• Developer Zone
• Lists Home
• FAQ

>>>>> "Viktor" == Viktor Fougstedt <viktor@stripped> writes:

Viktor> On Mon, 10 Jan 2000, Viktor Fougstedt wrote:
>> > Only users with global root privileges, which means MySQL root
>> > privileges, not Unix root privileges, can change passwords of other
>> > users !!
>> > 

Viktor> Hi!

Viktor> Just thought I'd add that I just downloaded a fresh source-dist of
Viktor> mysql-3.23.8, set up the database, and set a password for root. 

Viktor> In this fresh installation without any modifications, root@localhost's
Viktor> password was easily changed by user 'test', through issuing a GRANT
Viktor> with a IDENTIFIED BY-clause:

Viktor> palver(56)> bin/mysql -u test -p 
Viktor> Enter password: 
Viktor> Welcome to the MySQL monitor.  Commands end with ; or \g.
Viktor> Your MySQL connection id is 5 to server version: 3.23.8-alpha

Viktor> Type 'help' for help.

mysql> grant select on test.* to root@localhost identified by 'apa';
Viktor> Query OK, 0 rows affected (0.00 sec)

mysql> quit
Viktor> Bye

Viktor> After this, root@localhost has the mysql password 'apa'. Before
Viktor> executing the above statement, root@localhost had mysql password
Viktor> 'pelle'. I have not assigned any rights to user 'test'.

Viktor> Can someone confirm that I'm not just seeing things? :-) Does this
Viktor> work anywhere else as well?

Viktor> The problem _seems_ to be (although I'm _far_ to unknowleged about
Viktor> mysql internals to be able to say for sure) that GRANT does not
Viktor> properly check identities before updating passwords when a IDENTIFIED
Viktor> BY is given in the GRANT.

Hi!

Yes, this seems to be a fatal bug in the MySQL GRANT handling;  I will change
this at once and make a new release!  Thanks for reporting this!

Only users with update privilege to the mysql database should be able to
make a GRANT + IDENTIFIED BY command on someone else

I strongly recommend everyone to remove GRANT privilege for all users,
except root, until this is fixed!

The following patch will fix this for MySQL 3.22 and 3.23!

*** /my/monty/master/mysql-3.23.8-alpha/sql/sql_parse.cc	Fri Dec 31 13:53:03 1999
--- ./sql_parse.cc	Mon Jan 10 21:53:59 2000
***************
*** 1222,1227 ****
--- 1222,1246 ----
  		      tables ? &tables->grant.privilege : 0,
  		      tables ? 0 : 1))
         goto error;
+ 
+      /* Check that the user isn't trying to change a password for another
+ 	user if he doesn't have UPDATE privilege to the MySQL database */
+ 
+      List_iterator <LEX_USER> user_list(lex->users_list);
+      LEX_USER *user;
+      while ((user=user_list++))
+      {
+        if (user->password.str &&
+ 	   (strcmp(thd->user,user->user.str) ||
+ 	    user->host.str && my_strcasecmp(user->host.str,
+ 					    thd->host ? thd->host : thd->ip)))
+        {
+ 	 if (check_access(thd, UPDATE_ACL, "mysql",0,1))
+ 	   goto error;
+ 	 break;					// We are allowed to do changes
+        }
+      }
+ 
       if (tables)
       {
         if (grant_option && check_grant(thd,


Regards,
Monty