From 74b7ce9dcf93b1f37597ded6e6990d1e993a3b68 Mon Sep 17 00:00:00 2001
From: Robin Miller
Date: Tue, 5 May 2015 17:54:02 -0500
Subject: [PATCH 1/2] Only revoke actually granted permissions, not 'ALL'.

This prevents errors when the login_user does not have 'ALL' permissions, and the 'priv' value contains fewer permissions than are held by an existing user. This is particularly an issue when using an Amazon Web Services RDS instance, as there is no (accessible) user with 'ALL' permissions on *.*.
---
 database/mysql/mysql_user.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/database/mysql/mysql_user.py b/database/mysql/mysql_user.py
index ba5b6370f1b..824f2b47d3f 100644
--- a/database/mysql/mysql_user.py
+++ b/database/mysql/mysql_user.py
@@ -245,7 +245,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
 grant_option = True
 if db_table not in new_priv:
 if user != "root" and "PROXY" not in priv and not append_privs:
- privileges_revoke(cursor, user,host,db_table,grant_option)
+ privileges_revoke(cursor, user,host,db_table,priv,grant_option)
 changed = True
 
 # If the user doesn't currently have any privileges on a db.table, then
@@ -262,7 +262,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
 priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
 if (len(priv_diff) > 0):
 if not append_privs:
- privileges_revoke(cursor, user,host,db_table,grant_option)
+ privileges_revoke(cursor, user,host,db_table,curr_priv[db_table],grant_option)
 privileges_grant(cursor, user,host,db_table,new_priv[db_table])
 changed = True
 
@@ -342,7 +342,7 @@ def privileges_unpack(priv):
 
 return output
 
-def privileges_revoke(cursor, user,host,db_table,grant_option):
+def privileges_revoke(cursor, user,host,db_table,priv,grant_option):
 # Escape '%' since mysql db.execute() uses a format string
 db_table = db_table.replace('%', '%%')
 if grant_option:
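Review bot: The `grant_option` argument on the new `privileges_revoke(cursor, user,host,db_table,priv,grant_option)` line is the flag set by the preceding `grant_option = True` (its condition is outside the hunk), and nothing visible ever resets it to False; if, as the `db_table`/`priv` names suggest, this sits inside a loop over the user's current grants, the flag stays True for every later table once any one table carried GRANT OPTION, so a `REVOKE GRANT OPTION` would be attempted on tables that never had it. The same sticky flag is passed again in the @@ -262 hunk. Deriving it per table, e.g. `grant_option = "GRANT" in priv` at the top of the loop body, would keep the revoke scoped to what was actually granted, which is the stated intent of this commit. The loop header is outside the hunk, so this needs confirming against it.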
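Review bot: `privileges_revoke` is handed the whole of `curr_priv[db_table]` even though `priv_diff` is a symmetric difference, so privileges present in both `curr_priv[db_table]` and `new_priv[db_table]` are revoked on this line only to be re-granted on the next; between the two statements the user transiently holds fewer privileges than either specification, and a failed grant leaves them there. Revoking only what is actually being removed — `to_revoke = [p for p in curr_priv[db_table] if p not in new_priv[db_table]]` — narrows that window, but it makes a GRANT/REQUIRESSL-only list reachable, so `privileges_revoke` would have to tolerate an empty privilege list before this is safe. The enclosing loop starts outside the hunk.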
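Review bot: The new `priv` parameter is inserted positionally in the middle of `privileges_revoke`'s signature and the function carries no docstring, so a reader has to find the two call sites (@@ -245 and @@ -262) to learn that it is the list of privilege names the user currently holds on `db_table`. A docstring such as `"""Revoke the privileges named in priv from user@host on db_table. GRANT and REQUIRESSL entries are skipped; GRANT OPTION is revoked first when grant_option is set."""` would pin that contract down. Any other caller still passing five positional arguments now fails with a TypeError rather than silently misbinding, which is the safer failure mode. The function body continues outside the hunk.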
@@ -350,7 +350,8 @@ def privileges_revoke(cursor, user,host,db_table,grant_option):
 query.append("FROM %s@%s")
 query = ' '.join(query)
 cursor.execute(query, (user, host))
- query = ["REVOKE ALL PRIVILEGES ON %s" % mysql_quote_identifier(db_table, 'table')]
+ priv_string = ",".join(filter(lambda x: x not in [ 'GRANT', 'REQUIRESSL' ], priv))
+ query = ["REVOKE %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
 query.append("FROM %s@%s")
 query = ' '.join(query)
 cursor.execute(query, (user, host))

From cda7a9be1592c82fd9c824185507d4ad3cbb5a5b Mon Sep 17 00:00:00 2001
From: Robin Miller
Date: Tue, 26 May 2015 12:36:46 -0500
Subject: [PATCH 2/2] Replaced lambda functions with list comprehensions.

---
 database/mysql/mysql_user.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/database/mysql/mysql_user.py b/database/mysql/mysql_user.py
index 824f2b47d3f..afebd0a00c3 100644
--- a/database/mysql/mysql_user.py
+++ b/database/mysql/mysql_user.py
@@ -350,7 +350,7 @@ def privileges_revoke(cursor, user,host,db_table,priv,grant_option):
 query.append("FROM %s@%s")
 query = ' '.join(query)
 cursor.execute(query, (user, host))
- priv_string = ",".join(filter(lambda x: x not in [ 'GRANT', 'REQUIRESSL' ], priv))
+ priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])
 query = ["REVOKE %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
 query.append("FROM %s@%s")
 query = ' '.join(query)
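Review bot: Nothing guards against `priv_string` being empty on the new `priv_string = ",".join(filter(...))` line: if `priv` holds only the filtered entries ('GRANT', 'REQUIRESSL'), the statement built on the next line degenerates to `REVOKE  ON ... FROM ...`, a MySQL syntax error the old `REVOKE ALL PRIVILEGES` form could not produce. Whether such a list can reach this function depends on how the callers build `priv` and `curr_priv` (outside the hunk); an explicit `if not priv_string: return` after the join, or skipping the second `cursor.execute`, closes it regardless. Note also that `priv_string` is spliced into the statement text with `%` rather than bound as a parameter — privilege keywords cannot be bound, so this statement is only as trustworthy as the source of `priv`, which from the @@ -245 and @@ -262 hunks appears to be the user's current grants as read back from the server. A comment recording that assumption, e.g. `# priv is spliced into the SQL text (keywords cannot be bound); it must be the parsed privilege list, never raw module input`, would keep a future caller from routing unvalidated input through here.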
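Review bot: After this change the line `priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])` is byte-identical in `privileges_revoke` and in `privileges_grant` (the @@ -360 hunk), so the set of pseudo-privileges that must never appear in a GRANT/REVOKE statement is maintained in two places. A small module-level helper, `def _priv_string(priv): return ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])` with a one-line docstring, called from both sites as `priv_string = _priv_string(priv)`, keeps the filter in one place; it is also where a guard for an empty result would naturally belong. Both enclosing functions extend beyond their hunks.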
@@ -360,7 +360,7 @@ def privileges_grant(cursor, user,host,db_table,priv):
 # Escape '%' since mysql db.execute uses a format string and the
 # specification of db and table often use a % (SQL wildcard)
 db_table = db_table.replace('%', '%%')
- priv_string = ",".join(filter(lambda x: x not in [ 'GRANT', 'REQUIRESSL' ], priv))
+ priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])
 query = ["GRANT %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
 query.append("TO %s@%s")
 if 'GRANT' in priv: