[Phpmyadmin-devel] Logical error in assessing privileges?

Madhura Jayaratne madhura.cj at gmail.com
Tue Oct 14 16:03:05 CEST 2014


On Tue, Oct 14, 2014 at 6:27 PM, Chirayu Chiripal <
chirayu.chiripal at gmail.com> wrote:

>
>
> On Tue, Oct 14, 2014 at 6:10 PM, Chirayu Chiripal <
> chirayu.chiripal at gmail.com> wrote:
>
>> Hi all,
>>
>> On Tue, Oct 14, 2014 at 2:04 PM, Madhura Jayaratne <madhura.cj at gmail.com>
>> wrote:
>>
>>> Hi all,
>>>
>>> The following queries are used to assess whether the logged-in user has
>>> super, create user and grant privileges respectively. See [1]
>>>
>>> SELECT 1 FROM mysql.user LIMIT 1
>>>
>>
>> This is used to see if the user is a phpMyAdmin superuser, and for phpMyAdmin
>> the superuser is the user having read access to `mysql.user`.
>>
>>
>>> SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE PRIVILEGE_TYPE =
>>> 'CREATE USER' LIMIT 1
>>>
>>> SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE IS_GRANTABLE =
>>> 'YES' LIMIT 1
>>>
>>>
>>> However, if I create a user with all global privileges except for the
>>> 'GRANT', 'SUPER', and 'CREATE USER' privileges, all the above queries return
>>> 1 since the queries do not check the grantee column. Rows
>>> corresponding to the root user make all these queries return 1.
>>>
>>
>> Similarly, USER_PRIVILEGES tells about the global privileges of the currently
>> logged-in user. Even if the user does not have the global GRANT privilege, he can
>> still grant privileges to a user (those privileges which he has), so he is
>> kind of a GRANT user for phpMyAdmin.
>>
>> I don't know why, but I created a user similar to the one you created, and
>> that new user can still create more users.
>>
>
> I just saw my previous research (for some RFE in which this task was
> done). Actually, the user needs either the global CREATE_USER or INSERT
> privileges on mysql table (so he can still create a user w/o having global
> create user).
>

Thanks. This seems to be true. If I remove the INSERT global privilege from the
user, he can no longer create a new user (he was already lacking CREATE_USER
privileges).


> So each of the queries looks fine to me.
>

I'm not too sure. The issue is that these queries lack a WHERE GRANTEE =
<current user> clause.

>
> Also, if I am not wrong, GRANTEE is the user from which he got those
> particular privileges and is not the current user itself.
>
>
If this is true, a freshly created user would not have an entry in the
USER_PRIVILEGES table (since the new user has not granted anything), but
this is not the case.


-- 
Thanks and Regards,

Madhura Jayaratne
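
The gap discussed in this message (the USER_PRIVILEGES checks carry no GRANTEE filter, so rows belonging to root satisfy them for any session that can see those rows) can be reproduced offline. The following is an added example, not part of the original message and not phpMyAdmin's code: it uses SQLite as a stand-in for MySQL's INFORMATION_SCHEMA, with constructed rows, a hypothetical 'limited'@'localhost' account, and hypothetical helper names (grantee_for, open_catalog, assess).

```python
import sqlite3

# Constructed rows standing in for INFORMATION_SCHEMA.USER_PRIVILEGES as seen
# by a session that can read every account's rows (the case in the thread).
ROWS = [
    ("'root'@'localhost'", "SUPER", "YES"),
    ("'root'@'localhost'", "CREATE USER", "YES"),
    ("'root'@'localhost'", "INSERT", "YES"),
    ("'limited'@'localhost'", "SELECT", "NO"),   # hypothetical account
    ("'limited'@'localhost'", "INSERT", "NO"),
]

# The two USER_PRIVILEGES checks quoted in the thread (LIMIT 1 appended later).
CHECKS = {
    "create_user": "SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES"
                   " WHERE PRIVILEGE_TYPE = 'CREATE USER'",
    "grant": "SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES"
             " WHERE IS_GRANTABLE = 'YES'",
}

def grantee_for(current_user):
    """Map CURRENT_USER()-style user@host to GRANTEE's 'user'@'host' form.
    Assumption: neither part contains a single quote."""
    user, _, host = current_user.rpartition("@")
    return "'%s'@'%s'" % (user, host)

def open_catalog():
    """SQLite stand-in: attach a schema named INFORMATION_SCHEMA and load ROWS."""
    db = sqlite3.connect(":memory:")
    db.execute("ATTACH DATABASE ':memory:' AS INFORMATION_SCHEMA")
    db.execute("CREATE TABLE INFORMATION_SCHEMA.USER_PRIVILEGES"
               " (GRANTEE TEXT, PRIVILEGE_TYPE TEXT, IS_GRANTABLE TEXT)")
    db.executemany("INSERT INTO INFORMATION_SCHEMA.USER_PRIVILEGES"
                   " VALUES (?, ?, ?)", ROWS)
    return db

def assess(db, current_user, filter_grantee):
    """Run each check, optionally restricted to the current account's rows."""
    result = {}
    for name, sql in CHECKS.items():
        params = ()
        if filter_grantee:
            sql += " AND GRANTEE = ?"
            params = (grantee_for(current_user),)
        result[name] = db.execute(sql + " LIMIT 1", params).fetchone() is not None
    return result

if __name__ == "__main__":
    db = open_catalog()
    print("unfiltered:", assess(db, "limited@localhost", False))
    print("filtered:  ", assess(db, "limited@localhost", True))
```

Against a real MySQL server the GRANTEE value would be built from CURRENT_USER() in the same quoted 'user'@'host' form.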