By default, all views and stored routines in MySQL run with the privileges of the definer, not the invoker. This is equivalent to the setuid bit in Unix.
If you need to grant a read-only user permission to run stored routines (via EXECUTE), it is possible to inadvertently give that user the ability to modify data. If the user has access to a stored routine that modifies data, then the user will be able to modify data.
If you provide the optional attribute "SQL SECURITY INVOKER" when creating the view or routine, MySQL will honor the permissions of the caller, not the definer, and restore the expected security model.
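
The behaviour and the fix described above, as an added example that is not from the original post. The `demo` schema, `accounts` table, `close_account` procedure, `report_ro` account and its password are hypothetical names chosen for illustration; run the setup as an administrative account.

```sql
-- Setup (as an admin account): a table and a routine that modifies it.
CREATE DATABASE IF NOT EXISTS demo;
CREATE TABLE demo.accounts (id INT PRIMARY KEY, active TINYINT NOT NULL DEFAULT 1);
INSERT INTO demo.accounts (id) VALUES (1), (2);

-- No SQL SECURITY clause, so MySQL uses the default: SQL SECURITY DEFINER.
CREATE PROCEDURE demo.close_account(IN p_id INT)
    UPDATE demo.accounts SET active = 0 WHERE id = p_id;

-- A "read-only" account: SELECT on the data, plus EXECUTE for routines.
CREATE USER 'report_ro'@'localhost' IDENTIFIED BY 'placeholder-change-me';
GRANT SELECT, EXECUTE ON demo.* TO 'report_ro'@'localhost';

-- Connected as report_ro:
--   UPDATE demo.accounts SET active = 0 WHERE id = 1;   -- rejected, no UPDATE privilege
--   CALL demo.close_account(1);                         -- runs as the definer, row is changed

-- Fix (as admin): make the routine check the caller's privileges instead.
ALTER PROCEDURE demo.close_account SQL SECURITY INVOKER;

-- Connected as report_ro again:
--   CALL demo.close_account(2);   -- the UPDATE is now checked against report_ro and rejected

-- Audit: list routines and views that still run with definer privileges.
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE, DEFINER
  FROM information_schema.ROUTINES
 WHERE SECURITY_TYPE = 'DEFINER'
   AND ROUTINE_SCHEMA NOT IN ('mysql', 'sys');

SELECT TABLE_SCHEMA, TABLE_NAME, DEFINER
  FROM information_schema.VIEWS
 WHERE SECURITY_TYPE = 'DEFINER'
   AND TABLE_SCHEMA NOT IN ('mysql', 'sys');

-- Confirm what the read-only account can actually reach.
SHOW GRANTS FOR 'report_ro'@'localhost';
```

Reviewing the audit output alongside the grants shows which definer-privileged objects a user holding EXECUTE or SELECT can reach.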