Bug #3933 one can grant privileges on the db he has no privileges on
Submitted: 29 May 2004 21:25
Modified: 19 Sep 2004 20:32
Reporter: Sergei Golubchik
Status: Closed
Category: Server
Severity: S2 (Serious)
Version: 4.0
OS:
Assigned to: Sergei Golubchik
Target Version:

[29 May 2004 21:25] Sergei Golubchik
Description:
One can grant privileges on the db he has no privileges on, if he is granted privileges on
the db with the underscore in the name.

How to repeat:
GRANT ... ON 'some\_db' TO eviluser WITH GRANT OPTION;

eviluser can access only some_db.
Now as eviluser:

GRANT ... ON 'some_db' TO eviluser2;

eviluser2 has access to some1db, some2db, etc.

Additionally, eviluser can *not* grant privileges on 'some\_db'.
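
The wildcard semantics behind this report, as an added example (not part of the original report and not MySQL's own code): in database-level grant patterns `_` matches any single character and `%` any run of characters unless escaped with a backslash. The function names, the sample database list and the deliberately conservative re-grant rule in `may_regrant` are assumptions made for illustration.

```python
import re

def tokens(pattern):
    """Yield (char, is_wildcard) for a MySQL db-level grant pattern:
    '_' and '%' are wildcards unless preceded by a backslash."""
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            yield pattern[i + 1], False   # escaped: literal character
            i += 2
        else:
            yield pattern[i], pattern[i] in "_%"
            i += 1

def to_regex(pattern):
    """Compile a grant pattern into an anchored regular expression."""
    parts = []
    for ch, wild in tokens(pattern):
        parts.append(("." if ch == "_" else ".*") if wild else re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.DOTALL)

def matched(pattern, databases):
    """Existing database names that the grant pattern applies to."""
    rx = to_regex(pattern)
    return sorted(d for d in databases if rx.match(d))

def may_regrant(held, requested):
    """Conservative check for a grantor holding `held` WITH GRANT OPTION
    (an assumed simplification, not the server's actual rule):
    a wildcard-free request must be matched by `held`; a request that
    itself contains wildcards must be textually identical to `held`."""
    toks = list(tokens(requested))
    if any(wild for _, wild in toks):
        return requested == held
    literal = "".join(ch for ch, _ in toks)
    return bool(to_regex(held).match(literal))

# Constructed sample data mirroring the report (not from a real server).
DATABASES = ["some_db", "some1db", "some2db", "other"]

if __name__ == "__main__":
    held = r"some\_db"
    for requested in (r"some\_db", "some_db"):
        print(f"{requested!r}: regrant allowed={may_regrant(held, requested)}, "
              f"applies to {matched(requested, DATABASES)}")
```

Running `matched` over the real database list for every row that carries a grant option gives a quick audit of which grants reach further than their name suggests.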

[29 May 2004 21:26] Sergei Golubchik
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

fixed in 4.0.21

[19 Sep 2004 18:52] Christian Hammers
Hello

Is there a diff for 3.23?
Debian stable aka "woody" was released with this branch and I can't find a reference to
this bug in bitkeeper nor internals-l.

bye,

-christian- aka <ch@debian.org>

[19 Sep 2004 20:32] Sergei Golubchik
http://mysql.bkbits.net:8080/mysql-4.0/patch@1.1844.5.1

Can you not upgrade to 4.0 instead?