Bug #32826 Privileges: I can CREATE ... LIKE without SELECT privilege
Submitted: 28 Nov 2007 19:58 Modified: 30 Nov 2007 15:58
Reporter: Peter Gulutzan Email Updates:
Status: Duplicate Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S3 (Non-critical)
Version:6.0.4-alpha-debug OS:Any
Assigned to: CPU Architecture:Any

[28 Nov 2007 19:58] Peter Gulutzan 
Description:
The MySQL Reference Manual
http://dev.mysql.com/doc/refman/6.0/en/create-table.html
says, re CREATE TABLE ... (LIKE old_table_name):
"The SELECT  privilege is required on the original table."
That is standard.

But MySQL allows me to create with INSERT privilege
instead of SELECT privilege.

How to repeat:
As user root, say:

CREATE DATABASE dd;
USE dd
CREATE TABLE d_1 (s1 INT);
GRANT INSERT ON d_1 TO joe@localhost;

As user joe@localhost, say:

USE dd
CREATE TABLE test.d_1 (LIKE d_1);
[28 Nov 2007 20:28] Valeriy Kravchuk 
Thank you for a problem report. Verified just as described.
[30 Nov 2007 11:03] Sergei Golubchik 
This is a consequence of the bug#27145
[30 Nov 2007 11:09] Dmitry Lenev 
Just to clarify. CREATE TABLE ... LIKE requires the same privileges as SHOW CREATE TABLE and this is intended behavior. Unfortunately privilege check used in both these statements is affected by the bug mentioned above.