Bug #49346 | Privilege on routines gives access to SHOW CREATE TABLE | | |
---|---|---|---|
Submitted: | 2 Dec 2009 12:57 | Modified: | 14 Dec 2009 18:24 |
Reporter: | Vemund Østgaard | | |
Status: | Not a Bug | | |
Category: | MySQL Server: Security: Privileges | Severity: | S3 (Non-critical) |
Version: | 5.5.0, mysql-next-mr | OS: | Any |
Assigned to: | Kristofer Pettersson | CPU Architecture: | Any |
[2 Dec 2009 12:57]
Vemund Østgaard
[3 Dec 2009 8:10]
Sveta Smirnova
Thank you for the report. Verified as described. Version 5.1 is not affected. Test case to repeat the problem:

```
create database db1;
use db1;
create table t1(f1 int);
GRANT ALTER ROUTINE ON *.* TO 'testuser'@'localhost' WITH GRANT OPTION;
connect (addconroot, localhost, testuser,,);
connection addconroot;
use db1;
show create table t1;
show tables;
```
[7 Dec 2009 7:46]
Kristofer Pettersson
Thoughts: 'WITH GRANT OPTION' should apply to all objects in this case. The GRANT privilege is part of the requirement for SHOW CREATE TABLE, and anyone with this privilege is able to execute the statement. Maybe it isn't a bug after all?
[7 Dec 2009 20:28]
Kristofer Pettersson
PeterG says GRANT OPTION should not be part of the requirements list for SHOW CREATE TABLE. Grabbing this.
[14 Dec 2009 18:45]
Peter Laursen
But 5.1 and 5.5 are inconsistent in this respect, I understand!? Is this difference documented (at least)? This closure is a bureaucratic gesture and sheer laziness simply!
[14 Dec 2009 19:12]
Alexander Nozdrin
GRANT OPTION is a table privilege (because of documentation and because it can be granted on a table). So if a user has GRANT OPTION on all objects in a database, that privilege is applicable to tables, and therefore SHOW CREATE TABLE is possible.
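
An audit for the condition discussed in this thread, added here as an example (it is not part of the bug report or of MySQL's own code): it lists accounts whose only route to table definitions is GRANT OPTION, then removes that route for the test-case account. It assumes an administrative session that can read all rows of `information_schema`; the list of table-level privilege names is the standard MySQL set.

```sql
-- 1. Global scope: accounts holding GRANT OPTION on *.* but no table
--    privilege of their own. Per the thread, GRANT OPTION alone is enough
--    for SHOW CREATE TABLE, so these accounts can read every table definition.
SELECT GRANTEE,
       GROUP_CONCAT(PRIVILEGE_TYPE ORDER BY PRIVILEGE_TYPE) AS global_privileges
FROM information_schema.USER_PRIVILEGES
GROUP BY GRANTEE
HAVING SUM(IS_GRANTABLE = 'YES') > 0
   AND SUM(PRIVILEGE_TYPE IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE',
                              'CREATE', 'DROP', 'REFERENCES', 'INDEX',
                              'ALTER', 'CREATE VIEW', 'SHOW VIEW',
                              'TRIGGER')) = 0;

-- 2. Database scope: the same pattern for grants of the form
--    GRANT ... ON db.* ... WITH GRANT OPTION.
SELECT GRANTEE,
       TABLE_SCHEMA,
       GROUP_CONCAT(PRIVILEGE_TYPE ORDER BY PRIVILEGE_TYPE) AS schema_privileges
FROM information_schema.SCHEMA_PRIVILEGES
GROUP BY GRANTEE, TABLE_SCHEMA
HAVING SUM(IS_GRANTABLE = 'YES') > 0
   AND SUM(PRIVILEGE_TYPE IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE',
                              'CREATE', 'DROP', 'REFERENCES', 'INDEX',
                              'ALTER', 'CREATE VIEW', 'SHOW VIEW',
                              'TRIGGER')) = 0;

-- 3. For the account from the test case: keep ALTER ROUTINE but drop
--    GRANT OPTION, then confirm what remains.
REVOKE GRANT OPTION ON *.* FROM 'testuser'@'localhost';
SHOW GRANTS FOR 'testuser'@'localhost';
```

After step 3, the test case's `show create table t1` run as `testuser` should be denied, because ALTER ROUTINE by itself is not a table privilege.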