denied; you are not the procedure/function definer of 'db2.q'
use db2;
alter procedure q modifies sql data;
drop procedure q;
use test;
select type,db,name from mysql.proc;
type db name
FUNCTION db1_secret db
PROCEDURE db1_secret stamp
drop database db1_secret;
drop database db2;
select type,db,name from mysql.proc;
type db name
delete from mysql.user where user='user1' or user='user2';
View Git Blame Copy Permalink