Bug #22527 User allowed to GRANT privileges without the WITH GRANT OPTION privilege
Submitted: 20 Sep 2006 17:34 Modified: 20 Sep 2006 18:10
Reporter: Tobias Asplund Email Updates:
Status: Not a Bug Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S2 (Serious)
Version:5.0.24a OS:Max OS X
Assigned to: CPU Architecture:Any

[20 Sep 2006 17:34] Tobias Asplund 
Description:
User is allowed to give grants to other users despite not having WITH GRANT OPTION given for this privilege:

root@localhost:(none)> CREATE USER w3@localhost;
Query OK, 0 rows affected (0.01 sec)

root@localhost:(none)> GRANT SELECT ON world.* TO w3@localhost;
Query OK, 0 rows affected (0.00 sec)

root@localhost:(none)> GRANT SELECT ON world.* TO w3@localhost WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)

root@localhost:(none)> GRANT INSERT ON world.City TO w3@localhost;
Query OK, 0 rows affected (0.00 sec)

root@localhost:(none)> exit
Bye
flupps:~ flupps$ mysql -u w3
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 113 to server version: 5.0.24a-max-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

w3@localhost:(none)> GRANT INSERT ON world.City to w2@localhost;
Query OK, 0 rows affected (0.00 sec)

w3@localhost:(none)> SHOW GRANTS;
+-----------------------------------------------------------------+
| Grants for w3@localhost                                         |
+-----------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'w3'@'localhost'                          | 
| GRANT SELECT ON `world`.* TO 'w3'@'localhost' WITH GRANT OPTION | 
| GRANT INSERT ON `world`.`city` TO 'w3'@'localhost'              | 
+-----------------------------------------------------------------+
3 rows in set (0.00 sec)

w3@localhost:(none)>

How to repeat:
(Using the world database from the documentation pages)

CREATE USER w3@localhost;

GRANT SELECT ON world.* TO w3@localhost WITH GRANT OPTION;

GRANT INSERT ON world.City TO w3@localhost;

exit

mysql -u w3

GRANT INSERT ON world.City to w2@localhost;

SHOW GRANTS;
[20 Sep 2006 18:10] Sveta Smirnova 
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://dev.mysql.com/doc/ and the instructions on
how to report a bug at http://bugs.mysql.com/how-to-report.php

Below is quote from http://dev.mysql.com/doc/refman/5.0/en/grant.html:

 Be aware that when you grant a user the GRANT OPTION privilege at a particular privilege level, any privileges the user possesses (or may be given in the future) at that level can also be granted by that user to other users. Suppose that you grant a user the INSERT privilege on a database. If you then grant the SELECT privilege on the database and specify WITH GRANT OPTION, that user can give to other users not only the SELECT  privilege, but also INSERT. If you then grant the UPDATE privilege to the user on the database, the user can grant INSERT, SELECT, and UPDATE.
[20 Sep 2006 18:31] Tobias Asplund 
If you look at my example you will see that it is not what the manual explains.

I grant WITH GRANT OPTION on a database level, but it allows me to grant on a table level.
[23 Mar 2010 7:50] Roel Van de Paar 
The above analysis is correct. A clarification:

mysql> GRANT INSERT ON world.country to w2@localhost;
ERROR 1142 (42000): INSERT command denied to user 'w3'@'localhost' for table 'country'

The INSERT GRANT does not work since the table is different from the INSERT privilege the original user had.

mysql> GRANT INSERT ON world.city to w2@localhost;
Query OK, 0 rows affected (0.03 sec)

The INSERT GRANT does work since the user has the 'GRANT OPTION' and an INSERT privilege to this table. As such, the GRANT OPTION also includes (as per the manual) the right to GRANT the INSERT privilege to other users at this level (a specific table name).