Bug #3933 one can grant privileges on the db he has no privileges on
Submitted: 29 May 2004 19:25
Modified: 19 Sep 2004 18:32
Reporter: Sergei Golubchik
Status: Closed
Category: MySQL Server
Severity: S2 (Serious)
Version: 4.0
Assigned to: Sergei Golubchik
CPU Architecture: Any

[29 May 2004 19:25] Sergei Golubchik
Description:
One can grant privileges on a db he has no privileges on, if he is granted privileges on a db with an underscore in its name.

How to repeat:
GRANT ... ON 'some\_db' TO eviluser WITH GRANT OPTION;

eviluser can access only some_db.
now as eviluser:

GRANT ... ON 'some_db' TO eviluser2;

eviluser2 has access to some1db, some2db, etc.

Additionally, eviluser can *not* grant privileges on 'some\_db'.
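
The wildcard matching behind this report, as an added example that is not part of the original thread or of MySQL's source: it assumes database-level GRANT names treat `_` as any single character and `%` as any run of characters unless backslash-escaped, and that names compare case-sensitively. The function names and the sample grants and databases are constructed for illustration.

```python
import re

def grant_pattern_to_regex(pattern):
    """Translate a database-level GRANT name into a compiled regex.
    '_' matches one character, '%' any run, a backslash escapes the next char."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped char is literal
            i += 2
            continue
        if c == "_":
            out.append(".")
        elif c == "%":
            out.append(".*")
        else:
            out.append(re.escape(c))  # includes a lone trailing backslash
        i += 1
    return re.compile("".join(out), re.DOTALL)

def databases_covered(pattern, databases):
    """List the existing databases that a grant on `pattern` applies to."""
    rx = grant_pattern_to_regex(pattern)
    return [d for d in databases if rx.fullmatch(d)]

def audit(grants, databases):
    """Return (grantee, pattern, covered) for every grant whose name
    matches more than one existing database, i.e. an unintended wildcard."""
    findings = []
    for grantee, pattern in grants:
        covered = databases_covered(pattern, databases)
        if len(covered) > 1:
            findings.append((grantee, pattern, covered))
    return findings

# Constructed sample data mirroring the report above.
DATABASES = ["some_db", "some1db", "some2db", "other"]
GRANTS = [("eviluser", r"some\_db"), ("eviluser2", "some_db")]

if __name__ == "__main__":
    for grantee, pattern, covered in audit(GRANTS, DATABASES):
        print(f"{grantee}: grant on {pattern!r} covers {covered}")
```
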
[29 May 2004 19:26] Sergei Golubchik
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

fixed in 4.0.21
[19 Sep 2004 16:52] Christian Hammers
Hello

Is there a diff for 3.23?
Debian stable aka "woody" was released with this branch and I can't find a reference to this bug in bitkeeper nor internals-l.

bye,

-christian- aka <ch@debian.org>
[19 Sep 2004 18:32] Sergei Golubchik
http://mysql.bkbits.net:8080/mysql-4.0/patch@1.1844.5.1

Can't you upgrade to 4.0 instead?
[26 Jun 2012 14:41] Georgy Vassilev
We have the same problem in MySQL versions 5.0 and 5.5.