Bug 163370 - MySQL / MariaDB direct database connection with generic user privileges is a security breach
Status: RESOLVED INVALID
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Base
Version (earliest affected): 24.8.2.1 release
Hardware: x86-64 (AMD64) Windows (All)
Importance: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2024-10-10 03:08 UTC by A.v.Essen
Modified: 2024-10-22 15:10 UTC
CC List: 3 users

See Also:
Crash report or crash signature:


Attachments
MariaDB databases for a connection with all user privileges (8.11 KB, image/jpeg)
2024-10-10 03:08 UTC, A.v.Essen

Description A.v.Essen 2024-10-10 03:08:49 UTC
Created attachment 196992
MariaDB databases for a connection with all user privileges

1. Database Wizard
2. connect to an existing database: MySQL/MariaDB
3. connect directly
4. server data: 
   database name: microresto (can be any...)
   server: localhost
5. user name / authentication:
   I use a user with global privileges, connection is ok
6. Database is registered and opened, saved as MicroResto_with_all_rights.odb
7. in the tables ALL MariaDB databases are shown, even those having nothing to do with the project.
8. all of them can be edited, deleted, whatever!
9. the tables are shown exactly according to the user privileges of the database
10. anyone with BASE installed can change ALL THE DATABASES, even the system tables, if he knows the root login or another admin login with enough privileges.
11. the only remedy is to set up specific user rights for one specific database and use these for the connection - this is the only way to show only the specific database and its tables.
12. why is the database name requested in step 4 when the user privileges supersede everything?
13. ONLY the Database Name selected in step 4 should be accessed by BASE and NOTHING ELSE!
14. this is a security breach par excellence (in my opinion).
15. the hint on how to set up the connection for only one specific database should be shown in the database wizard

screenshot attached
Comment 1 Robert Großkopf 2024-10-10 06:00:53 UTC
The connector shows all databases the user is allowed to see by the database. Have just tested with different users here. 
One only allowed to write and read in 2 databases - only these 2 databases will be shown in Base.
Next allowed to write to 6 databases. These databases will be shown in Base.

It is the same behavior, for example, in phpMyAdmin.

If you don't want a user to connect to, read, write and delete in any database, you have to change it in MariaDB/MySQL. This couldn't be changed in a driver, which only connects to the database and shows these allowed databases.

You could set the table filter in Tools → Table Filter. So the chosen tables won't be shown. But the databases you could connect to as the special user will be shown.
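The remedy described in point 11 of the report and in comment 1 (scope the account's privileges to one schema on the server side) as an added worked example in MariaDB/MySQL SQL. This is not code from the bug report or from LibreOffice; the schema name `microresto` is taken from the report, while the account names `base_admin`, `microresto_app`, `microresto_ro` and the placeholder passwords are assumptions for illustration. Run it as an administrative account on a test server.

```sql
-- Added example, not from the bug report or LibreOffice.
-- Assumed names: schema microresto (from the report), accounts base_admin,
-- microresto_app, microresto_ro and their placeholder passwords.

-- 1. The situation in the report: an account with global privileges.
--    Connected through Base, every schema on the server (system schemas
--    included) is listed and editable, whatever "database name" the
--    wizard was given.
CREATE USER IF NOT EXISTS 'base_admin'@'localhost' IDENTIFIED BY 'ChangeMe-1';
GRANT ALL PRIVILEGES ON *.* TO 'base_admin'@'localhost';

-- 2. The remedy from comment 1: privileges limited to the one project schema.
--    No global privileges at all, so other schemas are neither listed nor
--    reachable through this account.
CREATE USER IF NOT EXISTS 'microresto_app'@'localhost' IDENTIFIED BY 'ChangeMe-2';
GRANT SELECT, INSERT, UPDATE, DELETE ON `microresto`.* TO 'microresto_app'@'localhost';

-- 3. A read-only variant for people who only need to look at the data.
CREATE USER IF NOT EXISTS 'microresto_ro'@'localhost' IDENTIFIED BY 'ChangeMe-3';
GRANT SELECT ON `microresto`.* TO 'microresto_ro'@'localhost';

-- 4. Check what each account was granted (run as the administrator).
SHOW GRANTS FOR 'base_admin'@'localhost';
SHOW GRANTS FOR 'microresto_app'@'localhost';
SHOW GRANTS FOR 'microresto_ro'@'localhost';

-- 5. Check what the Base connector will list. Connect as microresto_app
--    (or microresto_ro) and run the following: only information_schema
--    and microresto come back, because SHOW DATABASES and
--    information_schema.SCHEMATA only return schemas the account has
--    some privilege on (unless it holds the global SHOW DATABASES right).
SHOW DATABASES;
SELECT SCHEMA_NAME FROM information_schema.SCHEMATA;
```

Use the scoped account (step 2 or 3) in the Base wizard instead of the global one; the table filter mentioned in comment 1 only hides tables in the Base UI, it does not remove the privilege, so it is not a substitute for the server-side grant.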
Comment 2 Buovjaga 2024-10-10 06:49:55 UTC
Closing per last comment.
Comment 3 Alex Thurgood 2024-10-22 15:10:43 UTC
Pretty certain that this was a duplicate anyway. The behaviour was discussed in a previous bug report.