Comments on: MySQL security tasks easily solved with common_schema

By: Which accounts can access this data? | Todd's MySQL Blog

Which accounts can access this data? | Todd's MySQL Blog — Wed, 16 Dec 2015 22:16:18 +0000

[…] can surprise even seasoned MySQL veterans, but the privilege system allows wildcard values in defining which databases users have access to, […]

By: common_schema: MySQL Security // RLASKEY::words

common_schema: MySQL Security // RLASKEY::words — Thu, 17 Jan 2013 20:53:44 +0000

[…] from Shlomi Noach. Very cool set of functions to audit your MySQL users and grants. It’s worth installing on your DB and running once or twice. It’s very easy to do, as you only need to download and import the SQL file, which creates its DB with various functions and views. […]

By: shlomi

shlomi — Thu, 17 Jan 2013 13:42:23 +0000

@joe, @Mrten

Thank you for pointing this out. I am shocked to find this in the documentation:

“The “_” and “%” wildcards are permitted when specifying database names in GRANT statements that grant privileges at the global or database levels. This means, for example, that if you want to use a “_” character as part of a database name, you should specify it as “\_” in the GRANT statement, to prevent the user from being able to access additional databases matching the wildcard pattern; for example, GRANT … ON `foo\_bar`.* TO ”

News to me.

The current code The code proposed in this post does not use “\_”, and in this respect @Mrten’s warning is irrelevant. But since I will have to fix the code, the warning WILL become relevant in future code. Also, this means a search would have to take place using LIKE instead of “=”.
Will update in common_schema.

By: Joe

Joe — Thu, 17 Jan 2013 13:23:07 +0000

I am not sure if it is a problem, but what @Mrten is trying to say is this.

root@mysql-5.1.51> create database a_b;

root@mysql-5.1.51> create database acb;

root@mysql-5.1.51> grant all privileges on a_b.* to ‘shu’@localhost;

Which schema would ‘shu’@localhost have access to? Both.

If you want the user to only have access to a_b you would have to do the following.

root@mysql-5.1.51> grant all privileges on a\_b.* to ‘shu’@localhost;

By: shlomi

shlomi — Thu, 17 Jan 2013 11:33:28 +0000

@Mrten, I'm sorry, I do not follow. See following: where's the problem with "_"?

root@mysql-5.1.51> create database a_b;

root@mysql-5.1.51> grant all privileges on a_b.* to 'shu'@localhost;

root@mysql-5.1.51> select * from sql_grants where user='shu' \G
*************************** 1. row ***************************
           GRANTEE: 'shu'@'localhost'
              user: shu
              host: localhost
        priv_level: *.*
   priv_level_name: user
     object_schema: NULL
       object_name: NULL
current_privileges: USAGE
      IS_GRANTABLE: NO
         sql_grant: GRANT USAGE ON *.* TO 'shu'@'localhost' IDENTIFIED BY PASSWORD ''
        sql_revoke:
     sql_drop_user: DROP USER 'shu'@'localhost'
*************************** 2. row ***************************
           GRANTEE: 'shu'@'localhost'
              user: shu
              host: localhost
        priv_level: `a_b`.*
   priv_level_name: schema
     object_schema: NULL
       object_name: a_b
current_privileges: ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, INDEX, INSERT, LOCK TABLES, REFERENCES, SELECT, SHOW VIEW, TRIGGER, UPDATE
      IS_GRANTABLE: NO
         sql_grant: GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, INDEX, INSERT, LOCK TABLES, REFERENCES, SELECT, SHOW VIEW, TRIGGER, UPDATE ON `a_b`.* TO 'shu'@'localhost'
        sql_revoke: REVOKE ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, INDEX, INSERT, LOCK TABLES, REFERENCES, SELECT, SHOW VIEW, TRIGGER, UPDATE ON `a_b`.* FROM 'shu'@'localhost'
     sql_drop_user: DROP USER 'shu'@'localhost'
2 rows in set (0.01 sec)

root@mysql-5.1.51> select * from information_schema.schemata;
+--------------+--------------------+----------------------------+------------------------+----------+
| CATALOG_NAME | SCHEMA_NAME        | DEFAULT_CHARACTER_SET_NAME | DEFAULT_COLLATION_NAME | SQL_PATH |
+--------------+--------------------+----------------------------+------------------------+----------+
| NULL         | a_b                | utf8                       | utf8_general_ci        | NULL     |
...
+--------------+--------------------+----------------------------+------------------------+----------+
16 rows in set (0.00 sec)

By: Mrten

Mrten — Thu, 17 Jan 2013 11:27:33 +0000

Be careful with tables that have a _ in the name (mysql 5.1 here), they’ll show up because the name does not match (it has a \ in front of the _).

REVOKE [….] ON `it\_test`.* FROM […]

Do a dry run!

By: Mrten

Mrten — Thu, 17 Jan 2013 11:27:16 +0000

Be careful with tables that have a _ in the name (mysql 5.1 here), they’ll show up because the name does not match (it has a \ in front of the _).

REVOKE [….] ON `it\_test`.* FROM […]