Bug #39779 Be able to see results of GRANT with minimal permissions
Submitted: 1 Oct 2008 15:31 Modified: 7 Oct 2008 14:22
Reporter: Andrii Nikitin Email Updates:
Status: Won't fix Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S4 (Feature request)
Version: OS:Any
Assigned to: CPU Architecture:Any

[1 Oct 2008 15:31] Andrii Nikitin 
Description:
Users created using WITH GRANT OPTION cannot see results of their work with minimal permissions. 

I.e. if user is able to give permissions for columns of TABLE1, there is no easy way for them to see which permissions currently granted for that table: if they are granted SELECT access to table mysql.columns_priv they will see permissions for ALL tables, not just TABLE1.*

As workaround root user may create a view 
SELECT * FROM mysql.columns_priv WHERE table_name='TABLE1'
and it will solve the problem, but this brings a lot of additional work so users wish to have this feature implemented in core.

This is related to all objects (schema,table,column,routine,...)

I understand that this issue will not be addressed for some time but it is better such feature request to be logged.

How to repeat:
see description

Suggested fix:
INFORMATION_SCHEMA.%_PRIVILEGES tables also return information about objects which current user has WITH GRANT OPTION privileges for.

(currently it returns only objects which user has permission or all objects if user has select privilege for "mysql" database)

E.g. if user has WITH GRANT OPTION privilege for table TABLE1

select * from INFORMATION_SCHEMA.columns_priv

should return all rows WHERE TABLE_NAME='TABLE1' (and TABLE_SCHEMA=...)
[7 Oct 2008 14:22] Sergei Golubchik 
We won't do it. There's no reason why GRANT OPTION should allow a user to see others' privileges.
[7 Oct 2008 15:55] Simon Mudd 
You seem to have hidden my previous comment.

You say that you won't allow a user to see other user's grants. That's fair enough but it's very inconvenient that current MySQL grants may allow you to grant or revoke (I assume) rights but then not be able to verify those grants.

That is very painful for the user provided WITH GRANT OPTION who has no access to the "system" mysql database. The solution provided by MySQL support (provide SELECT access to the whole mysql database) is for me very uncomfortable from a security perspective as it completely opens the access to the server, and this may not be appropriate.

So my basic comment is the MySQL grants need some work if you want them to be convenient and secure.
[7 Oct 2008 15:55] Andrii Nikitin 
It shouldn't. But that sometimes is desirable.
It was request to simplify work for Administrator who wants to allow users see what they can GRANT and REVOKE (and only that - do not let them see all permissions for all databases). 
I agree that it is not highest priority, just want proper argumentation.
[7 Oct 2008 16:06] Sergei Golubchik 
Simon, I haven't hidden your previous comment - you made it in a different bug report.

As for SELECT access to the whole mysql database - you're right, it's for the DBA, not for a user, thus it's not fine-grained.