I am not aware of any such bug related to the LOCK TABLES privilege. Like you, I could not find a mention in our bugs database, for any version.

It is easy to demonstrate that this is not the case. If permissions are properly set up, LOCK TABLES can be restricted to a database just like every other priv (makes sense, of course!).

On 5.0.20:

mysql> grant select, insert, update, delete, lock tables on dl.* to 'bar'@'localhost' identified by 'bar';

mysql> show grants for 'bar'@'localhost';
+------------------------------------------------------------------------------------------------------------+
| Grants for [EMAIL PROTECTED] |
+------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'bar'@'localhost' IDENTIFIED BY PASSWORD '*E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB' |
| GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES ON `dl`.* TO 'bar'@'localhost'                           |
+------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)


mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dl                 |
+--------------------+
2 rows in set (0.00 sec)


--
Eric Braswell
Web Manager     MySQL AB
Cupertino, USA



James Harvard wrote:
I'm using MySQL as the db for Drupal (PHP based CMS), on shared hosting. There 
are repeated errors because the db user does not have permission for LOCK 
TABLES, which Drupal uses.

The ISP says that they don't grant this permission because ...

"MySQL has a bug which allows users with GrantTables* the ability to view the 
Database names of all other databases on the server. Whilst the users can not see any 
other data, knowing the names of tables can facilitate attacks."

(* = I assume they meant 'Lock Tables')

However I can't find any mention of this in the bugs db, nor is it listed in 
the manual as a side effect of granting 'lock tables' permissions.

Does anyone know if it is a bug or not? Does anyone know whether LOCK TABLES 
really is a security risk in a shared server / multi-user environment?

TIA,
James Harvard
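
An added example, not part of either message above: a small check a hosting provider could run over `SHOW GRANTS` output to confirm that LOCK TABLES is scoped to one database, as in the demonstration, rather than granted on `*.*`. The function names, the watched-privilege list and the 'baz' account are assumptions made for this example; SHOW DATABASES is included because it is MySQL's global privilege for listing all database names.

```python
import re

# One line of SHOW GRANTS output: privilege list, scope, grantee.
# Assumes no column-level privilege lists such as "SELECT (col1, col2)".
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+"
    r"(?P<scope>(?:`[^`]*`|\*)\.(?:`[^`]*`|\*))\s+TO\s+"
    r"(?P<grantee>'[^']*'@'[^']*')",
    re.IGNORECASE,
)

# Privileges relevant to the question in this thread (list chosen for this example).
WATCHED = {"LOCK TABLES", "SHOW DATABASES", "ALL PRIVILEGES"}


def parse_grants(lines):
    """Return a list of (grantee, scope, set_of_privileges) tuples."""
    parsed = []
    for line in lines:
        m = GRANT_RE.search(line)
        if not m:
            continue  # table borders, headers, row counts
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        parsed.append((m.group("grantee"), m.group("scope").replace("`", ""), privs))
    return parsed


def global_scope_findings(lines):
    """Watched privileges granted on *.* instead of on a single database."""
    findings = []
    for grantee, scope, privs in parse_grants(lines):
        if scope == "*.*":
            findings.extend((grantee, p) for p in sorted(privs & WATCHED))
    return findings


# Grants as shown in the demonstration above (password hash omitted).
SCOPED = [
    "| GRANT USAGE ON *.* TO 'bar'@'localhost' |",
    "| GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES ON `dl`.* TO 'bar'@'localhost' |",
]
# Constructed contrast case: the same privilege granted server-wide.
TOO_BROAD = ["GRANT LOCK TABLES, SHOW DATABASES ON *.* TO 'baz'@'localhost'"]

if __name__ == "__main__":
    print(global_scope_findings(SCOPED))
    print(global_scope_findings(TOO_BROAD))
```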



