Re: MySQL lock tables - bug or not?

2006-07-30 Thread James Harvard
Thanks for your reply. I repeated your test with the same results on 4.1.21 
(database in question is on 4.1). I'll give the ISP another kick and see what 
they have to say.

So there's no other reason why an ISP might not want to grant LOCK TABLES in a 
shared hosting environment?

Thanks,
James

> I am not aware of any such bug related to the LOCK TABLES privilege. Like you 
> I could not find a mention in our bugs database, for any version.
>
> It is easy to demonstrate that this is not the case. If permissions are 
> properly set up, LOCK TABLES can be restricted to a database just like every 
> other priv (makes sense, of course!).

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]



MySQL lock tables - bug or not?

2006-07-28 Thread James Harvard
I'm using MySQL as the db for Drupal (PHP based CMS), on shared hosting. There 
are repeated errors because the db user does not have permission for LOCK 
TABLES, which Drupal uses.

The ISP says that they don't grant this permission because ...

MySQL has a bug which allows users with GrantTables* the ability to view the 
Database names of all other databases on the server. Whilst the users can not 
see any other data, knowing the names of tables can facilitate attacks.

(* = I assume they meant 'Lock Tables')

However I can't find any mention of this in the bugs db, nor is it listed in 
the manual as a side effect of granting 'lock tables' permissions.

Does anyone know if it is a bug or not? Does anyone know whether LOCK TABLES 
really is a security risk in a shared server / multi-user environment?

TIA,
James Harvard




Re: MySQL lock tables - bug or not?

2006-07-28 Thread Eric Braswell
I am not aware of any such bug related to the LOCK TABLES privilege. 
Like you I could not find a mention in our bugs database, for any version.


It is easy to demonstrate that this is not the case. If permissions are 
properly set up, LOCK TABLES can be restricted to a database just like 
every other priv (makes sense, of course!).


On 5.0.20:

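mysql> grant select, insert, update, delete, lock tables on dl.* to 'bar'@'localhost' identified by 'bar';


mysql> show grants for 'bar'@'localhost';
+------------------------------------------------------------------------------------------------------------+
| Grants for [EMAIL PROTECTED]                                                                               |
+------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'bar'@'localhost' IDENTIFIED BY PASSWORD '*E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB' |
| GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES ON `dl`.* TO 'bar'@'localhost'                           |
+------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)


mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dl                 |
+--------------------+
2 rows in set (0.00 sec)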


--
Eric Braswell
Web Manager MySQL AB
Cupertino, USA



James Harvard wrote:

> I'm using MySQL as the db for Drupal (PHP based CMS), on shared hosting. There 
> are repeated errors because the db user does not have permission for LOCK 
> TABLES, which Drupal uses.
>
> The ISP says that they don't grant this permission because ...
>
> MySQL has a bug which allows users with GrantTables* the ability to view the 
> Database names of all other databases on the server. Whilst the users can not see any 
> other data, knowing the names of tables can facilitate attacks.
>
> (* = I assume they meant 'Lock Tables')
>
> However I can't find any mention of this in the bugs db, nor is it listed in 
> the manual as a side effect of granting 'lock tables' permissions.
>
> Does anyone know if it is a bug or not? Does anyone know whether LOCK TABLES 
> really is a security risk in a shared server / multi-user environment?
>
> TIA,
> James Harvard





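An added example, not part of the original thread or written by any of its participants: an audit a shared-hosting administrator could run to confirm that LOCK TABLES is scoped per database, as in the 5.0.20 session above, rather than granted on *.*. The account 'tenant1'@'localhost' and the database tenant1_db are hypothetical names; the queries read the standard mysql.user and mysql.db grant tables and must be run from an administrative account.

```sql
-- Added example; 'tenant1'@'localhost' and tenant1_db are hypothetical.

-- 1. Accounts holding LOCK TABLES or SHOW DATABASES at the global (*.*)
--    level. A global grant applies to every database on the server, so on
--    a shared host tenant accounts should not appear in this result.
SELECT User, Host, Lock_tables_priv, Show_db_priv
FROM mysql.user
WHERE Lock_tables_priv = 'Y'
   OR Show_db_priv = 'Y'
ORDER BY User, Host;

-- 2. Accounts holding LOCK TABLES at database level, with the database
--    each grant is limited to. Each tenant should be listed only against
--    its own database(s).
SELECT User, Host, Db
FROM mysql.db
WHERE Lock_tables_priv = 'Y'
ORDER BY User, Host, Db;

-- 3. Tenants whose database-level grants span more than one database,
--    for manual review.
SELECT User, Host, COUNT(*) AS db_count
FROM mysql.db
GROUP BY User, Host
HAVING COUNT(*) > 1
ORDER BY db_count DESC;

-- 4. Correcting an account found by query 1: drop the global grants and
--    re-grant LOCK TABLES on the tenant's own database only.
REVOKE LOCK TABLES, SHOW DATABASES ON *.* FROM 'tenant1'@'localhost';
GRANT LOCK TABLES ON `tenant1_db`.* TO 'tenant1'@'localhost';

-- 5. Verify: expect GRANT USAGE ON *.* plus grants on `tenant1_db`.* only.
SHOW GRANTS FOR 'tenant1'@'localhost';
```

Running SHOW DATABASES while logged in as the tenant account, as in the session above, is the end-to-end check that only its own database and information_schema are listed.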