https://bugs.documentfoundation.org/show_bug.cgi?id=163370
Bug ID: 163370
Summary: MySQL / MariaDB direct database connection with
generic user privileges is a security breach
Product: LibreOffice
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: Base
Assignee: [email protected]
Reporter: [email protected]
Created attachment 196992
--> https://bugs.documentfoundation.org/attachment.cgi?id=196992&action=edit
MariaDB databases for a connection with all user privileges
1. Database Wizard
2. connect to an existing database: MySQL/MariaDB
3. connect directly
4. server data:
database name: microresto (can be any...)
server: localhost
5. user name / authentication:
I use a user with global privileges, connection is ok
6. Database is registered and opened, saved as MicroResto_with_all_rights.odb
7. in the tables ALL MariaDB databases are shown, even those having nothing to
do with the project.
8. all of them can be edited, deleted, whatever!
9. the tables are shown exactly according to the user privileges of the
database
10. anyone with BASE installed can change ALL THE DATABASES, even the system
tables, if he knows the root login or another admin login with enough
privileges.
11. the only remedy is to set up specific user rights for one specific database
and use these for the connection - this is the only way to show only the
specific database and its tables.
12. why is the database name requested in step 4 when the user privileges
supersede everything?
13. ONLY the Database Name selected in step 4 should be accessed by BASE and
NOTHING ELSE!
14. this is a security breach par excellence (in my opinion).
15. the hint how to set up only the connection for one specific database should
be shown in the database wizard
screenshot attached
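The remedy named in step 11, sketched as an added example (not part of the original report and not LibreOffice code): audit which accounts hold global privileges, then create an account scoped to the one schema and verify its grants before using it in the Base wizard. The account name microresto_app, the host, the password placeholder and the chosen privilege set are assumptions; the schema name microresto is the one from step 4.

```sql
-- Added example. Run as an administrative account in the mariadb/mysql client.
-- 'microresto_app' and the password placeholder are constructed for illustration.

-- 1. Audit: accounts with global (*.*) privileges. Any of these, used for a
--    direct Base connection, exposes every schema the server hosts.
SELECT GRANTEE,
       GROUP_CONCAT(PRIVILEGE_TYPE ORDER BY PRIVILEGE_TYPE) AS global_privs
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE <> 'USAGE'          -- USAGE means "no privileges"
GROUP BY GRANTEE;

-- 2. Dedicated account for the Base document, local connections only.
CREATE USER 'microresto_app'@'localhost'
    IDENTIFIED BY '<replace-with-a-strong-password>';

-- 3. Data privileges on the project schema only. No global grant, no
--    GRANT OPTION, no DDL (add CREATE/ALTER/DROP only if Base must manage tables).
GRANT SELECT, INSERT, UPDATE, DELETE
    ON microresto.*
    TO 'microresto_app'@'localhost';

-- 4. Verify: the account should show USAGE on *.* plus the microresto grant.
SHOW GRANTS FOR 'microresto_app'@'localhost';

-- 5. Cross-check: the only schema listed for this grantee should be microresto.
--    GRANTEE is stored with its quotes, hence the doubled single quotes.
SELECT TABLE_SCHEMA, PRIVILEGE_TYPE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE GRANTEE = '''microresto_app''@''localhost''';

-- 6. The audit in step 1 must not list the new account.
SELECT COUNT(*) AS global_privs_for_app
FROM information_schema.USER_PRIVILEGES
WHERE GRANTEE = '''microresto_app''@''localhost'''
  AND PRIVILEGE_TYPE <> 'USAGE';
```

Connecting Base with this account in step 5 of the wizard limits the table list to microresto; information_schema stays visible to every account but only describes objects that account can access.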