List:General Discussion« Previous MessageNext Message »
From:Eric Braswell Date:July 28 2006 5:55pm
Subject:Re: MySQL lock tables - bug or not?
View as plain text  
I am not aware of any such bug related to the LOCK TABLES privilege. 
Like you I could not find a mention in our bugs database, for any version.

It is easy to demonstrate that this is not the case. If permissions are 
properly set up, LOCK TABLES can be restricted to a database just like 
every other priv (makes sense, of course!).

On 5.0.20:

mysql> grant select, insert, update, delete, lock tables on dl.* to 
'bar'@'localhost' identified by 'bar';

mysql> show grants for 'bar'@'localhost';
+------------------------------------------------------------------------------------------------------------+
| Grants for bar@localhost 
                                      |
+------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'bar'@'localhost' IDENTIFIED BY PASSWORD 
'*E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB' |
| GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES ON `dl`.* TO 
'bar'@'localhost'                           |
+------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)


mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dl                 |
+--------------------+
2 rows in set (0.00 sec)


-- 
Eric Braswell
Web Manager     MySQL AB
Cupertino, USA



James Harvard wrote:
> I'm using MySQL as the db for Drupal (PHP based CMS), on shared hosting. There are
> repeated errors because the db user does not have permission for LOCK TABLES, which Drupal
> uses.
> 
> The ISP says that they don't grant this permission because ...
> 
> "MySQL has a bug which allows users with GrantTables* the ability to view the
> Database names of all other databases on the server. Whilst the users can not see any
> other data, knowing the names of tables can facilitate attacks."
> 
> (* = I assume they meant 'Lock Tables')
> 
> However I can't find any mention of this in the bugs db, nor is it listed in the
> manual as a side effect of granting 'lock tables' permissions.
> 
> Does anyone know if it is a bug or not? Does anyone know whether LOCK TABLES really
> is a security risk in a shared server / multi-user environment?
> 
> TIA,
> James Harvard
> 


Thread
MySQL lock tables - bug or not?James Harvard28 Jul
  • Re: MySQL lock tables - bug or not?Eric Braswell28 Jul
    • Re: MySQL lock tables - bug or not?James Harvard30 Jul