14 Oct
2014
14 Oct
'14
11:34 a.m.
Hi all,
Following queries are used to assess whether the logged in user has super,
create user and grant privileges respectively. See [1]
SELECT 1 FROM mysql.user LIMIT 1
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE PRIVILEGE_TYPE =
'CREATE USER' LIMIT 1
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE IS_GRANTABLE = 'YES'
LIMIT 1
However, if I create a user with all global privileges except for 'GRANT',
'SUPER', and 'CREATE USER' privileges all the above queries return 1
since
the queries does not check for the grantee column. Rows corresponding to
root user make all these queries return 1.
This obviously looks a bug to me. I'm writing to make sure that I'm not
missing out on something obvious.
[1]
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/DatabaseInte…
--
Thanks and Regards,
Madhura Jayaratne
14 Oct
14 Oct
3:08 p.m.
Madhura Jayaratne a écrit :
Hi all,
Following queries are used to assess whether the logged in user has super,
create user and grant privileges respectively. See [1]
SELECT 1 FROM mysql.user LIMIT 1
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE PRIVILEGE_TYPE =
'CREATE USER' LIMIT 1
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE IS_GRANTABLE = 'YES'
LIMIT 1
However, if I create a user with all global privileges except for 'GRANT',
'SUPER', and 'CREATE USER' privileges all the above queries return 1
since
the queries does not check for the grantee column. Rows corresponding to
root user make all these queries return 1.
This obviously looks a bug to me. I'm writing to make sure that I'm not
missing out on something obvious.
[1]
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/DatabaseInte…
Yes, this looks like a bug.
--
Marc Delisle (phpMyAdmin)
3:40 p.m.
Hi all,
On Tue, Oct 14, 2014 at 2:04 PM, Madhura Jayaratne <madhura.cj(a)gmail.com>
wrote:
Hi all,
Following queries are used to assess whether the logged in user has super,
create user and grant privileges respectively. See [1]
SELECT 1 FROM mysql.user LIMIT 1
This is used to see if user is phpMyAdmin superuser and for phpMyAdmin, the
super user is the user having read access to `mysql.user`.
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE
PRIVILEGE_TYPE =
'CREATE USER' LIMIT 1
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE IS_GRANTABLE =
'YES'
LIMIT 1
However, if I create a user with all global privileges except for 'GRANT',
'SUPER', and 'CREATE USER' privileges all the above queries return 1
since
the queries does not check for the grantee column. Rows corresponding to
root user make all these queries return 1.
Similarly, USER_PRIVILEGES tells about the global privileges of current
logged in user. Even if user is not having Global GRANT privilege he can
still grant privileges to user (those privileges which he has), So, he is
kind of a GRANT user for phpmyadmin.
I don't know why, but I created a similar user that you have created but
using that new user can still create more users using that new user.
This obviously looks a bug to me. I'm writing to
make sure that I'm not
missing out on something obvious.
Correct me if I am wrong anywhere. I am doing some more research on it.
[1]
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/DatabaseInte…
--
Thanks and Regards,
Madhura Jayaratne
------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Phpmyadmin-devel mailing list
Phpmyadmin-devel(a)lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
--
Regards,
Chirayu Chiripal
https://chirayuchiripal.wordpress.com/
3:57 p.m.
On Tue, Oct 14, 2014 at 6:10 PM, Chirayu Chiripal <
chirayu.chiripal(a)gmail.com> wrote:
--
Regards,
Chirayu Chiripal
https://chirayuchiripal.wordpress.com/
Hi all,
On Tue, Oct 14, 2014 at 2:04 PM, Madhura Jayaratne <madhura.cj(a)gmail.com>
wrote:
I just saw my previous research (for some RFE in which this task was done).
Actually, the user needs either of global CREATE_USER or INSERT privileges
on mysql table (So he can still create user w/o having global create user).
So each of the queries looks fine to me.
Also, If I am not wrong, GRANTEE is the user from which he got those
particular privileges and is not the current user itself.
