Hi,
I just upgraded to MySQL 4.0.12. Someone please explain why a user with CREATE TEMPORARY TABLE is seen by phpMyAdmin as a superuser ($is_superuser is TRUE, this is because USE MYSQL works!)
And he sees all databases (but no table).
My users got this priv because the had global FILE, I guess.
Marc
On Thu, Mar 20, 2003 at 12:49:00PM -0500, Marc Delisle wrote:
I just upgraded to MySQL 4.0.12. Someone please explain why a user with CREATE TEMPORARY TABLE is seen by phpMyAdmin as a superuser ($is_superuser is TRUE, this is because USE MYSQL works!)
having global CREATE TEMP TABLE, you can use that on ANY db, hence mysql treats you as a superuser.
This is actually a glitch in upgrading from 3.23 to 4.0, because of how the new permission system works. just select all your non super users and do: REVOKE CREATE TEMPORARY TABLE, FILE ON *.* FROM <user>
Global privelges are bad, unless you trust the user.
Robin H. Johnson wrote:
On Thu, Mar 20, 2003 at 12:49:00PM -0500, Marc Delisle wrote:
I just upgraded to MySQL 4.0.12. Someone please explain why a user with CREATE TEMPORARY TABLE is seen by phpMyAdmin as a superuser ($is_superuser is TRUE, this is because USE MYSQL works!)
having global CREATE TEMP TABLE, you can use that on ANY db, hence mysql treats you as a superuser.
This is actually a glitch in upgrading from 3.23 to 4.0, because of how the new permission system works. just select all your non super users and do: REVOKE CREATE TEMPORARY TABLE, FILE ON *.* FROM <user>
Global privelges are bad, unless you trust the user.
I agree, however, global FILE is required for LOAD DATA INFILE. Which makes me think that we should offer another way to load text files, that emulates LOAD DATA INFILE options but does not rely on FILE priv.
Marc
-----Original Message----- From: Robin H. Johnson
having global CREATE TEMP TABLE, you can use that on ANY db,
Nope! CREATE TEMPORARY TABLES is just a flag that manages if a user may use the TEMPORARY keyword when creating a table. It does NOT bypass the CREATE privilege which is still required for creating temporary tables.
When running MySQL's upgrade script, the CREATE TEMPORARY TABLES privilege is automatically granted to each user because this is actually the setting in MySQL 3.23.
Alexander M. Turek alex@bugfixes.info
+-----------------------------+ | The phpMyAdmin Project | | http://www.phpmyadmin.net | | rabus@users.sourceforge.net | +-----------------------------+ | [bugfixes.info] | | http://www.bugfixes.info | | rabus@bugfixes.info | +-----------------------------+
Rabus wrote:
-----Original Message----- From: Robin H. Johnson
having global CREATE TEMP TABLE, you can use that on ANY db,
Nope! CREATE TEMPORARY TABLES is just a flag that manages if a user may use the TEMPORARY keyword when creating a table. It does NOT bypass the CREATE privilege which is still required for creating temporary tables.
When running MySQL's upgrade script, the CREATE TEMPORARY TABLES privilege is automatically granted to each user because this is actually the setting in MySQL 3.23.
Alexander M. Turek alex@bugfixes.info
Alexander,
so, why can a user do USE MYSQL when he has CREATE TEMPORARY TABLES?
Marc
Hi Marc & list,
-----Original Message----- From: Marc Delisle [mailto:delislma@CollegeSherbrooke.qc.ca]
Alexander,
so, why can a user do USE MYSQL when he has CREATE TEMPORARY TABLES?
Because of a MySQL bug...? I'm going to report this to MySQL.
Regards,
Alexander M. Turek alex@bugfixes.info
+-----------------------------+ | The phpMyAdmin Project | | http://www.phpmyadmin.net | | rabus@users.sourceforge.net | +-----------------------------+ | [bugfixes.info] | | http://www.bugfixes.info | | rabus@bugfixes.info | +-----------------------------+
-
Marc Delisle -
Rabus -
Robin H. Johnson