Bug #5470 drop user doesn't drop privileges
Submitted: 8 Sep 2004 13:47
Modified: 26 Jan 2011 18:02
Reporter: [ name withheld ]
Status: Closed
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 4.1.4
OS: Linux (linux)
Assigned to:
CPU Architecture: Any

[8 Sep 2004 13:47] [ name withheld ]
Description:
"drop user" does not revoke privileges

How to repeat:
try dropping a user still having privileges set...

Suggested fix:
- drop user command should always revoke all privileges associated with that user. 
- maybe use an option to keep privileges (but drop by default)
[20 Jan 2011 10:30] Sveta Smirnova
Bug #59609 and bug #36544 were marked as duplicates of this one.
[20 Jan 2011 15:51] Guilhem Bichot
I question the category "feature request". REVOKE takes effect immediately, I can't see why DROP USER (which logically should be a stronger version of REVOKE) does not. And BUG#59609 explains how a new user can get the privileges of an old, dropped user, which sounds like a real bug, on the verge of security ones...
[26 Jan 2011 18:02] Dmitry Lenev
Hello Sveta!

The original problem described in this report was solved in the 5.0 version of the server, i.e. starting from 5.0.2 DROP USER removes both the account and the privileges of the user in the general case. See http://dev.mysql.com/doc/refman/5.0/en/drop-user.html.

Unfortunately due to bugs this doesn't happen in a few cases which are described in bug #59609 and bug #36544. But these are separate issues which are going to be fixed and tracked separately.

I am closing this feature request since what was originally requested was implemented/the problem originally reported was solved in 5.0.
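
Added example, not part of the original bug thread or of MySQL's own code: a read-only audit query for the condition discussed above, where privilege rows outlive the account they were granted to. It assumes the standard grant tables mysql.user, mysql.db, mysql.tables_priv and mysql.columns_priv and SELECT access to the mysql schema; the output column aliases are chosen here for illustration.

```sql
-- List grant-table rows whose (User, Host) pair has no matching account row
-- in mysql.user. Such rows are privileges left behind after an account was
-- removed; they would apply again to any account later created with the
-- same user name and host.
-- LEFT JOIN ... IS NULL is used instead of NOT EXISTS so the query does not
-- depend on subquery support.
-- Rows with an empty User belong to anonymous-account grants and need to be
-- reviewed separately rather than treated as leftovers.
SELECT 'db' AS grant_table,
       d.User AS grantee_user,
       d.Host AS grantee_host,
       d.Db   AS db_name,
       NULL   AS object_name
FROM mysql.db AS d
LEFT JOIN mysql.user AS u
       ON u.User = d.User AND u.Host = d.Host
WHERE u.User IS NULL

UNION ALL

SELECT 'tables_priv', t.User, t.Host, t.Db, t.Table_name
FROM mysql.tables_priv AS t
LEFT JOIN mysql.user AS u
       ON u.User = t.User AND u.Host = t.Host
WHERE u.User IS NULL

UNION ALL

SELECT 'columns_priv', c.User, c.Host, c.Db,
       CONCAT(c.Table_name, '.', c.Column_name)
FROM mysql.columns_priv AS c
LEFT JOIN mysql.user AS u
       ON u.User = c.User AND u.Host = c.Host
WHERE u.User IS NULL;
```

An empty result means no leftover rows in these three tables. If rows are removed by editing the grant tables directly, FLUSH PRIVILEGES is needed before the server stops honouring them.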