Hi all,
Following queries are used to assess whether the logged in user has
super, create user and grant privileges respectively. See [1]
SELECT 1 FROM mysql.user LIMIT 1
This is used to see if user is phpMyAdmin superuser and for phpMyAdmin,
the super user is the user having read access to `mysql.user`.
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE =
'CREATE USER' LIMIT 1
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE IS_GRANTABLE =
'YES' LIMIT 1
However, if I create a user with all global privileges except for
'GRANT', 'SUPER', and 'CREATE USER' privileges all the above
queries return
1 since the queries does not check for the grantee column. Rows
corresponding to root user make all these queries return 1.
Similarly, USER_PRIVILEGES tells about the global privileges of current
logged in user. Even if user is not having Global GRANT privilege he can
still grant privileges to user (those privileges which he has), So, he is
kind of a GRANT user for phpmyadmin.
I don't know why, but I created a similar user that you have created but
using that new user can still create more users using that new user.
This obviously looks a bug to me. I'm writing
to make sure that I'm not
missing out on something obvious.
Correct me if I am wrong anywhere. I am doing some more research on it.
[1]
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/DatabaseInte…
--
Thanks and Regards,
Madhura Jayaratne
------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Phpmyadmin-devel mailing list
Phpmyadmin-devel(a)lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
--
Regards,
Chirayu Chiripal
https://chirayuchiripal.wordpress.com/
5:03 p.m.
On Tue, Oct 14, 2014 at 6:27 PM, Chirayu Chiripal <
chirayu.chiripal(a)gmail.com> wrote:
On Tue, Oct 14, 2014 at 6:10 PM, Chirayu Chiripal <
chirayu.chiripal(a)gmail.com> wrote:
Thanks. This seems to be true. If I remove INSERT global privilege from the
user he no longer can create a new user (He was already lacking CREATE_USER
privileges)
Hi all,
On Tue, Oct 14, 2014 at 2:04 PM, Madhura Jayaratne <madhura.cj(a)gmail.com>
wrote:
I just saw my previous research (for some RFE in which this task was
done). Actually, the user needs either of global CREATE_USER or INSERT
privileges on mysql table (So he can still create user w/o having global
create user).
Hi all,
Following queries are used to assess whether the logged in user has
super, create user and grant privileges respectively. See [1]
SELECT 1 FROM mysql.user LIMIT 1
This is used to see if user is phpMyAdmin superuser and for phpMyAdmin,
the super user is the user having read access to `mysql.user`.
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE =
'CREATE USER' LIMIT 1
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE IS_GRANTABLE =
'YES' LIMIT 1
However, if I create a user with all global privileges except for
'GRANT', 'SUPER', and 'CREATE USER' privileges all the above
queries return
1 since the queries does not check for the grantee column. Rows
corresponding to root user make all these queries return 1.
Similarly, USER_PRIVILEGES tells about the global privileges of current
logged in user. Even if user is not having Global GRANT privilege he can
still grant privileges to user (those privileges which he has), So, he is
kind of a GRANT user for phpmyadmin.
I don't know why, but I created a similar user that you have created but
using that new user can still create more users using that new user.
So each of the queries looks fine to me.
I'm not too sure. The issue is these queries lacking a WHERE GRANTEE =
<current user> clause.
Also, If I am not wrong, GRANTEE is the user from which he got those
particular privileges and is not the current user itself.
If this is true a freshly created use would not have an entry in the
USER_PRIVILEGES table (since the new user has not granted anything), but
this is not the case.
--
Thanks and Regards,
Madhura Jayaratne
7:35 p.m.
On Tue, Oct 14, 2014 at 7:33 PM, Madhura Jayaratne <madhura.cj(a)gmail.com>
wrote:
--
Regards,
Chirayu Chiripal
https://chirayuchiripal.wordpress.com/
On Tue, Oct 14, 2014 at 6:27 PM, Chirayu Chiripal <
chirayu.chiripal(a)gmail.com> wrote:
Yeah, sorry. My bad. But in that case, We need to check for
SCHEMA_PRIVILEGES as well now (at least for CREATE USER privileges).
