Re: [cobalt-users] mysql bug which gives users access to create databases etc.
- Subject: Re: [cobalt-users] mysql bug which gives users access to create databases etc.
- From: Alex Krohn <alex@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon Sep 23 17:32:00 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hi Kim,
> Can anyone else verify this?
> I came across a bug in MySQL
> $mysql -V
> mysql Ver 11.15 Distrib 3.23.37, for pc-linux-gnu (i686)
>
> If a user has an _ (underscore) in their username, then this user can
> modify (add, delete, select etc.) in all databases where the username is
> the same as the user with the _ (it works as a wildcard).
>
> E.g. user site_2 can access his own database db_2 but he can also access
> user site22's database db22.
> If the database doesn't exist, then the user can create it (both as
> user_2 and as any other userX2 - where X can be anything).
>
> Is this bug known and does it only apply to the Raq version of MySQL?

It's not RaQ specific, it's an issue with MySQL. Also it's any underscore (or
percent) in user or database, doesn't have to be in username:

# mysqladmin create db_2
# mysqladmin create db22
mysql> grant all on db_2.* to user1@localhost identified by 'pass';
[root@north root]# mysql -uuser1 -ppass db_2 -e 'create table abc (a int)'
[root@north root]# mysql -uuser1 -ppass db22 -e 'create table abc (a int)'

Second one should have failed, but works. It's most likely a feature so you
can wildcard username or databases in access control, but if you are not aware
of it, it could definitely get you.

Cheers,
Alex
--
Alex Krohn
alex@xxxxxxxxxxxxxxxxxxxx
http://gossamer-threads.com/cobalt/
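
An added example, not part of the original message or of MySQL itself: a small audit that reads database-level grant patterns the way the thread describes (`_` as any one character, `%` as any run of characters) and reports grants that reach databases beyond the literal name, together with the escaped pattern to grant instead. The sample users and databases are constructed, the helper names are hypothetical, and the matching assumes MySQL's documented `\_` and `\%` escapes for literal characters and ignores case-sensitivity settings.

```python
import re

def grant_pattern_to_regex(pattern):
    """Compile a database-level grant pattern (LIKE syntax, backslash escape) to a regex."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and pattern[i + 1:i + 2] in ("_", "%"):
            parts.append(re.escape(pattern[i + 1]))  # \_ or \% is a literal character
            i += 2
            continue
        parts.append("." if ch == "_" else ".*" if ch == "%" else re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.DOTALL)

def literal_name(pattern):
    """The database name the grant was presumably meant for (escapes removed)."""
    return re.sub(r"\\([_%])", r"\1", pattern)

def escaped_pattern(name):
    """Grant pattern that matches only `name`."""
    return re.sub(r"([_%])", r"\\\1", name)

def audit(grants, databases):
    """Return (user, pattern, extra_databases, suggested_pattern) for over-broad grants."""
    findings = []
    for user, pattern in grants:
        rx = grant_pattern_to_regex(pattern)
        intended = literal_name(pattern)
        extra = sorted(db for db in databases if rx.fullmatch(db) and db != intended)
        if extra:
            findings.append((user, pattern, extra, escaped_pattern(intended)))
    return findings

# Constructed sample data, shaped like the (User, Db) columns of mysql.db.
DATABASES = ["db_2", "db22", "dbx2", "db_20", "shop"]
GRANTS = [("user1", "db_2"), ("user2", "db\\_2"), ("user3", "shop")]

if __name__ == "__main__":
    for user, pattern, extra, fix in audit(GRANTS, DATABASES):
        print(f"{user}: grant on {pattern!r} also covers {extra}; use {fix!r}")
```

With the escaped form the grant from the message would be written as grant all on `db\_2`.* to user1@localhost, which no longer matches db22.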