Bug #100762 | Grant privileges for user in a database still exist after dropping the database | ||
---|---|---|---|
Submitted: | 7 Sep 2020 20:59 | Modified: | 8 Sep 2020 5:21 |
Reporter: | Justin Levene | Email Updates: | |
Status: | Not a Bug | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S3 (Non-critical) |
Version: | 8.0.20 | OS: | Any |
Assigned to: | CPU Architecture: | Any | |
Tags: | drop database, grant, privileges, user |
[7 Sep 2020 20:59]
Justin Levene
[7 Sep 2020 21:07]
Justin Levene
Added to the Synopsis and tags. This is also a security issue as if an admin drops a database to wipe data, privileges, etc. due to a hack, a vulnerability still exists in that if the hacker gave himself a privilege, it still exists on the new database, even though the old one was deleted.
[8 Sep 2020 5:21]
MySQL Verification Team
Hello Justin Levene, Thank you for the report and feedback. Imho this is documented and expected behavior,Quoting from manual " Important When a database is dropped, privileges granted specifically for the database are not automatically dropped. They must be dropped manually. See Section 13.7.1.6, “GRANT Statement”. ". Please see https://dev.mysql.com/doc/refman/8.0/en/drop-database.html regards, Umesh