Description:
EXTRA_ACL is documented in sql_parse.cc as

 The idea of EXTRA_ACL is that one will be granted access to the table if
 one has the asked privilege on any column combination of the table; For
 example to be able to check a table one needs to have SELECT privilege on
 any column of the table.

It is used according to the description above, e.g.:

  case SQLCOM_CHECK:
    if (check_table_access(thd, SELECT_ACL | EXTRA_ACL , all_tables, 0))
      goto error; /* purecov: inspected */

Same in SQLCOM_CHECKSUM, and many other places.

In fact EXTRA_ACL grants access to the table if one has *any* privileges on any column
combination - not *asked* privileges.

Either the description or the implementation is wrong.
Ask Monty to be sure.
Take care when fixing the implementation - it'll break de-facto behaviour that MySQL had
for ages.
I failed to find what privileges should apply to CHECK and CHECKSUM in the manual.

How to repeat:
CREATE TABLE t1 (a int, b int);
GRANT INSERT (a) ON test.t1 TO user@localhost;

-- connect as user@localhost
INSERT t1 (a) VALUES (1);
CHECK TABLE t1;

Consequences, commands that require less privileges than intended:

CHECKSUM TABLE
CHECK TABLE
SHOW COLUMNS
SHOW KEYS
SHOW CREATE TABLE
CREATE TABLE ... LIKE

bug#32826 was marked a duplicate of this bug

After discussion with Monty: we'll fix it by making EXTRA_ACL behave as documented. To
preserve the old de-facto behavior we'll use TABLE_ACL | EXTRA_ACL instead SELECT_ACL |
EXTRA_ACL for those statements where we want to preserve it.

I think that for CHECK TABLE we can preserve the old behavior (any privilege is
sufficient), for other statements we will preserve the intended behavior (SELECT privilege
is required).

The manual need to list explicitly the required privileges for all the affected
statements.

because of inevitable behavior changes, we'll fix it in 5.1+

CREATE TABLE ... LIKE is closest to the standard's
CREATE TABLE ... (LIKE table), where "LIKE table"
is a <like clause>. The requirement for <like clause> is
(SQL:200n Part 2, 11.3 <table definition>, access rules)
"2) If a <like clause> is contained in a <table definition>,
then the applicable privileges for A shall include
SELECT privilege on the table identified in the <like clause>."

SHOW COLUMNS is closest to the standard's
SELECT ... FROM INFORMATION_SCHEMA.COLUMNS.
The requirement for selecting from the COLUMNS view is
(SQL:200n Part 11, 5.21 COLUMNS view)
"WHERE ( C.TABLE_CATALOG, C.TABLE_SCHEMA, C.TABLE_NAME, C.COLUMN_NAME ) IN
( SELECT CP.TABLE_CATALOG, CP.TABLE_SCHEMA, CP.TABLE_NAME, CP.COLUMN_NAME
FROM DEFINITION_SCHEMA.COLUMN_PRIVILEGES AS CP
WHERE ( CP.GRANTEE IN
( 'PUBLIC', CURRENT_USER )
OR
CP.GRANTEE IN
( SELECT ROLE_NAME
FROM ENABLED_ROLES ) ) )"

In other words, in standard SQL, CREATE TABLE ... LIKE
requires SELECT, while SHOW COLUMNS requires any privilege.

See also
https://intranet.mysql.com/worklog/Server-Sprint/?tid=173
https://intranet.mysql.com/secure/mailarchive/mail.php?folder=104&mail=99596

Update on the conclusions made while working on this:

CREATE TABLE ... LIKE => Requires SELECT on the table.
SHOW COLUMNS => Requires any privileges on any column combination.
 (Note: only columns which actually have privileges are shown.)
CHECK TABLE => Any privilege on any column combination
CHECKSUM => SELECT privileges on the table.
SHOW OPEN TABLES - same as SHOW TABLES which is any privilege on any column combination.

Hence, the need for EXTRA_ACL behaving as "any privilege from a subset of privileges on
any column combination" (= any requested privilege on any column combination) is not
needed.

