[Phpmyadmin-devel] Logical error in assessing privileges?

Chirayu Chiripal chirayu.chiripal at gmail.com
Tue Oct 14 14:57:52 CEST 2014 

On Tue, Oct 14, 2014 at 6:10 PM, Chirayu Chiripal <
chirayu.chiripal at gmail.com> wrote:

> Hi all,
>
> On Tue, Oct 14, 2014 at 2:04 PM, Madhura Jayaratne <madhura.cj at gmail.com>
> wrote:
>
>> Hi all,
>>
>> Following queries are used to assess whether the logged in user has
>> super, create user and grant privileges respectively. See [1]
>>
>> SELECT 1 FROM mysql.user LIMIT 1
>>
>
> This is used to see if user is phpMyAdmin superuser and for phpMyAdmin,
> the super user is the user having read access to `mysql.user`.
>
>
>> SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE PRIVILEGE_TYPE =
>> 'CREATE USER' LIMIT 1
>>
> SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE IS_GRANTABLE =
>> 'YES' LIMIT 1
>>
>>
>> However, if I create a user with all global privileges except for
>> 'GRANT', 'SUPER', and 'CREATE USER' privileges all the above queries return
>> 1 since the queries does not check for the grantee column. Rows
>> corresponding to root user make all these queries return 1.
>>
>
> Similarly, USER_PRIVILEGES tells about the global privileges of current
> logged in user. Even if user is not having Global GRANT privilege he can
> still grant privileges to user (those privileges which he has), So, he is
> kind of a GRANT user for phpmyadmin.
>
> I don't know why, but I created a similar user that you have created but
> using that new user can still create more users using that new user.
>

I just saw my previous research (for some RFE in which this task was done).
Actually, the user needs either of global CREATE_USER or INSERT privileges
on mysql table (So he can still create user w/o having global create user).
So each of the queries looks fine to me.

Also, If I am not wrong, GRANTEE is the user from which he got those
particular privileges and is not the current user itself.


>
>
>> This obviously looks a bug to me. I'm writing to make sure that I'm not
>> missing out on something obvious.
>>
>
> Correct me if I am wrong anywhere. I am doing some more research on it.
>
>
>>
>> [1]
>> https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/DatabaseInterface.class.php#L1917
>>
>>
>> --
>> Thanks and Regards,
>>
>> Madhura Jayaratne
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Comprehensive Server Monitoring with Site24x7.
>> Monitor 10 servers for $9/Month.
>> Get alerted through email, SMS, voice calls or mobile push notifications.
>> Take corrective actions from your mobile device.
>> http://p.sf.net/sfu/Zoho
>> _______________________________________________
>> Phpmyadmin-devel mailing list
>> Phpmyadmin-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
>>
>>
>
>
> --
> Regards,
> Chirayu Chiripal
> https://chirayuchiripal.wordpress.com/
>



-- 
Regards,
Chirayu Chiripal
https://chirayuchiripal.wordpress.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phpmyadmin.net/pipermail/developers/attachments/20141014/58eb406f/attachment.html>

More information about the Developers mailing list