Bug #1048 Problem with Show_db_priv privilege
Submitted: 14 Aug 2003 5:05 Modified: 14 Aug 2003 7:00
Reporter: Jani Tolonen Email Updates:
Status: Not a Bug Impact on me:
None 
Category:MySQL Server Severity:S2 (Serious)
Version:4.0.14 OS:Any (All)
Assigned to: Sinisa Milivojevic CPU Architecture:Any

[14 Aug 2003 5:05] Jani Tolonen
Description:
Setting Create_tmp_table_priv='Y' or Lock_tables_priv='Y' will
allow user to see all database even if it otherwise was not
possible.

How to repeat:
grant usage on test.* to test_user@localhost identified by 'test_user';
update mysql.user set Create_tmp_table_priv='Y' where user='test_user';
flush privileges;

Open another connection to MySQL, this time as user 'test_user'.
Run SHOW DATABASES;

All databases are shown, while they should not be.

Simply toggling the Create_tmp_table_priv between 'N' and 'Y' will
affect whether SHOW DATABASES show all databases or none. None would
be correct. Setting Lock_tables_priv='Y' does the same thing, there
could be other privs that has the same bug, probably server administration
related ones.

Regards,
Jani
[14 Aug 2003 6:39] Sinisa Milivojevic
As an interim result, the following is a proper GRANT:

rant CREATE TEMPORARY TABLES on *.* to test@localhost;
Query OK, 0 rows affected (0.76 sec)
[14 Aug 2003 7:00] Sergei Golubchik
expected behaviour.

User can see all databases that he has any grant on.
If user can create temporary table in any database or lock table in any database - he can see these databases. Same for any global privilege, e.g. select_priv;

Show_db_priv privilege allows to see databases that a user has no grants on.