Bug #32710 SHOW INNODB STATUS requires SUPER
Submitted: 26 Nov 2007 10:24
Modified: 11 Feb 2008 20:41
Reporter: Sergei Golubchik
Status: Closed
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 5.1
OS: Any
Assigned to: Davi Arnaut
CPU Architecture: Any

[26 Nov 2007 10:24] Sergei Golubchik
Description:
SHOW INNODB STATUS requires SUPER privilege. It should require PROCESS.
SUPER is a super-privilege that allows one to take over the server completely, do absolutely anything. PROCESS is the monitoring privilege, used by SHOW commands, like SHOW PROCESSLIST.

How to repeat:
  case SQLCOM_SHOW_ENGINE_STATUS:
    {
      if (check_global_access(thd, SUPER_ACL))
[30 Nov 2007 13:47] Peter Laursen
Same seems to apply to "SHOW MUTEX STATUS"

show mutex status;
-- Error Code : 1227
-- Access denied; you need the SUPER privilege for this operation

show grants for 'mutex'@'localhost';
-- GRANT PROCESS ON *.* TO 'mutex'@'localhost'
[27 Dec 2007 20:44] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/40439

ChangeSet@1.2654, 2007-12-27 15:43:51-05:00, dkatz@damien-katzs-computer.local +3 -0
  Bug #32710: SHOW INNODB STATUS requires SUPER
  
  Changed "SHOW ENGINE ... STATUS" and "SHOW ENGINE ... MUTEX" to require the PROCESS permission, instead of SUPER.
[28 Dec 2007 9:06] Domas Mituzas
The fix should not disallow SUPER access, for backwards compatibility?
[5 Feb 2008 12:04] Konstantin Osipov
Davi, please consider taking over this bug.
[6 Feb 2008 13:20] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41775

ChangeSet@1.2520, 2008-02-06 11:20:15-02:00, davi@mysql.com +3 -0
  Bug#32710: SHOW INNODB STATUS requires SUPER
  
  Changed "SHOW ENGINE ... STATUS" and "SHOW ENGINE ... MUTEX"
  to require the PROCESS privilege, instead of SUPER.
  
  Fixed by Damien Katz
[6 Feb 2008 13:22] Davi Arnaut
Pushed in 5.1-runtime
[11 Feb 2008 16:23] Bugs System
Pushed into 5.1.24-rc
[11 Feb 2008 16:26] Bugs System
Pushed into 6.0.5-alpha
[11 Feb 2008 20:41] Paul Dubois
Noted in 5.1.24, 6.0.5 changelogs.

The SHOW ENGINE INNODB STATUS and SHOW ENGINE INNODB MUTEX statements
incorrectly required the SUPER privilege rather than the PROCESS
privilege.
[6 Mar 2008 13:44] Jon Stephens
Also documented for 5.1.23-ndb-6.2.14.
[31 Mar 2008 19:25] Jon Stephens
Also noted in 5.1.23-ndb-6.3.11 changelog.
[12 Nov 2008 1:28] Oleg Chebotarev
Shouldn't it be pushed to 5.0?
Oleg&Max Chebotarev
[27 Feb 2009 22:38] Narayan Newton
This is extremely annoying and would be a nice backport to 5.0. 

Having to grant super to a user that should be a straight r/o user for automated monitoring is a huge security concern for us and our clients.

-N
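
An added example, not part of the bug thread or of MySQL's code: on a server that has the fix, a monitoring account needs PROCESS rather than SUPER, so SHOW GRANTS output can be audited for monitoring accounts still holding broader global privileges. The function names, the allowlist and every sample line except the 'mutex'@'localhost' grant quoted above are assumptions constructed for illustration.

```python
import re

# Matches global-scope lines as printed by SHOW GRANTS, e.g.
#   GRANT PROCESS ON *.* TO 'mutex'@'localhost'
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+\*\.\*\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)

# Assumption for this example: global privileges a read-only monitoring
# account may hold. Anything else (SUPER, ALL PRIVILEGES, ...) is flagged.
MONITORING_ALLOWED = {"USAGE", "PROCESS", "REPLICATION CLIENT"}


def parse_global_grants(lines):
    """Return {account: set(privileges)} for ON *.* grants only."""
    grants = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # database/table-level grants are out of scope here
        account = f"{m['user']}@{m['host']}"
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        grants.setdefault(account, set()).update(privs)
    return grants


def audit_monitoring_accounts(lines, monitoring_accounts):
    """Flag monitoring accounts whose global grants exceed the allowlist."""
    grants = parse_global_grants(lines)
    findings = {}
    for account in monitoring_accounts:
        excess = grants.get(account, set()) - MONITORING_ALLOWED
        if excess:
            findings[account] = sorted(excess)
    return findings


# Constructed sample: the first line is the grant quoted in the thread,
# the remaining lines are invented for this example.
SAMPLE = [
    "GRANT PROCESS ON *.* TO 'mutex'@'localhost'",
    "GRANT SUPER, PROCESS ON *.* TO 'nagios'@'10.0.0.5' IDENTIFIED BY PASSWORD '*CONSTRUCTED'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT ON `app`.* TO 'nagios'@'10.0.0.5'",
]

if __name__ == "__main__":
    print(audit_monitoring_accounts(SAMPLE, ["mutex@localhost", "nagios@10.0.0.5"]))
```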