Bug #20901: CREATE privilege is enough to insert into a table

CREATE TABLE IF NOT EXISTS ... SELECT let you insert into an existing
table as long as you had the CREATE privilege.  CREATE ... SELECT
variants now always require INSERT privilege on target table.
parent fa219200
...@@ -701,3 +701,41 @@ t2 CREATE TABLE `t2` ( ...@@ -701,3 +701,41 @@ t2 CREATE TABLE `t2` (
drop table t1, t2; drop table t1, t2;
create table t1(a set("a,b","c,d") not null); create table t1(a set("a,b","c,d") not null);
ERROR HY000: Illegal set 'a,b' value found during parsing ERROR HY000: Illegal set 'a,b' value found during parsing
create database mysqltest;
use mysqltest;
grant create on mysqltest.* to mysqltest@localhost;
create table t1 (i INT);
insert into t1 values (1);
ERROR 42000: Access denied for user 'mysqltest'@'localhost' to database 'mysqltest'
create table t2 (i INT);
create table t4 (i INT);
grant select, insert on mysqltest.t2 to mysqltest@localhost;
grant insert on mysqltest.t4 to mysqltest@localhost;
grant create, insert on mysqltest.t5 to mysqltest@localhost;
grant create, insert on mysqltest.t6 to mysqltest@localhost;
flush privileges;
insert into t2 values (1);
create table if not exists t1 select * from t2;
ERROR 42000: INSERT command denied to user 'mysqltest'@'localhost' for table 't1'
create table if not exists t3 select * from t2;
ERROR 42000: INSERT command denied to user 'mysqltest'@'localhost' for table 't3'
create table if not exists t4 select * from t2;
Warnings:
Note 1050 Table 't4' already exists
create table if not exists t5 select * from t2;
create table t6 select * from t2;
create table t7 select * from t2;
ERROR 42000: INSERT command denied to user 'mysqltest'@'localhost' for table 't7'
create table t4 select * from t2;
ERROR 42S01: Table 't4' already exists
create table t1 select * from t2;
ERROR 42000: INSERT command denied to user 'mysqltest'@'localhost' for table 't1'
drop table t1,t2,t4,t5,t6;
revoke create on mysqltest.* from mysqltest@localhost;
revoke select, insert on mysqltest.t2 from mysqltest@localhost;
revoke insert on mysqltest.t4 from mysqltest@localhost;
revoke create, insert on mysqltest.t5 from mysqltest@localhost;
revoke create, insert on mysqltest.t6 from mysqltest@localhost;
flush privileges;
drop database mysqltest;
use test;
...@@ -349,12 +349,12 @@ show grants for grant_user@localhost; ...@@ -349,12 +349,12 @@ show grants for grant_user@localhost;
Grants for grant_user@localhost Grants for grant_user@localhost
GRANT USAGE ON *.* TO 'grant_user'@'localhost' GRANT USAGE ON *.* TO 'grant_user'@'localhost'
GRANT INSERT (a, d, c, b) ON `test`.`t1` TO 'grant_user'@'localhost' GRANT INSERT (a, d, c, b) ON `test`.`t1` TO 'grant_user'@'localhost'
select Host,Db,User,Table_name,Column_name,Column_priv from mysql.columns_priv; select Host,Db,User,Table_name,Column_name,Column_priv from mysql.columns_priv order by Column_name;
Host Db User Table_name Column_name Column_priv Host Db User Table_name Column_name Column_priv
localhost test grant_user t1 b Insert
localhost test grant_user t1 d Insert
localhost test grant_user t1 a Insert localhost test grant_user t1 a Insert
localhost test grant_user t1 b Insert
localhost test grant_user t1 c Insert localhost test grant_user t1 c Insert
localhost test grant_user t1 d Insert
revoke ALL PRIVILEGES on t1 from grant_user@localhost; revoke ALL PRIVILEGES on t1 from grant_user@localhost;
show grants for grant_user@localhost; show grants for grant_user@localhost;
Grants for grant_user@localhost Grants for grant_user@localhost
...@@ -609,4 +609,80 @@ drop table t1, t2; ...@@ -609,4 +609,80 @@ drop table t1, t2;
--error 1105 --error 1105
create table t1(a set("a,b","c,d") not null); create table t1(a set("a,b","c,d") not null);
#
# Bug #20901 - CREATE privilege is enough to insert into a table
#
create database mysqltest;
use mysqltest;
grant create on mysqltest.* to mysqltest@localhost;
create table t1 (i INT);
connect (user1,localhost,mysqltest,,mysqltest);
connection user1;
# show we don't have INSERT
--error 1044
insert into t1 values (1);
# show we have CREATE
create table t2 (i INT);
create table t4 (i INT);
connection default;
grant select, insert on mysqltest.t2 to mysqltest@localhost;
grant insert on mysqltest.t4 to mysqltest@localhost;
# to specify ACLs for non-existent objects, must explictly |CREATE
grant create, insert on mysqltest.t5 to mysqltest@localhost;
grant create, insert on mysqltest.t6 to mysqltest@localhost;
flush privileges;
connection user1;
insert into t2 values (1);
# CREATE IF NOT EXISTS...SELECT, t1 exists, no INSERT, must fail
--error 1142
create table if not exists t1 select * from t2;
# CREATE IF NOT EXISTS...SELECT, no t3 yet, no INSERT, must fail
--error 1142
create table if not exists t3 select * from t2;
# CREATE IF NOT EXISTS...SELECT, t4 exists, have INSERT, must succeed
create table if not exists t4 select * from t2;
# CREATE IF NOT EXISTS...SELECT, no t5 yet, have INSERT, must succeed
create table if not exists t5 select * from t2;
# CREATE...SELECT, no t6 yet, have INSERT, must succeed
create table t6 select * from t2;
# CREATE...SELECT, no t7 yet, no INSERT, must fail
--error 1142
create table t7 select * from t2;
# CREATE...SELECT, t4 exists, have INSERT, must still fail (exists)
--error 1050
create table t4 select * from t2;
# CREATE...SELECT, t1 exists, no INSERT, must fail
--error 1142
create table t1 select * from t2;
connection default;
drop table t1,t2,t4,t5,t6;
revoke create on mysqltest.* from mysqltest@localhost;
revoke select, insert on mysqltest.t2 from mysqltest@localhost;
revoke insert on mysqltest.t4 from mysqltest@localhost;
revoke create, insert on mysqltest.t5 from mysqltest@localhost;
revoke create, insert on mysqltest.t6 from mysqltest@localhost;
flush privileges;
disconnect user1;
drop database mysqltest;
use test;
# End of 4.1 tests # End of 4.1 tests
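Review bot: The new cases never exercise the CREATE TEMPORARY TABLE ... SELECT form, although the server-side check they cover ORs INSERT_ACL onto CREATE_TMP_ACL as well as CREATE_ACL, so the temporary-table branch of the fix is unverified by this test. A case after the t7 check that first does `grant create temporary tables on mysqltest.* to mysqltest@localhost;` and then, as user1, runs `create temporary table t8 select * from t2;` with no INSERT grant on t8 (expected to fail with the same INSERT-denied error, which is worth confirming against the server), plus a positive counterpart with an INSERT grant, would close that gap. Every positive case here also grants INSERT at table level, so the database-level path (INSERT on mysqltest.*) is not covered either. Finally, the comment above the t5/t6 grants reads `explictly`; `explicitly` is intended.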
...@@ -296,7 +296,7 @@ DROP DATABASE testdb10; ...@@ -296,7 +296,7 @@ DROP DATABASE testdb10;
create table t1(a int, b int, c int, d int); create table t1(a int, b int, c int, d int);
grant insert(b), insert(c), insert(d), insert(a) on t1 to grant_user@localhost; grant insert(b), insert(c), insert(d), insert(a) on t1 to grant_user@localhost;
show grants for grant_user@localhost; show grants for grant_user@localhost;
select Host,Db,User,Table_name,Column_name,Column_priv from mysql.columns_priv; select Host,Db,User,Table_name,Column_name,Column_priv from mysql.columns_priv order by Column_name;
revoke ALL PRIVILEGES on t1 from grant_user@localhost; revoke ALL PRIVILEGES on t1 from grant_user@localhost;
show grants for grant_user@localhost; show grants for grant_user@localhost;
select Host,Db,User,Table_name,Column_name,Column_priv from mysql.columns_priv; select Host,Db,User,Table_name,Column_name,Column_priv from mysql.columns_priv;
...@@ -5832,8 +5832,15 @@ int create_table_precheck(THD *thd, TABLE_LIST *tables, ...@@ -5832,8 +5832,15 @@ int create_table_precheck(THD *thd, TABLE_LIST *tables,
int error= 1; // Error message is given int error= 1; // Error message is given
DBUG_ENTER("create_table_precheck"); DBUG_ENTER("create_table_precheck");
/*
Require CREATE [TEMPORARY] privilege on new table; for
CREATE TABLE ... SELECT, also require INSERT.
*/
want_priv= ((lex->create_info.options & HA_LEX_CREATE_TMP_TABLE) ? want_priv= ((lex->create_info.options & HA_LEX_CREATE_TMP_TABLE) ?
CREATE_TMP_ACL : CREATE_ACL); CREATE_TMP_ACL : CREATE_ACL) |
(select_lex->item_list.elements ? INSERT_ACL : 0);
if (check_access(thd, want_priv, create_table->db, if (check_access(thd, want_priv, create_table->db,
&create_table->grant.privilege, 0, 0) || &create_table->grant.privilege, 0, 0) ||
check_merge_table_access(thd, create_table->db, check_merge_table_access(thd, create_table->db,
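Review bot: The predicate on the added third line of the assignment, `select_lex->item_list.elements ? INSERT_ACL : 0`, is the only thing that tells the CREATE ... SELECT form apart from a plain CREATE TABLE, and nothing at that line says so; a comment such as `/* non-empty select list => CREATE ... SELECT: rows are written, so INSERT is needed too */` would keep the intent from being lost in a later edit. Whether `select_lex` is the statement's top-level SELECT_LEX is not visible here (it is presumably set up earlier in create_table_precheck, whose start is outside the hunk); if it could ever refer to a nested select, the element count would describe the wrong list, so that is worth confirming. The check_access call that follows is made with create_table->db, i.e. at database scope; the per-table INSERT denial the test's t7 case relies on must therefore come from a later table-grant check outside this hunk, which the visible lines require but do not show.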