Further more I argue that using the EXTRA_ACL 'escape channel' adds unnecessary
complexity, and that it should be removed completely.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41570

ChangeSet@1.2681, 2008-02-01 15:44:26+01:00, thek@adventure.(none) +16 -0
  Bug#27145 EXTRA_ACL troubles
  
  The flag EXTRA_ACL is used in conjugation with our access checks, yet it is
  not clear what impact this flag has.
  This is a code clean up which replaces use of EXTRA_ACL with an explicit
  function parameter.
  The patch also fixes privilege checks for:
  - SHOW CREATE TABLE: The new privilege requirement is any privilege on
    the table-level.
  - CHECKSUM TABLE: Requires SELECT on the table level.
  - SHOW CREATE VIEW: Requires SHOW_VIEW and SELECT on the table level
    (just as the manual claims)
  - SHOW INDEX: Requires any privilege on any column combination.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41572

ChangeSet@1.2681, 2008-02-01 16:51:47+01:00, thek@adventure.(none) +16 -0
  Bug#27145 EXTRA_ACL troubles
  
  The flag EXTRA_ACL is used in conjugation with our access checks, yet it is
  not clear what impact this flag has.
  This is a code clean up which replaces use of EXTRA_ACL with an explicit
  function parameter.
  The patch also fixes privilege checks for:
  - SHOW CREATE TABLE: The new privilege requirement is any privilege on
    the table-level.
  - CHECKSUM TABLE: Requires SELECT on the table level.
  - SHOW CREATE VIEW: Requires SHOW_VIEW and SELECT on the table level
    (just as the manual claims)
  - SHOW INDEX: Requires any privilege on any column combination.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/43361

ChangeSet@1.2681, 2008-03-04 12:12:17+01:00, thek@adventure.(none) +20 -0
  Bug#27145 EXTRA_ACL troubles
  
  The flag EXTRA_ACL is used in conjugation with our access checks, yet it is
  not clear what impact this flag has.
  This is a code clean up which replaces use of EXTRA_ACL with an explicit
  function parameter.
  The patch also fixes privilege checks for:
  - SHOW CREATE TABLE: The new privilege requirement is any privilege on
    the table-level.
  - CHECKSUM TABLE: Requires SELECT on the table level.
  - SHOW CREATE VIEW: Requires SHOW_VIEW and SELECT on the table level
    (just as the manual claims)
  - SHOW INDEX: Requires any privilege on any column combination.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/43400

ChangeSet@1.2681, 2008-03-04 17:26:59+01:00, thek@adventure.(none) +20 -0
  Bug#27145 EXTRA_ACL troubles
  
  The flag EXTRA_ACL is used in conjugation with our access checks, yet it is
  not clear what impact this flag has.
  This is a code clean up which replaces use of EXTRA_ACL with an explicit
  function parameter.
  The patch also fixes privilege checks for:
  - SHOW CREATE TABLE: The new privilege requirement is any privilege on
    the table-level.
  - CHECKSUM TABLE: Requires SELECT on the table level.
  - SHOW CREATE VIEW: Requires SHOW_VIEW and SELECT on the table level
    (just as the manual claims)
  - SHOW INDEX: Requires any privilege on any column combination.

Pushed into 6.0-runtime.

Pushed into 6.0.6-alpha

Noted in 6.0.6 changelog.

Access privileges for several statements are more accurately checked:

CHECK TABLE requires some privilege for the table.
          
CHECKSUM TABLE requires SELECT for the table. 
        
CREATE TABLE ... LIKE requires SELECT for the source table and CREATE
for the destination table. 
          
SHOW COLUMNS displays information only for those columns you have
some privilege for. 
          
SHOW CREATE TABLE requires some privilege for the table (previously
required SELECT). 

SHOW CREATE VIEW requires SHOW VIEW and SELECT for the view. 

SHOW INDEX requires some privilege for any column.

SHOW OPEN TABLES displays only tables for which you have some 
privilege on any table column.