authorVicențiu Ciorbaru <vicentiu@mariadb.org>2022-03-23 11:52:22 +0200
committerVicențiu Ciorbaru <vicentiu@mariadb.org>2022-03-23 11:52:48 +0200
commitb149e820bfbe5225a64fa0a1689439d307f6a441 (patch)
treef5cde083cc7c83afe7bee259b2be12bc1c4fdb19
parent2789fba407433200df7aaed2282799a7585e8728 (diff)
downloadmariadb-git-bb-10.9-vicentiu-reverse-privileges.tar.gz
MEDV-14443: Show create database deniesbb-10.9-vicentiu-reverse-privileges
-rw-r--r--mysql-test/suite/deny/show_create_database.result49
-rw-r--r--mysql-test/suite/deny/show_create_database.test58
-rw-r--r--sql/sql_show.cc9
3 files changed, 111 insertions, 5 deletions
diff --git a/mysql-test/suite/deny/show_create_database.result b/mysql-test/suite/deny/show_create_database.result
new file mode 100644
index 00000000000..fea1e2b93a9
--- /dev/null
+++ b/mysql-test/suite/deny/show_create_database.result
@@ -0,0 +1,49 @@
+create user foo;
+create database some_db comment="This is a database comment.";
+connect con1,localhost,foo,,;
+show create database some_db;
+ERROR 42000: Access denied for user 'foo'@'localhost' to database 'some_db'
+disconnect con1;
+connection default;
+grant references on some_db.* to foo;
+connect con1,localhost,foo,,;
+show create database some_db;
+Database Create Database
+some_db CREATE DATABASE `some_db` /*!40100 DEFAULT CHARACTER SET latin1 */ COMMENT 'This is a database comment.'
+disconnect con1;
+connection default;
+deny all on some_db.* to foo;
+connect con1,localhost,foo,,;
+show create database some_db;
+ERROR 42000: Access denied for user 'foo'@'localhost' to database 'some_db'
+disconnect con1;
+connection default;
+revoke deny all on some_db.* from foo;
+connect con1,localhost,foo,,;
+show create database some_db;
+Database Create Database
+some_db CREATE DATABASE `some_db` /*!40100 DEFAULT CHARACTER SET latin1 */ COMMENT 'This is a database comment.'
+disconnect con1;
+connection default;
+revoke all on some_db.* from foo;
+grant select, insert, update on some_db.* to foo;
+grant select, insert, update on *.* to foo;
+connect con1,localhost,foo,,;
+show create database some_db;
+Database Create Database
+some_db CREATE DATABASE `some_db` /*!40100 DEFAULT CHARACTER SET latin1 */ COMMENT 'This is a database comment.'
+show create database mysql;
+Database Create Database
+mysql CREATE DATABASE `mysql` /*!40100 DEFAULT CHARACTER SET latin1 */
+disconnect con1;
+connection default;
+deny select, insert, update on *.* to foo;
+connect con1,localhost,foo,,;
+show create database some_db;
+ERROR 42000: Access denied for user 'foo'@'localhost' to database 'some_db'
+show create database mysql;
+ERROR 42000: Access denied for user 'foo'@'localhost' to database 'mysql'
+disconnect con1;
+connection default;
+drop database some_db;
+drop user foo;
diff --git a/mysql-test/suite/deny/show_create_database.test b/mysql-test/suite/deny/show_create_database.test
new file mode 100644
index 00000000000..285cc4af78e
--- /dev/null
+++ b/mysql-test/suite/deny/show_create_database.test
@@ -0,0 +1,58 @@
+--source include/not_embedded.inc
+
+
+create user foo;
+create database some_db comment="This is a database comment.";
+
+--connect (con1,localhost,foo,,)
+--error ER_DBACCESS_DENIED_ERROR
+show create database some_db;
+disconnect con1;
+
+connection default;
+
+grant references on some_db.* to foo;
+
+--connect (con1,localhost,foo,,)
+show create database some_db;
+disconnect con1;
+
+connection default;
+deny all on some_db.* to foo;
+
+--connect (con1,localhost,foo,,)
+--error ER_DBACCESS_DENIED_ERROR
+show create database some_db;
+disconnect con1;
+
+connection default;
+revoke deny all on some_db.* from foo;
+
+--connect (con1,localhost,foo,,)
+show create database some_db;
+disconnect con1;
+
+connection default;
+revoke all on some_db.* from foo;
+grant select, insert, update on some_db.* to foo;
+grant select, insert, update on *.* to foo;
+
+--connect (con1,localhost,foo,,)
+show create database some_db;
+show create database mysql;
+disconnect con1;
+
+connection default;
+deny select, insert, update on *.* to foo;
+
+--connect (con1,localhost,foo,,)
+--error ER_DBACCESS_DENIED_ERROR
+show create database some_db;
+--error ER_DBACCESS_DENIED_ERROR
+show create database mysql;
+disconnect con1;
+
+connection default;
+
+drop database some_db;
+drop user foo;
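Review bot: The scenario that exercises the deny mask against global privileges alone is not covered: from `grant select, insert, update on *.* to foo;` onward the test only applies a global deny, so a database-level DENY competing with a global GRANT (where `sctx->master_access` already satisfies DB_ACLS and only the new `db_access&= ~deny_mask` masking can refuse access) is never checked. Earlier in the file the db-level deny is tested only while the user holds a db-level grant. Adding that case after the global grants, with a matching revoke so the later global-deny expectations stay independent, would pin the behaviour the sql_show.cc change introduces.
```sql
# … unchanged: global grants and first con1 block, up to "disconnect con1;" …
connection default;
deny all on some_db.* to foo;

--connect (con1,localhost,foo,,)
--error ER_DBACCESS_DENIED_ERROR
show create database some_db;
show create database mysql;
disconnect con1;

connection default;
revoke deny all on some_db.* from foo;
# … unchanged: global deny block and cleanup …
```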
diff --git a/sql/sql_show.cc b/sql/sql_show.cc
index 7bde0b03232..2d6acc1a07b 100644
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -1393,6 +1393,7 @@ bool mysqld_show_create_db(THD *thd, LEX_CSTRING *dbname,
#ifndef NO_EMBEDDED_ACCESS_CHECKS
Security_context *sctx= thd->security_ctx;
privilege_t db_access(NO_ACL);
+ privilege_t deny_mask= acl_get_effective_deny_mask(sctx, *dbname);
#endif
Schema_specification_st create;
Protocol *protocol=thd->protocol;
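Review bot: The `privilege_t deny_mask= acl_get_effective_deny_mask(sctx, *dbname);` line introduces the mask without a comment saying what rule it enforces, while the `// TODO(cvicentiu) Denies...` marker that used to flag the gap is dropped in the second sql_show.cc hunk; a one-liner at the declaration would carry the intent: `// Effective denies for this database; stripped from db_access below so a DENY wins over any matching GRANT.` That precedence is what the result file pins (grant references on some_db.*, then deny all on some_db.* → ER_DBACCESS_DENIED_ERROR). The third hunk (fill_schema_schemata) removes the `sctx->denies_active` guard that previously skipped this lookup, and this hunk never had one, so unless acl_get_effective_deny_mask short-circuits internally when no denies are active, every SHOW CREATE DATABASE now pays the lookup — worth confirming. mysqld_show_create_db starts before this hunk and continues past it.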
@@ -1405,9 +1406,9 @@ bool mysqld_show_create_db(THD *thd, LEX_CSTRING *dbname,
else
db_access= sctx->master_access |
acl_get_current_auth(sctx, dbname->str, false);
+ db_access&= ~deny_mask;
- // TODO(cvicentiu) Denies...
- if (!(db_access & DB_ACLS) && check_grant_db(sctx, dbname->str, NO_ACL))
+ if (!(db_access & DB_ACLS) && check_grant_db(sctx, dbname->str, deny_mask))
{
status_var_increment(thd->status_var.access_denied_errors);
my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
@@ -5432,9 +5433,7 @@ int fill_schema_schemata(THD *thd, TABLE_LIST *tables, COND *cond)
continue;
}
#ifndef NO_EMBEDDED_ACCESS_CHECKS
- privilege_t deny_mask= NO_ACL;
- if (sctx->denies_active)
- deny_mask= acl_get_effective_deny_mask(sctx, *db_name);
+ privilege_t deny_mask= acl_get_effective_deny_mask(sctx, *db_name);
if ((sctx->master_access & ~deny_mask) & (DB_ACLS | SHOW_DB_ACL) ||
(acl_get_current_auth(sctx, db_name->str, false) & ~deny_mask)||