Bug #343 mysqld never uses the REPLICATION CLIENT privilege
Submitted: 29 Apr 2003 7:24
Modified: 5 Nov 2003 14:46
Reporter: Guilhem Bichot
Status: Closed
Category: MySQL Server: Replication
Severity: S3 (Non-critical)
Version: 4.0
OS: Any (all)
Assigned to: Guilhem Bichot
CPU Architecture: Any

[29 Apr 2003 7:24] Guilhem Bichot
Description:
The manual says:
REPLICATION CLIENT 	 Gives the right to the user to ask where the slaves/masters are.
REPLICATION SLAVE 	Needed for the replication slaves (to read binlogs from master).

But currently
SHOW NEW MASTER needs REPLICATION SLAVE
SHOW SLAVE HOSTS idem
SHOW BINLOG EVENTS idem
SHOW SLAVE STATUS needs SUPER
SHOW MASTER STATUS needs SUPER
And no command needs REPLICATION CLIENT (it's an unused privilege).

Probably some cut-paste error in code?

I propose to change this in 4.1.1:
all these commands should require REPLICATION CLIENT and only this privilege.
And REPLICATION SLAVE should be reserved for the slave to ask the master for its binlogs.

How to repeat:
Create a user:
GRANT REPLICATION CLIENT ON *.* TO 'a'@'localhost';

Log in as 'a' and do SHOW SLAVE STATUS.
[29 Apr 2003 7:33] Guilhem Bichot
Or rather SHOW BINLOG EVENTS should require REPLICATION SLAVE,
because doing this command reads the binlog.
[29 Apr 2003 14:16] Guilhem Bichot
- SHOW NEW MASTER needs REPLICATION SLAVE because it reads the slave's binlogs.
- SHOW SLAVE HOSTS should need REPLICATION CLIENT (as it's just asking for info), but the slave sends this command when it connects to the master, and we say the slave user must be given REPLICATION SLAVE, so it's understandable why REPLICATION SLAVE is required.
- SHOW BINLOG EVENTS needs REPLICATION SLAVE, this is normal as it's reading binlogs.

Still:
- SHOW SLAVE STATUS needs SUPER and should instead need REPLICATION CLIENT,
because it's just information and that's the purpose of this privilege.
- SHOW MASTER STATUS idem.
I will now send a patch.
[13 May 2003 14:19] Guilhem Bichot
Thank you for your bug report. This issue has been fixed in the latest
development tree for that product. You can find more information about
accessing our development trees at 
    http://www.mysql.com/doc/en/Installing_source_tree.html

Fixed in 4.0.13 (csets 1.1485 1.1481.3.1)
[5 Nov 2003 14:11] Rick James
It seems unreasonable that SHOW PROCESSLIST and KILL should be covered by the same privilege. One is read-only (albeit snoopy); the other is destructive.
[5 Nov 2003 14:46] Guilhem Bichot
Hi,

SHOW PROCESSLIST and KILL do require different privileges. Our manual says
"You can always display or kill your own threads, but you need the PROCESS privilege to display and SUPER privilege to kill threads initiated by other users."
at http://www.mysql.com/doc/en/Privileges_provided.html

Regards,
Guilhem
[18 Oct 2005 19:43] Heloisa Gemin
Hi,

I'm trying to use this privilege "Replication Client" on MySQL 4.1.14-Max-log, and I still get this error message: "ERROR 1227: Access denied; you need SUPER, REPLICATION CLIENT privilege for this operation". I'm trying to issue a SHOW SLAVE STATUS, but I have only the REPLICATION CLIENT privilege. I saw that you would send a patch for this problem. Could you let me know in which version it was done?

Thanks.
[18 Oct 2005 19:50] Heloisa Gemin
Hi,

the privilege is working correctly, the problem was that my client was opened when I changed the privilege schema.

Thanks and sorry.
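
Added example, not part of the original thread or of MySQL's code: a least-privilege audit that applies the statement-to-privilege mapping discussed above to SHOW GRANTS output, so that a monitoring account holding SUPER only to read replication status is flagged for REPLICATION CLIENT instead. The function names, account names and sample grant lines are constructed for illustration.

```python
import re

# Privilege each statement should require, as stated in this thread.
REQUIRED = {
    "SHOW SLAVE STATUS": "REPLICATION CLIENT",
    "SHOW MASTER STATUS": "REPLICATION CLIENT",
    "SHOW SLAVE HOSTS": "REPLICATION SLAVE",
    "SHOW NEW MASTER": "REPLICATION SLAVE",
    "SHOW BINLOG EVENTS": "REPLICATION SLAVE",
    "SHOW PROCESSLIST": "PROCESS",  # to display other users' threads
    "KILL": "SUPER",                # to kill other users' threads
}

# Only global grants (ON *.*) matter here: all of the above are global privileges.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+\*\.\*\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)

def parse_global_grants(lines):
    """Map 'user@host' to the set of global privileges found in SHOW GRANTS lines."""
    grants = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # database/table-level grant, or not a GRANT line
        account = f"{m['user']}@{m['host']}"
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        grants.setdefault(account, set()).update(privs)
    return grants

def audit(granted, statements):
    """Return (to_grant, to_revoke) so the account holds exactly what its statements need."""
    needed = {REQUIRED[s] for s in statements}
    return needed - granted, granted - needed - {"USAGE"}

# Constructed SHOW GRANTS output (hypothetical accounts).
SAMPLE_GRANTS = [
    "GRANT SUPER ON *.* TO 'monitor'@'localhost'",
    "GRANT REPLICATION CLIENT ON *.* TO 'a'@'localhost'",
    "GRANT REPLICATION SLAVE ON *.* TO 'repl'@'10.0.0.%'",
    "GRANT SELECT ON `app`.* TO 'a'@'localhost'",
]

if __name__ == "__main__":
    g = parse_global_grants(SAMPLE_GRANTS)
    print(audit(g["monitor@localhost"], ["SHOW SLAVE STATUS", "SHOW MASTER STATUS"]))
```

After changing an account's grants, reconnect before re-testing, as the last comment in the thread found.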