New user wrongly given access permissions to databases

Hi Martin,

Thanks for your bug report. I agree. It looks like this could have security implications. I've added an OSSA task to the bug and marked it incomplete pending confirmation from a member of the Trove coresec team.

Looks like it is a valid trove issue that I was able to reproduce. The crux of the issue is that when renaming a mysql db user, the grants that are associated with the previous username are preserved, so when the owner of the instance creates a new user with the old name — this new user inherits the grants that existed previously.

Imo it's more of a minor bug that's a surprising corner case only for mysql, and less of a concerning security issue for a few reasons:
- You need to have access to the (valid) trove creds that created the instance, and the first user in order to create the second user.
- The previously created user needs to be renamed to a different user name.
- The second user MUST have the same name as the previously created user.

Considering the attack vector is quite unrealistic, we are willing to mark this bug public security and remove the OSSA task next wednesday (2014/10/29) unless someone raises a concern.

Yeah: I don't think that its a major bug either. Mind you, when I discussed it with the database people at work they were horrified...

Marking this bug public security and removing the OSSA task...

Whilst I agree that it might not be a major security bug, I'm somewhat surprised that you've marked this as a "won't fix". MySQL is probably the database that is most likely to be deployed (does it also affect MariaDB?) Although unlikely, having new users potentially granted the rights of older users is one of those edge cases that might cause a lot of pain if triggered :(

The security advisory task is marked "won't fix" but the bug is still open against Trove and triaged as "high" priority.

Ah: My misunderstanding. Apologies - and thanks for the clarification!

On 18 November 2014 11:23, Jeremy Stanley <email address hidden> wrote:

> The security advisory task is marked "won't fix" but the bug is still
> open against Trove and triaged as "high" priority.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1380880
>
> Title:
> New user wrongly given access permissions to databases
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ossa/+bug/1380880/+subscriptions
>

--
=================================================================

Martin Paulo, BSc.
Software Developer

Tel : +61-3-9434 2508 (Home)
Tel : 04 205 20339 (Mobile)
Site: http://www.thepaulofamily.net

"Nobody goes there any more. It's too crowded" - Yogi Berra.

same is the problem if u try to update the host for a give user and recreate the older combination of user and host.

the reason this problem is occurring is because in order to update a user's name or host we are updating the mysql.user table.
However for every database access there goes a record in mysq.db which is left behind when we are updating the user info in mysql.user.

So, basically the mysql.db also needs a cleanup while updating mysql.user for username or hostname.

Fix proposed to branch: master
Review: https://review.openstack.org/137942

Sushil, do you have an update on a fix for this?

Change abandoned by amrith (<email address hidden>) on branch: master
Review: https://review.openstack.org/137942
Reason: abandoning for inactivity. Please reinstate if you are still working on this and address earlier comments.

So a fix for a security hole (albeit a minor one) is being abandoned? Sad.

Reviewed: https://review.openstack.org/343920
Committed: https://git.openstack.org/cgit/openstack/trove/commit/?id=dc7ccce006980cc3b6c908eb381088f61b0d8a5d
Submitter: Jenkins
Branch: master

commit dc7ccce006980cc3b6c908eb381088f61b0d8a5d
Author: Petr Malik <email address hidden>
Date: Mon Jul 18 16:23:23 2016 -0400

    Use proper queries to update user properties

    Bug 1380880 occurs when a user gets renamed
    and another one gets created wit its original name.

    It turns out that the new user wrongly inherits
    access rights of the original user.

    MySQL guest currently updates user properties by
    changing fields in the internal 'mysql' database.

    This patch set replaces the UPDATE with more generic
    SET PASSWORD and RENAME statements that should work on
    all MySQL versions.

    We no longer need to transfer privileges on a user name/host
    change since the RENAME statement does it for us under the covers.

    As an additional benefit this solution is also fully compatible
    with MySQL 5.7 which has changed the definition of the
    internal 'user' table and the current code no longer works.

    Closes-Bug: 1380880
    Change-Id: I37fdec77184715ed889d8ea6d446282c98903258

This issue was fixed in the openstack/trove 6.0.0.0b3 development milestone.

This issue was fixed in the openstack/trove 6.0.0.0b3 development milestone.