[Phpmyadmin-devel] CREATE TEMPORARY TABLE global priv

Hi, I just upgraded to MySQL 4.0.12. Someone please explain why a user with CREATE TEMPORARY TABLE is seen by phpMyAdmin as a superuser ($is_superuser is TRUE, this is because USE MYSQL works!) And he sees all databases (but no table). My users got this priv because the had global FILE, I guess. Marc

On Thu, Mar 20, 2003 at 12:49:00PM -0500, Marc Delisle wrote:
I just upgraded to MySQL 4.0.12. Someone please explain why a user with CREATE TEMPORARY TABLE is seen by phpMyAdmin as a superuser ($is_superuser is TRUE, this is because USE MYSQL works!) having global CREATE TEMP TABLE, you can use that on ANY db, hence mysql treats you as a superuser.
This is actually a glitch in upgrading from 3.23 to 4.0, because of how the new permission system works. just select all your non super users and do: REVOKE CREATE TEMPORARY TABLE, FILE ON *.* FROM <user> Global privelges are bad, unless you trust the user. -- Robin Hugh Johnson E-Mail : robbat2@orbis-terrarum.net Home Page : http://www.orbis-terrarum.net/?l=people.robbat2 ICQ# : 30269588 or 41961639 GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85

Robin H. Johnson wrote:
On Thu, Mar 20, 2003 at 12:49:00PM -0500, Marc Delisle wrote:
I just upgraded to MySQL 4.0.12. Someone please explain why a user with CREATE TEMPORARY TABLE is seen by phpMyAdmin as a superuser ($is_superuser is TRUE, this is because USE MYSQL works!)
having global CREATE TEMP TABLE, you can use that on ANY db, hence mysql treats you as a superuser.
This is actually a glitch in upgrading from 3.23 to 4.0, because of how the new permission system works. just select all your non super users and do: REVOKE CREATE TEMPORARY TABLE, FILE ON *.* FROM <user>
Global privelges are bad, unless you trust the user.
I agree, however, global FILE is required for LOAD DATA INFILE. Which makes me think that we should offer another way to load text files, that emulates LOAD DATA INFILE options but does not rely on FILE priv. Marc

-----Original Message----- From: Robin H. Johnson
having global CREATE TEMP TABLE, you can use that on ANY db,
Nope! CREATE TEMPORARY TABLES is just a flag that manages if a user may use the TEMPORARY keyword when creating a table. It does NOT bypass the CREATE privilege which is still required for creating temporary tables. When running MySQL's upgrade script, the CREATE TEMPORARY TABLES privilege is automatically granted to each user because this is actually the setting in MySQL 3.23. Alexander M. Turek <alex@bugfixes.info> +-----------------------------+ | The phpMyAdmin Project | | http://www.phpmyadmin.net | | rabus@users.sourceforge.net | +-----------------------------+ | [bugfixes.info] | | http://www.bugfixes.info | | rabus@bugfixes.info | +-----------------------------+

Rabus wrote:
-----Original Message----- From: Robin H. Johnson
having global CREATE TEMP TABLE, you can use that on ANY db,
Nope! CREATE TEMPORARY TABLES is just a flag that manages if a user may use the TEMPORARY keyword when creating a table. It does NOT bypass the CREATE privilege which is still required for creating temporary tables.
When running MySQL's upgrade script, the CREATE TEMPORARY TABLES privilege is automatically granted to each user because this is actually the setting in MySQL 3.23.
Alexander M. Turek <alex@bugfixes.info>
Alexander, so, why can a user do USE MYSQL when he has CREATE TEMPORARY TABLES? Marc

Hi Marc & list, -----Original Message----- From: Marc Delisle [mailto:delislma@CollegeSherbrooke.qc.ca]
Alexander,
so, why can a user do USE MYSQL when he has CREATE TEMPORARY TABLES?
Because of a MySQL bug...? I'm going to report this to MySQL. Regards, Alexander M. Turek <alex@bugfixes.info> +-----------------------------+ | The phpMyAdmin Project | | http://www.phpmyadmin.net | | rabus@users.sourceforge.net | +-----------------------------+ | [bugfixes.info] | | http://www.bugfixes.info | | rabus@bugfixes.info | +-----------------------------+
participants (3)
-
Marc Delisle
-
Rabus
-
Robin H. Johnson