Bug #1134 As new privileges are added in 4.x, an already solved problem has arisen again
Submitted: 25 Aug 2003 9:36
Modified: 27 Aug 2003 10:56
Reporter: Josip Deanovic
Status: Closed
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 4.0.14
OS: Any (All)
Assigned to: Sinisa Milivojevic
CPU Architecture: Any

[25 Aug 2003 9:36] Josip Deanovic
Description:
In mysql 3.x, if safe-show-database is entered in my.cnf, by issuing the
'show databases' command, users will normally see only their own databases.
But if some of the privileges in the user table (for example 'File_priv')
are added to some user, he will be able to list all databases on the server.

With mysql 4.x there are new privileges added to the MySQL tables, and the already
mentioned problem seems to be corrected for the old privileges but not for the
new privileges like: Super_priv, Create_tmp_table_priv, Lock_tables_priv,
Execute_priv, Repl_slave_priv (in the user table).
As a result, unprivileged users (those that do not have Show_db_priv)
become able to see all databases by issuing the 'show databases' command in the case
where they have some of the new privileges set (e.g. Lock_tables_priv).

It is not a problem to apply a patch every time and recompile mysql, but it
would be more convenient if this were solved in the next release of mysql.

How to repeat:
Well, create user 'a' with database 'a' and user 'b' with database 'b'.
Then add privilege 'Lock_tables_priv' and remove privilege 'Show_db_priv'
(both in the user table) for users 'a' and 'b'.
Now, if you log in as user 'a' or 'b', after issuing the 'show databases' command,
you will list all the databases instead of only one.

Suggested fix:
A similar problem is already fixed for the old privileges in the user table, but
the new privileges come with the old problem. Too many ACLs are checked in some
IF statement, I believe.

[27 Aug 2003 5:03] Josip Deanovic
Ok, that is not a bug.

The Create_tmp_table_priv and Lock_tables_priv privileges could be set in the db
table instead of the user table.
If, for example, Execute_priv is set in the user table, an unprivileged user still
will not see databases without proper privileges. So, there is no bug, sorry.

Additional explanation can be found here: http://bugs.mysql.com/bug.php?id=1048

[27 Aug 2003 10:56] Sinisa Milivojevic
As explained by the user, this is not a bug.
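
The resolution in this thread, as an added SQL example that is not part of the original report or of MySQL's own material: audit for accounts that hold Lock_tables_priv or Create_tmp_table_priv in the user table without Show_db_priv, then move those privileges to the db table. The account 'a' and database a follow the report's reproduction steps; the host part 'localhost' is an assumption.

```sql
-- Added example; not from the bug report or from the MySQL project.
-- Assumes MySQL 4.0.x grant tables and an account 'a'@'localhost' that
-- owns database a (the host part is an assumption).

-- 1. Audit: accounts holding one of the two privileges globally
--    (user table) while Show_db_priv is not set.
SELECT User, Host, Lock_tables_priv, Create_tmp_table_priv
FROM mysql.user
WHERE Show_db_priv = 'N'
  AND (Lock_tables_priv = 'Y' OR Create_tmp_table_priv = 'Y');

-- 2. Remove the global grants (user table) ...
REVOKE LOCK TABLES, CREATE TEMPORARY TABLES ON *.* FROM 'a'@'localhost';

-- 3. ... and grant them on the account's own database only (db table).
GRANT LOCK TABLES, CREATE TEMPORARY TABLES ON a.* TO 'a'@'localhost';

-- 4. Verify where the privileges now live.
SELECT Db, User, Host, Lock_tables_priv, Create_tmp_table_priv
FROM mysql.db
WHERE User = 'a';

SHOW GRANTS FOR 'a'@'localhost';

-- 5. Run as 'a': per the report, the expectation is that only the
--    account's own databases are listed, not every database on the server.
SHOW DATABASES;
```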