Bug #6125 Different behaviour by windows account ( admin vs. poweruser )
Submitted: 16 Oct 2004 7:55 Modified: 18 Jul 2006 17:01
Reporter: Jaroslav Uher
Status: Closed
Category: MySQL Administrator Severity: S2 (Serious)
Version: 1.0.13 OS: Windows (Windows NT SP6)
Assigned to: Michael G. Zinner CPU Architecture:Any
Tags: Generic

[16 Oct 2004 7:55] Jaroslav Uher
Description:
I have MySQL Administrator and MySQL QueryBrowser installed under the admin account. For this account everything works well.

When I log in under my standard Windows account (power user with rights to manage services) I see these differences:

in MA:
- 'server status' in section 'service control' is greyed out (no service selected)
- in the 'server log' section the error log is greyed out (! slow log is visible) although they are defined in my.ini and correctly displayed in startup variables
- launching QueryBrowser in 'Tools' is disabled

in MsysTray:
- MySQL SystemTray did not find any mysql service (one installed - standard MySQL)
- launching QueryBrowser is disabled

How to repeat:
log in windows as admin
install Administrator & QueryBrowser
log out
log in under user account
start MySQL administrator -> Service Control section is greyed out
[21 Oct 2004 13:39] Michael G. Zinner
MA needs to access the installed services, which are not accessible by a "regular" user. This will not be fixed.

The System Tray Monitor application just needs to read the services. I will check if I can reduce the privileges needed to do only a query of the services.
[1 Feb 2005 11:38] Andreas Reidies
I can reproduce that behaviour and after logging out what kind of registry access the tray monitor does (using the regmon tool from sysinternals) I found that it requires FULL_ACCESS not only to the service node (HKLM\System\CurrentControlSet\Services\MySQL) BUT also to the root of the services node (HKLM\System\CurrentControlSet\Services).

As I understand that FULL_ACCESS to HKLM\System\CurrentControlSet\Services\<MySQL-ServiceName> is REQUIRED, I don't understand the other one. Normally a QUERY_SUBFOLDERS and QUERY_VALUE should have been enough!

A possible solution is:

* create a separate USER-GROUP (e.g. MySQL-Admins) and add your "normal" user account (could be PowerUser or User) to it

* open the registry with administrative rights and add the FULL CONTROL to the reg-key HKLM\System\CurrentControlSet\Services\<MySQL-ServiceName> for this generated group (take into account that regedit will automatically add the access rights for this folder and all subfolders)

* add the FULL CONTROL to the reg-key HKLM\System\CurrentControlSet\Services for your group and take care to give that access right ONLY TO THIS FOLDER (see Advanced options)

* add the FULL CONTROL to the reg-key HKLM\Software\MySQL AB (even here: normal READ ACCESS and ENUM_VALUES should be enough for working within a normal user account)

After LogOff / On again your normal user will have access to the service instance as usual.

To change the instance configuration you will also have write access to the INI file for your MySQL service - take care to allow write and modify rights for group MySQL-Admins for this file also.

Btw: I took a look into the sources for MySQL Admin / Querybrowser but as I don't own Delphi nor have any experience with Delphi programming / libraries (I use VC++ all the time) I'm unable to add a fix for this - but I hope my description clears up those things a little bit.

Best regards
andi
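
Added example, not part of the original thread or the MySQL sources: a PowerShell check to run after applying the workaround in the comment above. It lists what the group's ACEs on the three registry keys allow and whether the entry on the Services root is limited to that key. The group name `MySQL-Admins` and service name `MySQL` are the thread's examples; the registry paths are the ones the comment names.

```powershell
# Added example: audit the registry ACEs granted by the workaround.
# Assumptions: group 'MySQL-Admins' and service 'MySQL' (the thread's examples).
param(
    [string]$Group       = 'MySQL-Admins',
    [string]$ServiceName = 'MySQL'
)

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$keys = @(
    $servicesRoot,
    "$servicesRoot\$ServiceName",
    'HKLM:\SOFTWARE\MySQL AB'
)

# Rights that let a principal change a key or its ACL.
$writeBits = 0
foreach ($name in 'SetValue', 'CreateSubKey', 'Delete', 'ChangePermissions', 'TakeOwnership') {
    $writeBits = $writeBits -bor [int][System.Security.AccessControl.RegistryRights]::$name
}
# ACEs can also carry unmapped generic rights: GENERIC_WRITE, GENERIC_ALL.
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

$report = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { Write-Warning "Key not found: $key"; continue }
    foreach ($ace in (Get-Acl -LiteralPath $key).Access) {
        # Match DOMAIN\Group or MACHINE\Group.
        if ($ace.IdentityReference.Value -notlike "*\$Group") { continue }
        [pscustomobject]@{
            Key         = $key
            Type        = $ace.AccessControlType
            Rights      = $ace.RegistryRights
            CanWrite    = ($ace.AccessControlType -eq 'Allow') -and
                          (([int]$ace.RegistryRights -band $writeBits) -ne 0)
            Inherited   = $ace.IsInherited
            ThisKeyOnly = ($ace.InheritanceFlags -eq 'None')
        }
    }
}
$report | Format-Table -AutoSize

# The comment asks for the Services-root grant to apply to that key only.
# An inheritable write ACE there reaches the keys of every installed service.
$propagating = $report | Where-Object {
    $_.Key -eq $servicesRoot -and $_.CanWrite -and -not $_.ThisKeyOnly
}
if ($propagating) {
    Write-Warning "Write access for '$Group' on the Services root is inherited by all service subkeys."
}
```

Reading an ACL with `Get-Acl` changes nothing; an empty table means the group has no explicit or inherited entry on those keys.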
[18 Jul 2006 17:01] Michael G. Zinner
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://www.mysql.com/doc/en/Installing_source_tree.html