-
Shishir Jaiswal authored
DISPLAY PASSWORD HASH DESCRIPTION =========== As of now any user can view his password hash by executing SHOW CREATE USER. It should be viweable only if he has got enough privileges. ANALYSIS ======== append_user_new() generates the IDENTIFIED AS '<hash>' part of the output to SHOW CREATE USER. The user, if issues this statement for himself, should be able to view the password hash only if he can perform SELECT on mysql.user table. If he can't, he should see <secret> instead of password hash. FIX === We're now checking if or not the user is issuing the SHOW CREATE USER for himself in mysql_execute_command(). The same is captured in variable 'are_both_users_same' and passed to mysql_show_create_user(). If same, we now call check_table_access() to fetch privileges for the user and decide on if we need to hide the password or not. The same is captured in variable 'hide_password_hash'and passed to mysql_rewrite_create_alter_user() further to append_user_new() where we append either the hash or <secret> based on this variable. The bug was initially reported for both SHOW CREATE USER and SHOW GRANTS. This patch just deals with SHOW CREATE USER and not with the other. Reason being that SHOW GRANTS doesn't show the reported issue till 5.6 (as seen in matrix below) and from 5.7+ the IDENTIFIED BY PASSWORD clause was removed from it altogether. SELF OTHERS Access level [star].[star] hash hash mysql.[star] <secret> <secret> mysql.user <secret> Access denied default <secret> Access denied NOTE TO THE DOCUMENTATION TEAM ============================== The doc page says, "The statement requires the SELECT privilege for the mysql database, except to display information for the current user." This still holds true as this patch changes nothing for the case when user attempts to perform SHOW CREATE USER <other_user>. With this patch in effect, the documentation should be extended as, "For current user, the statement IDENTIFIED AS clause displays password hash if he can perform SELECT on mysql.user table. If he can't he would see <secret> instead of password hash.Shishir Jaiswal authoredDISPLAY PASSWORD HASH DESCRIPTION =========== As of now any user can view his password hash by executing SHOW CREATE USER. It should be viweable only if he has got enough privileges. ANALYSIS ======== append_user_new() generates the IDENTIFIED AS '<hash>' part of the output to SHOW CREATE USER. The user, if issues this statement for himself, should be able to view the password hash only if he can perform SELECT on mysql.user table. If he can't, he should see <secret> instead of password hash. FIX === We're now checking if or not the user is issuing the SHOW CREATE USER for himself in mysql_execute_command(). The same is captured in variable 'are_both_users_same' and passed to mysql_show_create_user(). If same, we now call check_table_access() to fetch privileges for the user and decide on if we need to hide the password or not. The same is captured in variable 'hide_password_hash'and passed to mysql_rewrite_create_alter_user() further to append_user_new() where we append either the hash or <secret> based on this variable. The bug was initially reported for both SHOW CREATE USER and SHOW GRANTS. This patch just deals with SHOW CREATE USER and not with the other. Reason being that SHOW GRANTS doesn't show the reported issue till 5.6 (as seen in matrix below) and from 5.7+ the IDENTIFIED BY PASSWORD clause was removed from it altogether. SELF OTHERS Access level [star].[star] hash hash mysql.[star] <secret> <secret> mysql.user <secret> Access denied default <secret> Access denied NOTE TO THE DOCUMENTATION TEAM ============================== The doc page says, "The statement requires the SELECT privilege for the mysql database, except to display information for the current user." This still holds true as this patch changes nothing for the case when user attempts to perform SHOW CREATE USER <other_user>. With this patch in effect, the documentation should be extended as, "For current user, the statement IDENTIFIED AS clause displays password hash if he can perform SELECT on mysql.user table. If he can't he would see <secret> instead of password hash.
Loading