Disabling "SHOW TABLES;" on mysql

Submitted by: @import:stackexchange-dba

Problem

I have been looking all over the web now, and cannot seem to find the option to disable this command. I think this is quite a risky security hole.

There is an option to disable SHOW DATABASES;, but not SHOW TABLES;

Maybe some of you had

Solution

As far as I know you cannot disable SHOW TABLES, but if you have only assigned permissions to tables that the user should be able to access, I don't see how there is a security issue. A user cannot list tables to which he has no permissions.

root@beren [~]# mysql -u root -p
Enter password:

mysql> use foo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------+
| Tables_in_foo |
+---------------+
| bar           |
| baz           |
+---------------+
2 rows in set (0.00 sec)

mysql> create user 'quux'@'localhost' identified by '*******';
Query OK, 0 rows affected (0.00 sec)

mysql> grant select on table foo.bar to 'quux'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.02 sec)

mysql> exit
Bye
root@beren [~]# mysql -u quux -p foo
Enter password:

mysql> show tables;
+---------------+
| Tables_in_foo |
+---------------+
| bar           |
+---------------+
1 row in set (0.00 sec)

mysql>
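
An audit that follows from this answer, as an added example that is not part of the original post: because SHOW TABLES lists only tables on which an account holds a privilege, these queries find the grants that widen that list for schema foo. It assumes an administrative session that can read all accounts' grants; the account 'report'@'localhost' is hypothetical.

```sql
-- Added example. Uses the answer's names: schema foo, tables bar and baz,
-- account 'quux'@'localhost'. 'report'@'localhost' is a hypothetical account.

-- 1. Table-type privileges granted globally (ON *.*). An account listed here
--    holds the privilege on every table of every schema, foo included.
SELECT GRANTEE, PRIVILEGE_TYPE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'CREATE', 'DROP',
                         'ALTER', 'INDEX', 'REFERENCES', 'TRIGGER',
                         'CREATE VIEW', 'SHOW VIEW')
ORDER BY GRANTEE, PRIVILEGE_TYPE;

-- 2. Schema-level grants that cover foo (ON foo.*). An account listed here
--    sees both bar and baz. Schema names in grants may contain the % and _
--    wildcards, so match with LIKE instead of equality.
SELECT GRANTEE, TABLE_SCHEMA AS granted_on, PRIVILEGE_TYPE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE 'foo' LIKE TABLE_SCHEMA
ORDER BY GRANTEE, PRIVILEGE_TYPE;

-- 3. Table-level grants inside foo. This is the form the answer uses for quux.
SELECT GRANTEE, TABLE_NAME, PRIVILEGE_TYPE
FROM information_schema.TABLE_PRIVILEGES
WHERE TABLE_SCHEMA = 'foo'
ORDER BY GRANTEE, TABLE_NAME, PRIVILEGE_TYPE;

-- 4. Column-level grants inside foo, listed so the audit covers every grant scope.
SELECT GRANTEE, TABLE_NAME, COLUMN_NAME, PRIVILEGE_TYPE
FROM information_schema.COLUMN_PRIVILEGES
WHERE TABLE_SCHEMA = 'foo'
ORDER BY GRANTEE, TABLE_NAME, COLUMN_NAME;

-- 5. Everything one account holds, in GRANT syntax.
SHOW GRANTS FOR 'quux'@'localhost';

-- 6. Narrowing a schema-wide grant found in step 2 to a single table.
--    REVOKE fails if the account does not hold exactly this grant.
--    GRANT and REVOKE take effect without FLUSH PRIVILEGES.
REVOKE SELECT ON foo.* FROM 'report'@'localhost';
GRANT SELECT ON foo.bar TO 'report'@'localhost';
```

Any account returned by step 1 or step 2 sees tables beyond those granted to it one by one, which is the case to review when a table name itself is considered sensitive.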

Context

StackExchange Database Administrators Q#33659, answer score: 5
