Rechercher dans le manuel MySQL
24.6 Access Control for Stored Programs and Views
Stored programs and views are defined prior to use and, when
referenced, execute within a security context that determines
their privileges. These privileges are controlled by their
DEFINER attribute, and, if there is one, their
SQL SECURITY characteristic.
All stored programs (procedures, functions, triggers, and events)
and views can have a DEFINER attribute that
names a MySQL account. If the DEFINER attribute
is omitted from a stored program or view definition, the default
account is the user who creates the object.
In addition, stored routines (procedures and functions) and views
can have an SQL SECURITY characteristic with a
value of DEFINER or INVOKER
to specify whether the object executes in definer or invoker
context. If the SQL SECURITY characteristic is
omitted, the default is definer context.
Triggers and events have no SQL SECURITY
characteristic and always execute in definer context. The server
invokes these objects automatically as necessary, so there is no
invoking user.
Definer and invoker security contexts differ as follows:
A stored program or view that executes in definer security context executes with the privileges of the account named by its
DEFINERattribute. These privileges may be entirely different from those of the invoking user. The invoker must have appropriate privileges to reference the object (for example,EXECUTEto call a stored procedure orSELECTto select from a view), but when the object executes, the invoker's privileges are ignored and only theDEFINERaccount privileges matter. If this account has few privileges, the object is correspondingly limited in the operations it can perform. If theDEFINERaccount is highly privileged (such as arootaccount), the object can perform powerful operations no matter who invokes it.A stored routine or view that executes in invoker security context can perform only operations for which the invoker has privileges. The
DEFINERattribute can be specified but has no effect for objects that execute in invoker context.
Consider the following stored procedure:
- END;
Any user who has the EXECUTE
privilege for p1 can invoke it with a
CALL statement. However, when
p1 executes, it does so in definer security
context and thus executes with the privileges of
'admin'@'localhost', the account named in the
DEFINER attribute. This account must have the
EXECUTE privilege for
p1 as well as the
UPDATE privilege for the table
t1. Otherwise, the procedure fails.
Now consider this stored procedure, which is identical to
p1 except that its SQL
SECURITY characteristic is INVOKER:
- END;
p2, unlike p1, executes in
invoker security context. The DEFINER attribute
is irrelevant and p2 executes with the
privileges of the invoking user. p2 fails if
the invoker lacks the EXECUTE
privilege for p2 or the
UPDATE privilege for the table
t1.
MySQL uses the following rules to control which accounts a user
can specify in an object DEFINER attribute:
You can specify a
DEFINERvalue other than your own account only if you have theSET_USER_IDorSUPERprivilege.If you do not have the
SET_USER_IDorSUPERprivilege, the only legal user value is your own account, either specified literally or by usingCURRENT_USER. You cannot set the definer to some other account.
To minimize the risk potential for stored program and view creation and use, follow these guidelines:
For a stored routine or view, use
SQL SECURITY INVOKERin the object definition when possible so that it can be used only by users with permissions appropriate for the operations performed by the object.If you create definer-context stored programs or views while using an account that has the
SET_USER_IDorSUPERprivilege, specify an explicitDEFINERattribute that names an account possessing only the privileges required for the operations performed by the object. Specify a highly privilegedDEFINERaccount only when absolutely necessary.Administrators can prevent users from specifying highly privileged
DEFINERaccounts by not granting them theSET_USER_IDorSUPERprivilege.Definer-context objects should be written keeping in mind that they may be able to access data for which the invoking user has no privileges. In some cases, you can prevent reference to these objects by not granting unauthorized users particular privileges:
However, no such control exists for triggers because users do not reference them directly. A trigger always executes in definer context and is activated by access to the table with which it is associated, even ordinary table accesses by users with no special privileges. If the
DEFINERaccount is highly privileged, the trigger can perform sensitive or dangerous operations. This remains true if theSET_USER_ID(orSUPER) andTRIGGERprivileges needed to create the trigger are revoked from the account of the user who created it. Administrators should be especially careful about granting users that combination of privileges.
Traduction non disponible
Le manuel MySQL n'est pas encore traduit en français sur l'infobrol. Seule la version anglaise est disponible pour l'instant.
Document créé le 26/06/2006, dernière modification le 26/10/2018
Source du document imprimé : https://www.gaudry.be/mysql-rf-stored-programs-security.html
L'infobrol est un site personnel dont le contenu n'engage que moi. Le texte est mis à disposition sous licence CreativeCommons(BY-NC-SA). Plus d'info sur les conditions d'utilisation et sur l'auteur.
Références
Ces références et liens indiquent des documents consultés lors de la rédaction de cette page, ou qui peuvent apporter un complément d'information, mais les auteurs de ces sources ne peuvent être tenus responsables du contenu de cette page.
L'auteur de ce site est seul responsable de la manière dont sont présentés ici les différents concepts, et des libertés qui sont prises avec les ouvrages de référence. N'oubliez pas que vous devez croiser les informations de sources multiples afin de diminuer les risques d'erreurs.
