Bug #12638 Bypassing user rights on creating databases with test_ as starting word
Submitted: 18 Aug 2005 10:52 Modified: 18 Aug 2005 16:12
Reporter: Mikhail Yakovlev
Status: Not a Bug
Category: MySQL Server Severity: S1 (Critical)
Version: 4.0.x, 4.1.x, 5.0.x OS: Any (all)
Assigned to: CPU Architecture: Any

[18 Aug 2005 10:52] Mikhail Yakovlev
Description:
Users can create databases with names like test_something, test_etcetc, in other words anything starting with test_, without global rights to do that. It means users can bypass security mechanisms and fill databases with any data they like.

How to repeat:
Simply login as user and create any database with name test_something

Suggested fix:
Must be a bug.
[18 Aug 2005 10:55] Mikhail Yakovlev
mysql> create database something;
ERROR 1044: Access denied for user: 'testing@localhost' to database 'something'

mysql> create database test_something; 
Query OK, 1 row affected (0.00 sec)
[18 Aug 2005 12:59] MySQL Verification Team
Thank you for the bug report.

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5 to server version: 4.0.26-debug-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database something;
ERROR 1044: Access denied for user: 'testuser@localhost' to database 'something'

mysql> create database test_something; 
Query OK, 1 row affected (0.01 sec)

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5 to server version: 4.1.14-debug-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database something;
ERROR 1044 (42000): Access denied for user 'testuser'@'localhost' to database 'something'
mysql> create database test_something; 
Query OK, 1 row affected (0.00 sec)

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.12-beta-debug

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database something;
ERROR 1044 (42000): Access denied for user 'testuser'@'localhost' to database 'something'
mysql> create database test_something; 
Query OK, 1 row affected (0.00 sec)
[18 Aug 2005 16:12] MySQL Verification Team
This behavior is by design and documented in the Manual:

The mysql_install_db script creates the data directory, the mysql database that holds all database privileges, and the test database that you can use to test MySQL. The script also creates privilege table entries for root accounts and anonymous-user accounts. The accounts have no passwords initially. A description of their initial privileges is given in Section 2.9.3, “Securing the Initial MySQL Accounts”. Briefly, these privileges allow the MySQL root user to do anything, and allow anybody to create or use databases with a name of test or starting with test_.
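As an added example (not part of the bug report or of the manual text quoted above), the following SQL shows how an administrator can inspect and remove the default grant-table rows that make this behaviour possible. It assumes a session with SELECT and DELETE privileges on the mysql schema (for example root) and the mysql.db layout of the 4.x/5.0 grant tables.

```sql
-- Constructed example, not from the bug report: find and remove the
-- default grants that let every account use 'test' and 'test_%' databases.
-- Assumes a privileged session (e.g. root) on a 4.x/5.0 server.

-- 1. Show who is allowed into the test namespace through mysql.db.
--    A fresh mysql_install_db run leaves rows with Host='%' and User=''
--    (any user) for Db='test' and Db='test\_%'; the backslash makes the
--    underscore literal in the pattern match the grant tables apply.
SELECT Host, Db, User, Create_priv, Insert_priv, Drop_priv
FROM mysql.db
WHERE Db IN ('test', 'test\_%');

-- 2. Remove those rows if the server is not meant to offer a shared
--    scratch namespace to every account.
DELETE FROM mysql.db
WHERE Db = 'test' OR Db = 'test\_%';

-- 3. Reload the in-memory copy of the grant tables so the change takes
--    effect without a server restart.
FLUSH PRIVILEGES;

-- 4. Verify: this should now return no rows, and a non-privileged
--    account's CREATE DATABASE test_something should fail with
--    ERROR 1044 exactly like CREATE DATABASE something did above.
SELECT Host, Db, User
FROM mysql.db
WHERE Db LIKE 'test%';
```

Dropping the 'test' database itself is a separate step; removing the mysql.db rows only withdraws the blanket permission, it does not delete data already created under test_ names.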