Bug #38052 MEM inappropriately recommends skip-show-database
Submitted: 11 Jul 2008 16:06
Modified: 11 Nov 2008 14:09
Reporter: Dean Ellis
Status: Closed
Category: MySQL Enterprise Monitor: Advisors/Rules
Severity: S3 (Non-critical)
Version: 1.x, 2.0
OS: Any
Assigned to: Andy Bang
CPU Architecture: Any

[11 Jul 2008 16:06] Dean Ellis
Description:
MEM alert, "INFO Alert - Users Can View All Databases On MySQL Server (v 1.5 *)" from the Security advisor is simply mistaken.

Default server behavior allows users to see databases on which they have privileges, *not* "all databases on server".

Using skip-show-database will prevent users from issuing SHOW DATABASES statements unless they have the "SHOW DATABASE" privilege, which *then would* allow the user to see all databases on the server.

How to repeat:
Hopefully obvious.

Suggested fix:
This should simply be removed.  It's a wrong recommendation.  "SHOW DATABASE" has been sane since MySQL 4.0.2.
[11 Jul 2008 16:08] Mark Leith
Verified as described.
[29 Jul 2008 23:10] Andy Bang
How about if we limit it to only fire for MySQL servers before 4.0.2?
[13 Oct 2008 22:31] Andy Bang
In 1.3: Committed revision 9211.

In 2.0: Pushed up to revision 228.
[15 Oct 2008 14:29] Keith Russell
Patch applied in versions => 2.0.0.7076.
[15 Oct 2008 15:39] Keith Russell
Patch applies to versions _> 1.3.0.9213.
[23 Oct 2008 0:13] Bill Weber
Fixed in Advisor bundles 1.3.0.9217 and 2.0.0.7083.
[11 Nov 2008 14:09] Tony Bedford
An entry was added to the 1.3 and 2.0 changelogs:

The MySQL Enterprise Monitor alert “INFO Alert - Users Can View All Databases On MySQL Server (v 1.5 *)” from the Security advisor was incorrect. This is because the default server behavior allows users to see databases for which they have privileges, not “all databases on server” as suggested by the alert.
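
The behavior discussed in this report can be checked directly on a server. The following is an added example, not part of the original bug thread or of the MEM advisor rules. The database names `app_a` and `app_b`, the account `'report'@'localhost'` and its password are constructed placeholders.

```sql
-- Setup (run as an administrative account).
-- app_a, app_b and 'report'@'localhost' are constructed names for this example.
CREATE DATABASE app_a;
CREATE DATABASE app_b;
CREATE USER 'report'@'localhost' IDENTIFIED BY 'REPLACE_WITH_A_REAL_PASSWORD';
GRANT SELECT ON app_a.* TO 'report'@'localhost';

-- Confirm the account holds only a database-level grant and no global
-- SHOW DATABASES privilege.
SHOW GRANTS FOR 'report'@'localhost';

-- Reconnect as 'report'@'localhost' and run the statement below.
-- Per the report, default server behavior lists only the databases on which
-- the connected account has privileges, not every database on the server.
SHOW DATABASES;

-- Audit (run as an administrative account): the accounts that really can see
-- every database are the ones holding the global SHOW DATABASES privilege.
SELECT User, Host
FROM mysql.user
WHERE Show_db_priv = 'Y'
ORDER BY User, Host;

-- Check whether the server was started with skip-show-database, which
-- restricts the SHOW DATABASES statement to accounts returned by the audit
-- query above.
SHOW VARIABLES LIKE 'skip_show_database';

-- Cleanup of the constructed objects.
DROP USER 'report'@'localhost';
DROP DATABASE app_a;
DROP DATABASE app_b;
```

Reviewing the rows returned by the `Show_db_priv` query is the check that matches the exposure the alert claimed to describe.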