MySQL Stored Routines are setuid By Default

By default, all views and stored routines in MySQL run with the privileges of the definer, not the invoker. This is equivalent to the setuid bit in Unix.

In the case where you need to provide execute permissions to stored routines (via EXECUTE) to a read-only user, it is possible to inadvertently give your read-only user the ability to modify data. If the user has access to a stored routine that modifies data, then the user will be able to modify data.

If you provide the optional attribute "SQL SECURITY INVOKER" when creating the view or routine, MySQL will honor the permissions of the caller, not the definer, and restore the expected security model.

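The scenario above, as an added example that is not part of the original comment: a read-only account is granted EXECUTE on two routines with identical bodies, one with the default DEFINER semantics and one with SQL SECURITY INVOKER, followed by a query to audit which routines on the server still run as their definer. The schema, table, user and routine names are assumed for illustration, and the script is meant to be run by an administrative account, which becomes the DEFINER.

```sql
-- Added example (not from the original comment). Names below are assumed.
CREATE DATABASE IF NOT EXISTS app;
USE app;
CREATE TABLE IF NOT EXISTS audit_log (
    id   INT AUTO_INCREMENT PRIMARY KEY,
    note VARCHAR(100) NOT NULL
);

-- The read-only account: SELECT only, no INSERT/UPDATE/DELETE anywhere.
CREATE USER IF NOT EXISTS 'reader'@'localhost' IDENTIFIED BY 'change-me';
GRANT SELECT ON app.* TO 'reader'@'localhost';

DELIMITER $$

-- Default behaviour: no SQL SECURITY clause means DEFINER, so the body runs
-- with the privileges of whoever created the routine (the setuid case).
-- The clause is written out here only to make the default visible.
CREATE PROCEDURE add_note_definer(IN p_note VARCHAR(100))
    SQL SECURITY DEFINER
BEGIN
    INSERT INTO audit_log (note) VALUES (p_note);
END $$

-- Hardened form: SQL SECURITY INVOKER makes MySQL check the caller's own
-- privileges for every statement in the body.
CREATE PROCEDURE add_note_invoker(IN p_note VARCHAR(100))
    SQL SECURITY INVOKER
BEGIN
    INSERT INTO audit_log (note) VALUES (p_note);
END $$

DELIMITER ;

-- EXECUTE is granted on both; only the routine's SQL SECURITY differs.
GRANT EXECUTE ON PROCEDURE app.add_note_definer TO 'reader'@'localhost';
GRANT EXECUTE ON PROCEDURE app.add_note_invoker TO 'reader'@'localhost';

-- When 'reader'@'localhost' runs these:
--   CALL add_note_definer('x');  -- the INSERT runs with the definer's rights,
--                                -- so the read-only account writes a row
--   CALL add_note_invoker('x');  -- the INSERT is checked against reader's
--                                -- own grants and is denied

-- Audit query for the defender: list every routine that still runs as
-- DEFINER, together with the account whose privileges it borrows.
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE, DEFINER, SECURITY_TYPE
FROM information_schema.ROUTINES
WHERE SECURITY_TYPE = 'DEFINER'
  AND ROUTINE_SCHEMA NOT IN ('mysql', 'sys')
ORDER BY ROUTINE_SCHEMA, ROUTINE_NAME;
```

Views accept the same SQL SECURITY clause in CREATE VIEW, and the corresponding audit column is SECURITY_TYPE in information_schema.VIEWS.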