On Tue, Oct 14, 2014 at 6:10 PM, Chirayu Chiripal <
chirayu.chiripal(a)gmail.com> wrote:
Thanks. This seems to be true. If I remove INSERT global privilege from
the user he no longer can create a new user (He was already
lacking CREATE_USER privileges)
Hi all,
On Tue, Oct 14, 2014 at 2:04 PM, Madhura Jayaratne <madhura.cj(a)gmail.com
I just saw my previous research (for some RFE in which this task was
done). Actually, the user needs either of global CREATE_USER or INSERT
privileges on mysql table (So he can still create user w/o having global
create user).
wrote:
Hi all,
Following queries are used to assess whether the logged in user has
super, create user and grant privileges respectively. See [1]
SELECT 1 FROM mysql.user LIMIT 1
This is used to see if user is phpMyAdmin superuser and for phpMyAdmin,
the super user is the user having read access to `mysql.user`.
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE =
'CREATE USER' LIMIT 1
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE IS_GRANTABLE =
'YES' LIMIT 1
However, if I create a user with all global privileges except for
'GRANT', 'SUPER', and 'CREATE USER' privileges all the above
queries return
1 since the queries does not check for the grantee column. Rows
corresponding to root user make all these queries return 1.
Similarly, USER_PRIVILEGES tells about the global privileges of current
logged in user. Even if user is not having Global GRANT privilege he can
still grant privileges to user (those privileges which he has), So, he is
kind of a GRANT user for phpmyadmin.
I don't know why, but I created a similar user that you have created but
using that new user can still create more users using that new user.
So each of the queries looks fine to me.
I'm not too sure. The issue is these queries lacking a WHERE GRANTEE =
<current user> clause.
Also, If I am not wrong, GRANTEE is the user from
which he got those
particular privileges and is not the current user itself.
If this is true a freshly created use would not have an entry in the
USER_PRIVILEGES table (since the new user has not granted anything), but
this is not the case.
--
Thanks and Regards,
Madhura Jayaratne
------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Phpmyadmin-devel mailing list
Phpmyadmin-devel(a)lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
4:50 p.m.
On Tue, Oct 14, 2014 at 6:10 PM, Chirayu Chiripal <
chirayu.chiripal(a)gmail.com> wrote:
I can not seem to do this. My user has SELECT global privilege but fails to
grant the same to another user. I get
#1045 - Access denied for user 'aaaa'@'localhost' (using password: NO)
--
Thanks and Regards,
Madhura Jayaratne
Hi all,
On Tue, Oct 14, 2014 at 2:04 PM, Madhura Jayaratne <madhura.cj(a)gmail.com>
wrote:
Yes, super user has been defined in lighter sense inside phpMyAdmin and
seems to differ from SUPER global privilege of MySQL. So I guess this is
fine.
Hi all,
Following queries are used to assess whether the logged in user has
super, create user and grant privileges respectively. See [1]
SELECT 1 FROM mysql.user LIMIT 1
This is used to see if user is phpMyAdmin superuser and for phpMyAdmin,
the super user is the user having read access to `mysql.user`.
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE =
'CREATE USER' LIMIT 1
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE IS_GRANTABLE =
'YES' LIMIT 1
However, if I create a user with all global privileges except for
'GRANT', 'SUPER', and 'CREATE USER' privileges all the above
queries return
1 since the queries does not check for the grantee column. Rows
corresponding to root user make all these queries return 1.
Similarly, USER_PRIVILEGES tells about the global privileges of current
logged in user. Even if user is not having Global GRANT privilege he can
still grant privileges to user (those privileges which he has), So, he is
kind of a GRANT user for phpmyadmin.
I don't know why, but I created a similar user that you have created but
using that new user can still create more users using that new user.
I can do this.
This obviously looks a bug to me. I'm writing
to make sure that I'm not
missing out on something obvious.
Correct me if I am wrong anywhere. I am doing some more research on it.e
push notifications.
>
> Thanks.
3625
days inactive
3625
days old
6 comments
3 participants
participants (3)
-
Chirayu Chiripal -
Madhura Jayaratne -
Marc Delisle