Bug #22527 | User allowed to GRANT privileges without the WITH GRANT OPTION privilege | ||
---|---|---|---|
Submitted: | 20 Sep 2006 17:34 | Modified: | 20 Sep 2006 18:10 |
Reporter: | Tobias Asplund | Email Updates: | |
Status: | Not a Bug | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S2 (Serious) |
Version: | 5.0.24a | OS: | Mac OS X |
Assigned to: | | CPU Architecture: | Any |
[20 Sep 2006 17:34]
Tobias Asplund
[20 Sep 2006 18:10]
Sveta Smirnova
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://dev.mysql.com/doc/ and the instructions on how to report a bug at http://bugs.mysql.com/how-to-report.php

Below is a quote from http://dev.mysql.com/doc/refman/5.0/en/grant.html:

Be aware that when you grant a user the GRANT OPTION privilege at a particular privilege level, any privileges the user possesses (or may be given in the future) at that level can also be granted by that user to other users. Suppose that you grant a user the INSERT privilege on a database. If you then grant the SELECT privilege on the database and specify WITH GRANT OPTION, that user can give to other users not only the SELECT privilege, but also INSERT. If you then grant the UPDATE privilege to the user on the database, the user can grant INSERT, SELECT, and UPDATE.
[20 Sep 2006 18:31]
Tobias Asplund
If you look at my example you will see that it is not what the manual explains. I grant WITH GRANT OPTION on a database level, but it allows me to grant on a table level.
[23 Mar 2010 7:50]
Roel Van de Paar
The above analysis is correct. A clarification:

mysql> GRANT INSERT ON world.country to w2@localhost;
ERROR 1142 (42000): INSERT command denied to user 'w3'@'localhost' for table 'country'

The INSERT GRANT does not work since the table is different from the INSERT privilege the original user had.

mysql> GRANT INSERT ON world.city to w2@localhost;
Query OK, 0 rows affected (0.03 sec)

The INSERT GRANT does work since the user has the 'GRANT OPTION' and an INSERT privilege to this table. As such, the GRANT OPTION also includes (as per the manual) the right to GRANT the INSERT privilege to other users at this level (a specific table name).
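
The behaviour discussed in this thread, as an added example that is not part of the original report or of any comment above: a constructed setup that reproduces the two GRANT statements from the last comment, followed by an audit query that lists table-level privileges an account can pass on only because it holds GRANT OPTION at the database level. The original reproduction steps are not on the page, so the setup statements are assumptions; the account and table names are taken from the comments, and the audit query matches exact database names only (wildcard patterns in mysql.db are not expanded).

```sql
-- Constructed setup for a disposable test instance; run as an administrative
-- account. The exact statements from the original report are not on the page,
-- so this setup is an assumption that matches the comments in the thread.
CREATE USER 'w2'@'localhost';
CREATE USER 'w3'@'localhost';

-- w3 holds INSERT on a single table only ...
GRANT INSERT ON world.city TO 'w3'@'localhost';
-- ... and receives GRANT OPTION at the database level.
GRANT SELECT ON world.* TO 'w3'@'localhost' WITH GRANT OPTION;

-- Run as w3@localhost. Outcomes are the ones reported in the thread.
GRANT INSERT ON world.city TO 'w2'@'localhost';     -- succeeds: w3 holds INSERT on city
GRANT INSERT ON world.country TO 'w2'@'localhost';  -- ERROR 1142: w3 has no INSERT on country

-- Audit, run as an administrative account: table-level privileges that are
-- re-grantable solely through a database-level GRANT OPTION, that is, the
-- table-level row itself does not carry 'Grant'.
SELECT d.User,
       d.Host,
       d.Db,
       t.Table_name,
       t.Table_priv
FROM   mysql.db AS d
JOIN   mysql.tables_priv AS t
       ON  t.User = d.User
       AND t.Host = d.Host
       AND t.Db   = d.Db            -- exact names only; patterns are not expanded
WHERE  d.Grant_priv = 'Y'
  AND  t.Table_priv <> ''
  AND  FIND_IN_SET('Grant', t.Table_priv) = 0
ORDER  BY d.User, d.Host, d.Db, t.Table_name;
```

With the setup above, the audit query returns one row for w3@localhost on world.city with Table_priv containing Insert.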