Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-36399

SET SESSION AUTHORIZATION allows an unrpivileged user to bypass resource limits

    XMLWordPrintable

Details

    Description

      According to the specification of MDEV-20299,
      a) any user can do SET SESSION AUTHORIZATION to their own account; and
      b) it'll bypass account lock, expired password, authentication, REQUIRE SSL checks, etc.

      For the items explicitly listed in (b) one can say that if the user is already logged in, it doesn't matter; but currently "etc" also involves resource limits (e.g. MAX_QUERIES_PER_HOUR). It makes the limits meaningless, because the user can always get around them by doing SET SESSION AUTHORIZATION while still within the limits, and then enjoying the unlimited plan.

      I don't see how it can be justified by being able to do the same via SP, because such users may not have permissions to create/execute SPs.

      CREATE USER goodguy WITH MAX_QUERIES_PER_HOUR 2;
      		 
      CREATE USER cheater WITH MAX_QUERIES_PER_HOUR 2;
      		 
      --connect (con1,localhost,goodguy,,)
      		 
      SELECT 1 AS goodguy_1;
      		 
      SELECT 2 AS goodguy_2;
      		 
      --error ER_USER_LIMIT_REACHED
      		 
      SELECT 3 AS goodguy_3;
      		 
      --disconnect con1
      		 
      --connect (con1,localhost,cheater,,)
      		 
       
      		 
      SET SESSION AUTHORIZATION cheater@localhost;
      		 
      SELECT 1 AS cheater_1;
      		 
      SELECT 2 AS cheater_2;
      		 
      --echo # Now it should start failing, but it works
      		 
      SELECT 3 AS cheater_3;
      		 
      SELECT 4 AS cheater_4;
      		 
      --disconnect con1
      		 
       
      		 
      --connection default
      		 
      DROP USER goodguy;
      		 
      DROP USER cheater;

      d4c600f804af677ac3177497b3770dbd67c448f7

      		 
      SELECT 1 AS goodguy_1;
      		 
      goodguy_1
      		 
      1
      		 
      SELECT 2 AS goodguy_2;
      		 
      goodguy_2
      		 
      2
      		 
      SELECT 3 AS goodguy_3;
      		 
      ERROR 42000: User 'goodguy' has exceeded the 'max_queries_per_hour' resource (current value: 2)
      		 
      disconnect con1;
      		 
      connect  con1,localhost,cheater,,;
      		 
      SET SESSION AUTHORIZATION cheater@localhost;
      		 
      SELECT 1 AS cheater_1;
      		 
      cheater_1
      		 
      1
      		 
      SELECT 2 AS cheater_2;
      		 
      cheater_2
      		 
      2
      		 
      # Now it should start failing, but it works
      		 
      SELECT 3 AS cheater_3;
      		 
      cheater_3
      		 
      3
      		 
      SELECT 4 AS cheater_4;
      		 
      cheater_4
      		 
      4

      Attachments

        Issue Links

          is caused by

          New Feature - A new feature of the product, which has yet to be developed. MDEV-20299 SET SESSION AUTHORIZATION

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              serg Sergei Golubchik
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.