Description:
When I use account A to create a new user B and then rename user B to ''@'%',
I can no longer log in with account A.
How to repeat:
1. Use the user with "create user" privilege to create user "beebot_service_pro" and grant privileges to it.
CREATE USER `beebot_service_pro`@`%` identified by '111';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE ROLE, DROP ROLE ON *.* TO `beebot_service_pro`@`%`;
2. Log in with the newly created user "beebot_service_pro".
mysql -ubeebot_service_pro -h127.0.1 -P3306 -p111
3. Create a new user via user "beebot_service_pro".
CREATE USER 'userread'@'%' IDENTIFIED WITH 'mysql_native_password';
RENAME USER `userread`@`%` TO ``@`%`;
4. Log in again with user "beebot_service_pro"; "Access denied" is returned.
mysql -ubeebot_service_pro -h127.0.1 -P3306 -p111
ERROR 1045 (28000): Access denied for user 'beebot_service_pro'@'127.0.0.1' (using password: YES)
Suggested fix:
In the repeat case, I use account A with the name `beebot_service_pro`; it can't be repeated with just any user name.
When I checked the code of the login part, I found that in "name_to_userlist" any user shares the same list with the anonymous user, and in this list they are sorted according to ACL_USER_compare().
In this case, the anonymous user ``@`%` will inherit some attributes from user 'userread'@'%'. As a result, the value of acl_user.sort will not be recalculated for user ``@`%`. After sorting, in the name_to_userlist, user ``@`%` will be in front of user `beebot_service_pro`. So when we log in again with user `beebot_service_pro`, the check in native_password_authenticate that the scrambled message corresponds to the password will fail.
Performing "flush privileges;" after the rename user is a decent workaround: the attributes of users will be reloaded and we can log in again successfully with user 'beebot_service_pro'. However, we think this bug may cause serious problems, since it is possible that the client may not have any other user to log in with and flush privileges.
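
The ordering problem described above, as a simplified model added here for illustration; it is not code from the MySQL source or from the reporter. The key formula, the tie-break by name and every type and function name are assumptions, and on a real server the outcome depends on the account name, as the report notes.

```cpp
#include <algorithm>
#include <cstdio>
#include <string>
#include <vector>
// Toy model (not MySQL source): an account entry with a cached ordering key.
struct AclUser { std::string user, host, password; int sort; };
// Assumed rule: a named account outranks the anonymous ('') account.
static int specificity(const std::string &user) { return user.empty() ? 0 : 1; }

struct Acl {
    std::vector<AclUser> list;  // one list shared by named and anonymous users
    void resort() {
        // Higher key first; ties broken by name (assumption made for the model).
        std::stable_sort(list.begin(), list.end(), [](const AclUser &a, const AclUser &b) {
            return a.sort != b.sort ? a.sort > b.sort : a.user < b.user; });
    }
    void create_user(const std::string &u, const std::string &pw) {
        list.push_back({u, "%", pw, specificity(u)});
        resort();
    }
    // stale_key=true keeps the old key across the rename, as the report describes.
    void rename_user(const std::string &from, const std::string &to, bool stale_key) {
        for (auto &e : list)
            if (e.user == from) { e.user = to; if (!stale_key) e.sort = specificity(to); }
        resort();
    }
    // Stand-in for FLUSH PRIVILEGES: recompute every key, then re-sort.
    void flush() { for (auto &e : list) e.sort = specificity(e.user); resort(); }
    // The first entry that is anonymous or matches the name decides the login.
    bool login(const std::string &u, const std::string &pw) const {
        for (const auto &e : list)
            if (e.user.empty() || e.user == u) return e.password == pw;
        return false;
    }
};

// Replays the report's steps; returns whether beebot_service_pro can log in.
bool scenario(bool stale_key, bool flush_after) {
    Acl acl;
    acl.create_user("beebot_service_pro", "111");
    acl.create_user("userread", "");
    acl.rename_user("userread", "", stale_key);
    if (flush_after) acl.flush();
    return acl.login("beebot_service_pro", "111");
}

int main() {
    std::printf("stale key: %d, after flush: %d, key recomputed: %d\n", scenario(true, false), scenario(true, true), scenario(false, false));
}
```

In this model, recomputing the key inside the rename has the same effect as the flush, which is the direction the suggested fix points in.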