Virtualmin grants all privileges to all databases

Submitted by webinteractive on Sat, 05/26/2012 - 07:12

Hi,

When I create a new site, Virtualmin makes an entry for the site admin that grants all privileges on all databases. In the mysql database permissions (see attached screenshot), I see that the user is granted for the rights on his own database. But when I show the grants for the user in MySQL, I get the following:

+---------------------------------------------------------------------------------------+ | Grants for sv@% | +---------------------------------------------------------------------------------------+ | GRANT ALL PRIVILEGES ON . TO 'sv'@'%' IDENTIFIED BY PASSWORD '14283675C7ACCD34EEE15E10323FE0C97B3B0907' WITH GRANT OPTION | | GRANT ALL PRIVILEGES ON sv. TO 'sv'@'%' WITH GRANT OPTION | | GRANT ALL PRIVILEGES ON sv\_cms.* TO 'sv'@'%' WITH GRANT OPTION | | GRANT ALL PRIVILEGES ON sv\_cms2.* TO 'sv'@'%' WITH GRANT OPTION | +---------------------------------------------------------------------------------------+ 4 rows in set (0.00 sec)

Am I missing something in my configuration?

Thanks in advance,

Joshua.

Status: 
Closed (works as designed)

Comments

Submitted by JamieCameron on Sat, 05/26/2012 - 11:29

The user should only be granted all privileges on his own databases, not all databases. That's what the screenshot you attached shows..

What command are you using to show those grants? Also, can you see this all-databases grant at Webmin -> Servers -> MySQL Database -> Database Permissions?

Submitted by webinteractive on Sat, 05/26/2012 - 12:51

I know that the user only should be granted for his own databases, that is why I find it so weird. The command I use to show the grants:

show grants for 'sv'@'%';

When I goto Webmin -> Servers -> MySQL Database -> Database Permissions, I see 6 entries for user 'sv'. See attached screenshots for details.

Submitted by JamieCameron on Sat, 05/26/2012 - 20:02

None of those screenshots show a grant for all databases though ..

Submitted by JamieCameron on Sat, 05/26/2012 - 20:06

I suspect that either the grant privileges output doesn't mean what you expect, or maybe it isn't in sync with the permissions in the db table in MySQL. You can try running flush privileges in MySQL to correct this.

Submitted by webinteractive on Sun, 05/27/2012 - 03:35

That is the whole point of my problem. And that is why I made screenshots of the Virtualmin-MySQL-privileges and the privileges in MySQL. To show you that they are not in sync. When I create a new site in Virtualmin, the site-admin is automatically granted for all databases. I can't find out why that is. I don't grant users in MySQL directly, I only grant privileges through Virtualmin. So the privileges in Virtualmin and MySQL should be in sync.

Submitted by JamieCameron on Sun, 05/27/2012 - 11:14

So does running "flush privileges" in MySQL correct this mismatch?

Virtualmin never updates grants directly - instead it modifies the mysql.user and mysql.db tables, then runs flush privileges.

Submitted by webinteractive on Sun, 05/27/2012 - 17:04

I tried "flush privileges", but to no avail. So any ideas why there is a "grant all privileges on ."? Is it something that is configurable in the Virtualmin-settings? I have enabled remote support on the virtualmin server. You can try to make a new site. You'll see that the created site-admin is able to see all databases. FYI, the db is on db.webinteractive.nl.

Submitted by JamieCameron on Sun, 05/27/2012 - 20:32

Have you tested if the sv user can actually access databases other than those owned by his domain?

Submitted by webinteractive on Mon, 05/28/2012 - 05:05

Offcourse. As user 'sv' I can see all databases, access all databases. I can use an other database and see all tables. And I am able to see the content of all databases.

Submitted by JamieCameron on Mon, 05/28/2012 - 15:32

Could you post here the output from the following commands, run in MySQL as root :

select * from mysql.user where user = 'sv';

select * from mysql.db where user = 'sv';

Submitted by JamieCameron on Wed, 05/30/2012 - 13:33

I think I see the issue here - in the user table, the sv user has been granted all permissions .. but they really shouldn't have any permissions. To fix this, go to Webmin -> Servers -> MySQL Database -> User permissions, click on sv and de-select everything in the Permissions field, then click Save. Then do the same for the other row for the sv user.

Permissions don't need to be granted at the user level, as they are granted for the user on each database.