RE: [Phpmyadmin-devel] CREATE TEMPORARY TABLE global priv

Hi again,
-----Original Message----- From: Rabus [mailto:rabus@bugfixes.info]
Hi Marc & list,
-----Original Message----- From: Marc Delisle [mailto:delislma@CollegeSherbrooke.qc.ca]
Alexander,
so, why can a user do USE MYSQL when he has CREATE TEMPORARY TABLES?
Because of a MySQL bug...? I'm going to report this to MySQL.
My report: http://bugs.mysql.com/179
Let's see what they'll say about it :-)
Alexander M. Turek <alex@bugfixes.info>
+-----------------------------+
| The phpMyAdmin Project      |
| http://www.phpmyadmin.net   |
| rabus@users.sourceforge.net |
+-----------------------------+
| [bugfixes.info]             |
| http://www.bugfixes.info    |
| rabus@bugfixes.info         |
+-----------------------------+

Rabus wrote:
Hi again,
-----Original Message----- From: Rabus [mailto:rabus@bugfixes.info]
Hi Marc & list,
-----Original Message----- From: Marc Delisle [mailto:delislma@CollegeSherbrooke.qc.ca]
Alexander,
so, why can a user do USE MYSQL when he has CREATE TEMPORARY TABLES?
Because of a MySQL bug...? I'm going to report this to MySQL.
My report: http://bugs.mysql.com/179
Let's see what they'll say about it :-)
Well, after reading their answer, I guess we will have to rely on something else to set $is_superuser, like selecting records from mysql.user.
Marc

Hi Marc & list,
About the "CREATE TEMPORARY TABLES" privilege: I mixed something up here, it's completely independent from the CREATE privilege. The only advice I can give you is to revoke the global CREATE TEMPORARY TABLES privilege from all non-superusers and grant it to them on those databases they may access.
-----Original Message----- From: Marc Delisle
Rabus wrote:
My report: http://bugs.mysql.com/179
Let's see what they'll say about it :-)
Well, after reading their answer, I guess we will have to rely on something else to set $is_superuser, like selecting records from mysql.user.
We will have the same problem with users having a SHOW DATABASES privilege. Why not check the current user's record in the user table, if we can access it? This should be the safest way.
Regards,
Alexander M. Turek <alex@bugfixes.info>

On Mon, Mar 24, 2003 at 09:37:00AM -0500, Marc Delisle wrote:
Well, after reading their answer, I guess we will have to rely on something else to set $is_superuser, like selecting records from mysql.user.
Agreed. We will have to just follow how GRANT/REVOKE work and build up the permissions ourselves. Or use SHOW GRANTS and some work.
--
Robin Hugh Johnson
E-Mail : robbat2@orbis-terrarum.net
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ# : 30269588 or 41961639
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85

Hi Robin & list,
-----Original Message----- From: Robin H. Johnson
On Mon, Mar 24, 2003 at 09:37:00AM -0500, Marc Delisle wrote:
Well, after reading their answer, I guess we will have to rely on something else to set $is_superuser, like selecting records from mysql.user.
Agreed. We will have to just follow how GRANT/REVOKE work and build up the permissions ourselves. Or use SHOW GRANTS and some work.
Please avoid SHOW GRANTS. It's a little buggy in early 4.0 / 3.23 versions. And the big problem is that we have to know the correct Hostname as it appears in the user table. E.g. if user foo@192.168.0.% logs on from 192.168.0.26 we would intentionally build this query:
SHOW GRANTS FOR foo@192.168.0.26;
Unfortunately, this query would fail. The only way to determine a user's privileges properly is to use the `mysql` database. We should use the controluser for this purpose.
Alexander M. Turek <alex@bugfixes.info>
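
Added example (not from the thread or from phpMyAdmin's code): the mysql.user lookup the messages above argue for, written as MySQL statements together with the per-database grant advised earlier in the thread. It assumes a server that provides CURRENT_USER() and the Create_tmp_table_priv / Show_db_priv columns in mysql.user; `appdb` is a hypothetical database name, and treating Grant_priv = 'N' as "not a superuser" is an assumption of this example.

```sql
-- Added example. The foo@192.168.0.% account is the one used in the thread;
-- `appdb` is a hypothetical database name.

-- 1. On the end user's own connection: USER() reports the client as it
--    connected, CURRENT_USER() reports the mysql.user row the server matched.
SELECT USER()         AS client_identity,   -- e.g. foo@192.168.0.26
       CURRENT_USER() AS matched_account;   -- e.g. foo@192.168.0.%

-- 2. On the controluser connection (needs SELECT on mysql.user): read the
--    global privilege columns of exactly that row, using the stored Host
--    pattern rather than the client address.
SELECT User, Host,
       Grant_priv, Super_priv,
       Create_tmp_table_priv, Show_db_priv
FROM   mysql.user
WHERE  User = 'foo'
  AND  Host = '192.168.0.%';

-- 3. Audit: accounts holding CREATE TEMPORARY TABLES or SHOW DATABASES
--    globally. Assumption: rows with Grant_priv = 'N' are non-superusers
--    and therefore candidates for step 4.
SELECT User, Host, Create_tmp_table_priv, Show_db_priv, Grant_priv
FROM   mysql.user
WHERE  Create_tmp_table_priv = 'Y'
   OR  Show_db_priv = 'Y'
ORDER  BY User, Host;

-- 4. Remediation as advised in the thread: drop the global privilege and
--    grant it only on the databases the account may access.
REVOKE CREATE TEMPORARY TABLES ON *.* FROM 'foo'@'192.168.0.%';
GRANT  CREATE TEMPORARY TABLES ON `appdb`.* TO 'foo'@'192.168.0.%';

-- 5. Confirm, naming the account as stored in mysql.user.
SHOW GRANTS FOR 'foo'@'192.168.0.%';
```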

Rabus wrote:
Hi Robin & list,
-----Original Message----- From: Robin H. Johnson
On Mon, Mar 24, 2003 at 09:37:00AM -0500, Marc Delisle wrote:
Well, after reading their answer, I guess we will have to rely on something else to set $is_superuser, like selecting records from mysql.user.
Agreed. We will have to just follow how GRANT/REVOKE work and build up the permissions ourselves. Or use SHOW GRANTS and some work.
Please avoid SHOW GRANTS. It's a little buggy in early 4.0 / 3.23 versions. And the big problem is that we have to know the correct Hostname as it appears in the user table. E.g. if user foo@192.168.0.% logs on from 192.168.0.26 we would intentionally build this query:
SHOW GRANTS FOR foo@192.168.0.26;
Unfortunately, this query would fail. The only way to determine a user's privileges properly is to use the `mysql` database. We should use the controluser for this purpose.
Alexander M. Turek <alex@bugfixes.info>
Change implemented in main.php3.
Marc

Hi Marc & list,
-----Original Message----- From: Marc Delisle
Change implemented in main.php3.
According to what you are checking now, the pma controluser is a superuser, isn't it? OK, your check is better than the old one, but it's not the perfect solution...
Regards,
Alexander M. Turek <alex@bugfixes.info>

Rabus wrote:
Hi Marc & list,
-----Original Message----- From: Marc Delisle
Change implemented in main.php3.
According to what you are checking now, the pma controluser is a superuser, isn't it?
Yes, but the problem was that too many links were displayed on the main page for simple users. It's not a problem to display them for the admin who logs in with the controluser. Anyway they don't work when clicked.
Marc
OK, your check is better than the old one, but it's not the perfect solution...
Regards,
Alexander M. Turek <alex@bugfixes.info>
