[Phpmyadmin-devel] Logical error in assessing privileges?

Chirayu Chiripal chirayu.chiripal at gmail.com
Tue Oct 14 18:35:30 CEST 2014


On Tue, Oct 14, 2014 at 7:33 PM, Madhura Jayaratne <madhura.cj at gmail.com>
wrote:

>
>
> On Tue, Oct 14, 2014 at 6:27 PM, Chirayu Chiripal <
> chirayu.chiripal at gmail.com> wrote:
>
>>
>>
>> On Tue, Oct 14, 2014 at 6:10 PM, Chirayu Chiripal <
>> chirayu.chiripal at gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> On Tue, Oct 14, 2014 at 2:04 PM, Madhura Jayaratne <madhura.cj at gmail.com
>>> > wrote:
>>>
>>>> Hi all,
>>>>
>>>> Following queries are used to assess whether the logged in user has
>>>> super, create user and grant privileges respectively. See [1]
>>>>
>>>> SELECT 1 FROM mysql.user LIMIT 1
>>>>
>>>
>>> This is used to see if user is phpMyAdmin superuser and for phpMyAdmin,
>>> the super user is the user having read access to `mysql.user`.
>>>
>>>
>>>> SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE PRIVILEGE_TYPE =
>>>> 'CREATE USER' LIMIT 1
>>>>
>>> SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE IS_GRANTABLE =
>>>> 'YES' LIMIT 1
>>>>
>>>>
>>>> However, if I create a user with all global privileges except for
>>>> 'GRANT', 'SUPER', and 'CREATE USER' privileges all the above queries return
>>>> 1 since the queries does not check for the grantee column. Rows
>>>> corresponding to root user make all these queries return 1.
>>>>
>>>
>>> Similarly, USER_PRIVILEGES tells about the global privileges of current
>>> logged in user. Even if user is not having Global GRANT privilege he can
>>> still grant privileges to user (those privileges which he has), So, he is
>>> kind of a GRANT user for phpmyadmin.
>>>
>>> I don't know why, but I created a similar user that you have created but
>>> using that new user can still create more users using that new user.
>>>
>>
>> I just saw my previous research (for some RFE in which this task was
>> done). Actually, the user needs either of global CREATE_USER or INSERT
>> privileges on mysql table (So he can still create user w/o having global
>> create user).
>>
>
> Thanks. This seems to be true. If I remove INSERT global privilege from
> the user he no longer can create a new user (He was already
> lacking CREATE_USER  privileges)
>
>
>> So each of the queries looks fine to me.
>>
>
> I'm not too sure. The issue is these queries lacking a WHERE GRANTEE  =
> <current user> clause.
>

Yeah, sorry. My bad. But in that case, We need to check for
SCHEMA_PRIVILEGES as well now (at least for CREATE USER privileges).


>
>> Also, If I am not wrong, GRANTEE is the user from which he got those
>> particular privileges and is not the current user itself.
>>
>>
> If this is true a freshly created use would not have an entry in the
> USER_PRIVILEGES table (since the new user has not granted anything), but
> this is not the case.
>
>
> --
> Thanks and Regards,
>
> Madhura Jayaratne
>
>
>
> ------------------------------------------------------------------------------
> Comprehensive Server Monitoring with Site24x7.
> Monitor 10 servers for $9/Month.
> Get alerted through email, SMS, voice calls or mobile push notifications.
> Take corrective actions from your mobile device.
> http://p.sf.net/sfu/Zoho
> _______________________________________________
> Phpmyadmin-devel mailing list
> Phpmyadmin-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
>
>


-- 
Regards,
Chirayu Chiripal
https://chirayuchiripal.wordpress.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phpmyadmin.net/pipermail/developers/attachments/20141014/c7637c90/attachment.html>


More information about the Developers mailing list