[Phpmyadmin-devel] Logical error in assessing privileges?
madhura.cj at gmail.com
Tue Oct 14 16:03:05 CEST 2014
On Tue, Oct 14, 2014 at 6:27 PM, Chirayu Chiripal <
chirayu.chiripal at gmail.com> wrote:
> On Tue, Oct 14, 2014 at 6:10 PM, Chirayu Chiripal <
> chirayu.chiripal at gmail.com> wrote:
>> Hi all,
>> On Tue, Oct 14, 2014 at 2:04 PM, Madhura Jayaratne <madhura.cj at gmail.com>
>>> Hi all,
>>> Following queries are used to assess whether the logged in user has
>>> super, create user and grant privileges respectively. See 
>>> SELECT 1 FROM mysql.user LIMIT 1
>> This is used to see if user is phpMyAdmin superuser and for phpMyAdmin,
>> the super user is the user having read access to `mysql.user`.
>>> SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE PRIVILEGE_TYPE =
>>> 'CREATE USER' LIMIT 1
>>> SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE IS_GRANTABLE =
>>> 'YES' LIMIT 1
>>> However, if I create a user with all global privileges except for
>>> 'GRANT', 'SUPER', and 'CREATE USER' privileges, all the above queries return
>>> 1 since the queries do not check the grantee column. Rows
>>> corresponding to the root user make all these queries return 1.
>> Similarly, USER_PRIVILEGES tells about the global privileges of the currently
>> logged in user. Even if the user does not have the global GRANT privilege, he can
>> still grant privileges to a user (those privileges which he has). So, he is
>> kind of a GRANT user for phpMyAdmin.
>> I don't know why, but I created a user similar to the one you created, but
>> I can still create more users using that new user.
> I just saw my previous research (for some RFE in which this task was
> done). Actually, the user needs either global CREATE_USER or INSERT
> privileges on the mysql table (so he can still create a user w/o having global
> create user).
Thanks. This seems to be true. If I remove the INSERT global privilege from the
user, he can no longer create a new user (he was already lacking CREATE_USER
> So each of the queries looks fine to me.
I'm not too sure. The issue is that these queries lack a WHERE GRANTEE =
<current user> clause.
> Also, if I am not wrong, GRANTEE is the user from which he got those
> particular privileges and is not the current user itself.
If this is true, a freshly created user would not have an entry in the
USER_PRIVILEGES table (since the new user has not granted anything), but
this is not the case.
Thanks and Regards,
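
Added example (not part of the thread and not phpMyAdmin's code): a Python/sqlite3 model of INFORMATION_SCHEMA.USER_PRIVILEGES that compares the unfiltered checks quoted above with the same checks restricted by GRANTEE. The rows, the account names `limited` and `reader`, and all helper names are constructed; it assumes the logged-in account can see other grantees' rows, and it follows the thread in treating global INSERT as sufficient to add users.

```python
import sqlite3

# Constructed rows: what an account able to read every grantee's rows might see.
# MySQL stores GRANTEE in quoted form, e.g. 'root'@'localhost'.
ROWS = [
    ("'root'@'localhost'", "SELECT", "YES"),
    ("'root'@'localhost'", "INSERT", "YES"),
    ("'root'@'localhost'", "CREATE USER", "YES"),
    ("'limited'@'localhost'", "SELECT", "NO"),
    ("'limited'@'localhost'", "INSERT", "NO"),
    ("'reader'@'localhost'", "SELECT", "NO"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE USER_PRIVILEGES "
               "(GRANTEE TEXT, PRIVILEGE_TYPE TEXT, IS_GRANTABLE TEXT)")
    db.executemany("INSERT INTO USER_PRIVILEGES VALUES (?, ?, ?)", ROWS)
    return db

def grantee(current_user):
    """Convert user@host (CURRENT_USER() style) to the quoted GRANTEE form.
    Assumes the names contain no quote characters."""
    user, _, host = current_user.rpartition("@")
    return "'{}'@'{}'".format(user, host)

def has_row(db, condition, params=()):
    sql = "SELECT 1 FROM USER_PRIVILEGES WHERE " + condition + " LIMIT 1"
    return db.execute(sql, params).fetchone() is not None

def unfiltered(db):
    """The two USER_PRIVILEGES checks as quoted in the thread."""
    return {"create_user": has_row(db, "PRIVILEGE_TYPE = 'CREATE USER'"),
            "grant": has_row(db, "IS_GRANTABLE = 'YES'")}

def filtered(db, current_user):
    """The same checks limited to the logged-in account's own rows."""
    g = grantee(current_user)
    own = "GRANTEE = ? AND "
    return {"create_user": has_row(db, own + "PRIVILEGE_TYPE = 'CREATE USER'", (g,)),
            "can_add_users": has_row(
                db, own + "PRIVILEGE_TYPE IN ('CREATE USER', 'INSERT')", (g,)),
            "grant": has_row(db, own + "IS_GRANTABLE = 'YES'", (g,))}

if __name__ == "__main__":
    db = make_db()
    print("unfiltered:", unfiltered(db))
    for account in ("root@localhost", "limited@localhost", "reader@localhost"):
        print(account, filtered(db, account))
```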