Bug #45713 Privileges needed to view SHOW GLOBAL VARIABLES not specified
Submitted: 24 Jun 2009 15:36    Modified: 26 Jun 2009 17:38
Reporter: Roger David Nay
Status: Closed
Category: MySQL Server: Documentation    Severity: S4 (Feature request)
Version: Any    OS: Any
Assigned to: Paul DuBois    CPU Architecture: Any

[24 Jun 2009 15:36] Roger David Nay
Description:
It appears that anyone can see both LOCAL and GLOBAL variables and simple USAGE privilege is enough to see this. This does not appear anywhere in the manual.

How to repeat:
Create a user with just USAGE privileges and issue a SHOW GLOBAL VARIABLES.

Suggested fix:
I'd like to request that you explicitly mention that if you can access the server then you can access the SHOW VARIABLE information both for LOCAL variables and GLOBAL variables.

[24 Jun 2009 17:38] Valeriy Kravchuk
Thank you for the feature request. I think http://dev.mysql.com/doc/refman/5.1/en/show-variables.html and corresponding manual pages for other versions should really mention that only USAGE privilege is needed to execute SHOW GLOBAL VARIABLES (and SHOW GLOBAL STATUS).

[26 Jun 2009 17:32] Paul DuBois
Strictly speaking, these statements do not require the USAGE "privilege" because there is no such privilege. USAGE is a designator for "no privileges." So the statements do not require any particular privilege, only the ability to connect to the server.

[26 Jun 2009 17:38] Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly, and will be included in the next release of the relevant products.