Bug #58166 PROXY_PRIV not fully implemented
Submitted: 12 Nov 2010 17:52 Modified: 12 Nov 2010 18:14
Reporter: Peter Laursen (Basic Quality Contributor)
Status: Not a Bug
Category:MySQL Server: Security: Privileges Severity:S3 (Non-critical)
Version:5.5.7 OS:Any
Assigned to: CPU Architecture:Any
Tags: qc

[12 Nov 2010 17:52] Peter Laursen
Description:
Created with reference to http://bugs.mysql.com/bug.php?id=57923

Updated docs say "A special PROXY privilege is needed to enable an external authentication account to connect as another user. To grant it, use the GRANT statement. For example: 
GRANT PROXY ON 'proxied_user' TO 'proxy_user';"

How to repeat:
1)

CREATE USER 'boev'@'%';

GRANT  ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TABLESPACE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, FILE, INDEX, INSERT, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SELECT, SHOW DATABASES, SHOW VIEW, SHUTDOWN, SUPER, TRIGGER, UPDATE ON  *.* TO 'boev'@'%' WITH GRANT OPTION;
-- note PROXY not specified

SHOW GRANTS FOR 'boev'@'%';
/* returns
GRANT ALL PRIVILEGES ON *.* TO 'boev'@'%' WITH GRANT OPTION*/

2)

CREATE USER 'buev'@'%';

GRANT  ALL ON  *.* TO 'buev'@'%' WITH GRANT OPTION;

SHOW GRANTS FOR 'boev'@'%';
/* returns
GRANT ALL PRIVILEGES ON *.* TO 'boev'@'%' WITH GRANT OPTION
but */

SELECT * FROM `mysql`.`procs_priv` WHERE USER = 'buev'; -- empty set

Suggested fix:
Maybe intentional that 'ALL' does not include PROXY? I do not think it is consistent. Also I do not find it documented.
[12 Nov 2010 17:59] Paul DuBois
http://dev.mysql.com/doc/refman/5.5/en/grant.html

"In GRANT statements, the ALL [PRIVILEGES] or PROXY privilege must be named by itself and cannot be specified along with other privileges. ALL [PRIVILEGES] stands for all privileges available for the level at which privileges are to be granted except for the GRANT OPTION and PROXY privileges."

"When PROXY is granted, it must be the only privilege named in the GRANT statement"

"For the global, database, table, and routine levels, GRANT ALL assigns only the privileges that exist at the level you are granting. For example, GRANT ALL ON db_name.* is a database-level statement, so it does not grant any global-only privileges such as FILE. Granting ALL does not assign the PROXY privilege."
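The documented behaviour above, shown as an added example (not part of the bug report or the MySQL manual): GRANT ALL leaves mysql.proxies_priv empty, PROXY has to be granted in its own statement, and the same table is where an administrator audits who may impersonate whom. The account names 'app_admin' and 'svc_user' are placeholders.

```sql
-- Added example; account names are placeholders chosen for this demo.
CREATE USER 'app_admin'@'localhost';
CREATE USER 'svc_user'@'localhost';

-- ALL PRIVILEGES covers everything at the global level except GRANT OPTION and PROXY
GRANT ALL ON *.* TO 'app_admin'@'localhost' WITH GRANT OPTION;

-- proxies_priv (not procs_priv) is the table that records PROXY grants; expect no row here
SELECT Host, User, Proxied_host, Proxied_user, With_grant
  FROM mysql.proxies_priv
 WHERE User = 'app_admin';

-- PROXY must be the only privilege named in its GRANT statement
GRANT PROXY ON 'svc_user'@'localhost' TO 'app_admin'@'localhost';

-- Now the row exists, and SHOW GRANTS prints a separate "GRANT PROXY ON ..." line
SELECT Host, User, Proxied_host, Proxied_user, With_grant
  FROM mysql.proxies_priv
 WHERE User = 'app_admin';
SHOW GRANTS FOR 'app_admin'@'localhost';

-- Audit query: every account that can connect as another one, including any
-- rows created by the default installation
SELECT User, Host, Proxied_user, Proxied_host, With_grant
  FROM mysql.proxies_priv
 ORDER BY User, Host;
```

Because SHOW GRANTS for an account with ALL PRIVILEGES says nothing about PROXY unless it was granted separately, the proxies_priv query is the reliable check when reviewing who can impersonate other accounts.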
[12 Nov 2010 18:14] Peter Laursen
Ok .. closing as 'not a bug'.  The implementation is reasonable and documentation as well.