Fix privilege checking for sequence

MDEV-13732 User with SELECT privilege can ALTER sequence
MariaDB · Feb 14, 2018 · 1fe9092 · 1fe9092
1 parent dc09f8f
commit 1fe9092
Show file tree

Hide file tree

Showing 3 changed files with 124 additions and 1 deletion.
diff --git a/mysql-test/suite/sql_sequence/grant.result b/mysql-test/suite/sql_sequence/grant.result
@@ -0,0 +1,60 @@
+SET @@SQL_MODE = REPLACE(@@SQL_MODE, 'NO_AUTO_CREATE_USER', '');
+create database mysqltest_1;
+use mysqltest_1;
+grant all on mysqltest_1.* to 'normal'@'%';
+grant select on mysqltest_1.* to 'read_only'@'%';
+grant select,insert on mysqltest_1.* to 'read_write'@'%';
+grant select,insert,alter on mysqltest_1.* to 'alter'@'%';
+grant alter on mysqltest_1.* to only_alter@'%';
+connect normal,localhost,normal,,mysqltest_1;
+connect read_only,localhost,read_only,,mysqltest_1;
+connect read_write,localhost,read_write,,mysqltest_1;
+connect alter,localhost,alter,,mysqltest_1;
+connect only_alter, localhost, only_alter,,mysqltest_1;
+connection normal;
+create sequence s1;
+select next value for s1;
+next value for s1
+1
+alter sequence s1 restart= 11;
+select * from s1;
+next_not_cached_value	minimum_value	maximum_value	start_value	increment	cache_size	cycle_option	cycle_count
+11	1	9223372036854775806	1	1	1000	0	0
+connection read_only;
+select next value for s1;
+ERROR 42000: INSERT command denied to user 'read_only'@'localhost' for table 's1'
+alter sequence s1 restart= 11;
+ERROR 42000: ALTER command denied to user 'read_only'@'localhost' for table 's1'
+select * from s1;
+next_not_cached_value	minimum_value	maximum_value	start_value	increment	cache_size	cycle_option	cycle_count
+11	1	9223372036854775806	1	1	1000	0	0
+connection read_write;
+select next value for s1;
+next value for s1
+11
+alter sequence s1 restart= 11;
+ERROR 42000: ALTER command denied to user 'read_write'@'localhost' for table 's1'
+select * from s1;
+next_not_cached_value	minimum_value	maximum_value	start_value	increment	cache_size	cycle_option	cycle_count
+1011	1	9223372036854775806	1	1	1000	0	0
+connection alter;
+select next value for s1;
+next value for s1
+12
+alter sequence s1 restart= 11;
+select * from s1;
+next_not_cached_value	minimum_value	maximum_value	start_value	increment	cache_size	cycle_option	cycle_count
+11	1	9223372036854775806	1	1	1000	0	0
+connection only_alter;
+select next value for s1;
+ERROR 42000: INSERT command denied to user 'only_alter'@'localhost' for table 's1'
+alter sequence s1 restart= 11;
+select * from s1;
+ERROR 42000: SELECT command denied to user 'only_alter'@'localhost' for table 's1'
+connection default;
+drop database mysqltest_1;
+drop user 'normal'@'%';
+drop user 'read_only'@'%';
+drop user 'read_write'@'%';
+drop user 'alter'@'%';
+drop user 'only_alter'@'%';
diff --git a/mysql-test/suite/sql_sequence/grant.test b/mysql-test/suite/sql_sequence/grant.test
@@ -0,0 +1,63 @@
+#
+# Test some grants with sequences
+# Note that replication.test also does some grant testing
+#
+
+SET @@SQL_MODE = REPLACE(@@SQL_MODE, 'NO_AUTO_CREATE_USER', '');
+create database mysqltest_1;
+use mysqltest_1;
+grant all on mysqltest_1.* to 'normal'@'%';
+grant select on mysqltest_1.* to 'read_only'@'%';
+grant select,insert on mysqltest_1.* to 'read_write'@'%';
+grant select,insert,alter on mysqltest_1.* to 'alter'@'%';
+grant alter on mysqltest_1.* to only_alter@'%';
+
+connect(normal,localhost,normal,,mysqltest_1);
+connect(read_only,localhost,read_only,,mysqltest_1);
+connect(read_write,localhost,read_write,,mysqltest_1);
+connect(alter,localhost,alter,,mysqltest_1);
+connect(only_alter, localhost, only_alter,,mysqltest_1);
+
+connection normal;
+create sequence s1;
+select next value for s1;
+alter sequence s1 restart= 11;
+select * from s1;
+
+connection read_only;
+--error ER_TABLEACCESS_DENIED_ERROR
+select next value for s1;
+--error ER_TABLEACCESS_DENIED_ERROR
+alter sequence s1 restart= 11;
+select * from s1;
+
+connection read_write;
+select next value for s1;
+--error ER_TABLEACCESS_DENIED_ERROR
+alter sequence s1 restart= 11;
+select * from s1;
+
+connection alter;
+select next value for s1;
+alter sequence s1 restart= 11;
+select * from s1;
+
+connection only_alter;
+--error ER_TABLEACCESS_DENIED_ERROR
+select next value for s1;
+alter sequence s1 restart= 11;
+--error ER_TABLEACCESS_DENIED_ERROR
+select * from s1;
+
+#
+# Cleanup
+#
+
+connection default;
+drop database mysqltest_1;
+drop user 'normal'@'%';
+drop user 'read_only'@'%';
+drop user 'read_write'@'%';
+drop user 'alter'@'%';
+drop user 'only_alter'@'%';
+
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -7603,7 +7603,7 @@ bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
     sctx= t_ref->security_ctx ? t_ref->security_ctx : thd->security_ctx;
     ulong orig_want_access= original_want_access;
 
-    if (t_ref->sequence)
+    if (t_ref->sequence && !(want_access & ~(INSERT_ACL | SELECT_ACL)))
     {
       /* We want to have either SELECT or INSERT rights to sequences depending
          on how they are accessed