Bug #38052 MEM inappropriately recommends skip-show-database
Submitted: 11 Jul 2008 18:06 Modified: 11 Nov 2008 15:09
Reporter: Dean Ellis
Status: Closed
Category: Monitoring: Advisors/Rules Severity: S3 (Non-critical)
Version: 1.x,2.0 OS: Any
Assigned to: Andy Bang Target Version: 2.0 next beta
Triage: D3 (Medium) / R2 (Low) / E2 (Low)

[11 Jul 2008 18:06] Dean Ellis
Description:
MEM alert, "INFO Alert - Users Can View All Databases On MySQL Server (v 1.5 *)" from
the Security advisor is simply mistaken.

Default server behavior allows users to see databases on which they have privileges,
*not* "all databases on server".

Using skip-show-database will prevent users from issuing SHOW DATABASES statements unless
they have the "SHOW DATABASE" privilege, which *then would* allow the user to see all
databases on the server.

How to repeat:
Hopefully obvious.

Suggested fix:
This should simply be removed.  It's a wrong recommendation.  "SHOW DATABASE" has been
sane since MySQL 4.0.2.
[11 Jul 2008 18:08] Mark Leith
Verified as described.
[30 Jul 2008 1:10] Andy Bang
How about if we limit it to only fire for MySQL servers before 4.0.2?
[14 Oct 2008 0:31] Andy Bang
In 1.3: Committed revision 9211.

In 2.0: Pushed up to revision 228.
[15 Oct 2008 16:29] Keith Russell
Patch applied in versions => 2.0.0.7076.
[15 Oct 2008 17:39] Keith Russell
Patch applies to versions >= 1.3.0.9213.
[23 Oct 2008 2:13] Bill Weber
Fixed in Advisor bundles 1.3.0.9217 and 2.0.0.7083.
[11 Nov 2008 15:09] Tony Bedford
An entry was added to the 1.3 and 2.0 changelogs:

The MySQL Enterprise Monitor alert “INFO Alert - Users Can View All Databases On MySQL
Server (v 1.5 *)” from the Security advisor was incorrect. This is because the default
server behavior allows users to see databases for which they have privileges, not “all
databases on server” as suggested by the alert.
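
The default behavior discussed in this report, together with an audit for accounts that hold the global SHOW DATABASES privilege, as an added example that is not part of the original bug thread. The database names, account names and password are hypothetical placeholders.

```sql
-- Added example; app_db, hr_db, app_user and report_user are constructed names.

-- 1. Set up two databases and an account with privileges on only one of them.
CREATE DATABASE app_db;
CREATE DATABASE hr_db;
CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'replace-with-strong-password';
GRANT SELECT ON app_db.* TO 'app_user'@'localhost';

-- 2. Confirm what the account was actually granted.
SHOW GRANTS FOR 'app_user'@'localhost';

-- 3. Run as app_user on a server started WITHOUT skip-show-database.
--    The listing is restricted to databases on which the account holds
--    some privilege; it is not a listing of every database on the server.
SHOW DATABASES;

-- 4. Check whether the server was started with skip-show-database.
SHOW VARIABLES LIKE 'skip_show_database';

-- 5. Audit (run as an administrator): accounts that hold the global
--    SHOW DATABASES privilege. These are the accounts that can list
--    every database, with or without skip-show-database.
SELECT User, Host
FROM mysql.user
WHERE Show_db_priv = 'Y'
ORDER BY User, Host;

-- 6. Remove the global privilege from an account that does not need it.
--    report_user stands in for an account returned by the audit query.
REVOKE SHOW DATABASES ON *.* FROM 'report_user'@'localhost';

-- 7. Clean up the constructed objects.
DROP USER 'app_user'@'localhost';
DROP DATABASE app_db;
DROP DATABASE hr_db;
```

The audit query in step 5 is the check that matters for database enumeration: it targets the privilege itself rather than the skip-show-database setting.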