[Phpmyadmin-devel] Logical error in assessing privileges?

Madhura Jayaratne madhura.cj at gmail.com
Tue Oct 14 15:50:16 CEST 2014


On Tue, Oct 14, 2014 at 6:10 PM, Chirayu Chiripal <
chirayu.chiripal at gmail.com> wrote:

> Hi all,
>
> On Tue, Oct 14, 2014 at 2:04 PM, Madhura Jayaratne <madhura.cj at gmail.com>
> wrote:
>
>> Hi all,
>>
>> The following queries are used to assess whether the logged in user has
>> super, create user and grant privileges respectively. See [1]
>>
>> SELECT 1 FROM mysql.user LIMIT 1
>>
>
> This is used to see if the user is a phpMyAdmin superuser, and for phpMyAdmin
> the super user is the user having read access to `mysql.user`.
>

Yes, super user has been defined in a lighter sense inside phpMyAdmin and
seems to differ from the SUPER global privilege of MySQL. So I guess this is
fine.

>
>
>> SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE PRIVILEGE_TYPE =
>> 'CREATE USER' LIMIT 1
>>
>> SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE IS_GRANTABLE =
>> 'YES' LIMIT 1
>>
>>
>> However, if I create a user with all global privileges except for the
>> 'GRANT', 'SUPER', and 'CREATE USER' privileges, all the above queries return
>> 1 since the queries do not check the grantee column. Rows
>> corresponding to the root user make all these queries return 1.
>>
>
> Similarly, USER_PRIVILEGES tells about the global privileges of the currently
> logged in user. Even if the user does not have the global GRANT privilege, he can
> still grant privileges to a user (those privileges which he has). So he is
> kind of a GRANT user for phpMyAdmin.
>

I cannot seem to do this. My user has the SELECT global privilege but fails to
grant the same to another user. I get

#1045 - Access denied for user 'aaaa'@'localhost' (using password: NO)

>
> I don't know why, but I created a user similar to the one you created, but
> using that new user I can still create more users.
>

I can do this.

>
>
>> This obviously looks like a bug to me. I'm writing to make sure that I'm not
>> missing out on something obvious.
>>
>
> Correct me if I am wrong anywhere. I am doing some more research on it.
>
>>
>> Thanks.



-- 
Thanks and Regards,

Madhura Jayaratne
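
The checks discussed in this message, restricted to the connected account, as an added example for MySQL that is not part of the original thread and is not phpMyAdmin's code. It matters when the account can see other accounts' rows in `USER_PRIVILEGES`; it assumes the account name contains no single quote.

```sql
-- GRANTEE is stored quoted ('aaaa'@'localhost') while CURRENT_USER()
-- returns aaaa@localhost, so the quoted form is rebuilt before comparing.
-- The host is whatever follows the last '@'; the user is everything before it.

-- Unscoped, as quoted in the thread: any visible row satisfies it.
SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE = 'CREATE USER' LIMIT 1;

-- Scoped: CREATE USER held by the connected account itself.
SELECT 1
FROM INFORMATION_SCHEMA.USER_PRIVILEGES AS p
JOIN (
    SELECT CONCAT('''', LEFT(cu, CHAR_LENGTH(cu) - CHAR_LENGTH(h) - 1),
                  '''@''', h, '''') AS grantee
    FROM (SELECT CURRENT_USER() AS cu,
                 SUBSTRING_INDEX(CURRENT_USER(), '@', -1) AS h) AS x
) AS me ON p.GRANTEE = me.grantee
WHERE p.PRIVILEGE_TYPE = 'CREATE USER'
LIMIT 1;

-- Scoped: at least one global privilege the connected account may grant onward.
SELECT 1
FROM INFORMATION_SCHEMA.USER_PRIVILEGES AS p
JOIN (
    SELECT CONCAT('''', LEFT(cu, CHAR_LENGTH(cu) - CHAR_LENGTH(h) - 1),
                  '''@''', h, '''') AS grantee
    FROM (SELECT CURRENT_USER() AS cu,
                 SUBSTRING_INDEX(CURRENT_USER(), '@', -1) AS h) AS x
) AS me ON p.GRANTEE = me.grantee
WHERE p.IS_GRANTABLE = 'YES'
LIMIT 1;
```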