Bug #61623 WITH GRANT OPTION does not act as the documentation says
Submitted: 24 Jun 2011 2:17 Modified: 9 Jul 2011 11:36
Reporter: h ch
Status: Not a Bug Impact on me: None
Category: MySQL Server: Security: Privileges Severity: S1 (Critical)
Version: 5.0.77, 5.1.50 OS: Linux (CentOS5)
Assigned to: CPU Architecture: Any
Tags: grant, privileges

[24 Jun 2011 2:17] h ch
Description:
I checked the documentation and found that WITH GRANT OPTION lets a user grant privileges which the user does not own to anyone. That is too dangerous!

How to repeat:
Two accounts for the test:

root > show grants for 'test1'@'localhost' ;
+--------------------------------------------------------------------------------------------------------------+
| Grants for test1@localhost                                                                                   |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test1'@'localhost' IDENTIFIED BY PASSWORD '*06C0BF5B64ECE2F648B5F048A71903906BA08E5C' |
+--------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

root > show grants for 'test2'@'localhost' ;
+--------------------------------------------------------------------------------------------------------------+
| Grants for test2@localhost                                                                                   |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test2'@'localhost' IDENTIFIED BY PASSWORD '*7CEB3FDE5F7A9C4CE5FBE610D7D8EDA62EBE5F4E' |
+--------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

root > grant select on test.computer to 'test1'@'localhost' with grant option;
Query OK, 0 rows affected (0.00 sec)

root > show grants for 'test1'@'localhost' ;
+--------------------------------------------------------------------------------------------------------------+
| Grants for test1@localhost                                                                                   |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test1'@'localhost' IDENTIFIED BY PASSWORD '*06C0BF5B64ECE2F648B5F048A71903906BA08E5C' |
| GRANT SELECT ON `test`.`computer` TO 'test1'@'localhost' WITH GRANT OPTION                                   |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

Log in as test1:

test1 > grant update on test.computer to 'test2'@'localhost';
Query OK, 0 rows affected (0.00 sec)

That's very bad!!

test1 > grant update on test.eugene to 'test2'@'localhost';
ERROR 1142 (42000): GRANT command denied to user 'test1'@'localhost' for table 'eugene'

That's OK.

Log in as test2:

test2 > show grants;
+--------------------------------------------------------------------------------------------------------------+
| Grants for test2@localhost                                                                                   |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test2'@'localhost' IDENTIFIED BY PASSWORD '*7CEB3FDE5F7A9C4CE5FBE610D7D8EDA62EBE5F4E' |
| GRANT UPDATE ON `test`.`computer` TO 'test2'@'localhost'                                                     |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

User test1 has no UPDATE privilege on table test.computer, but because it has the GRANT OPTION privilege, it can grant UPDATE to user test2.

And here is the definition of GRANT OPTION in the MySQL documentation:

The GRANT OPTION privilege enables you to give to other users or remove from other users those privileges that you yourself possess.

I have not tested this on MySQL 5.5 or 5.6.
[9 Jul 2011 11:36] Sveta Smirnova
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://dev.mysql.com/doc/ and the instructions on how to report a bug at http://bugs.mysql.com/how-to-report.php

Please read at http://dev.mysql.com/doc/refman/5.0/en/grant.html:

Be aware that when you grant a user the GRANT OPTION privilege at a particular privilege level, any privileges the user possesses (or may be given in the future) at that level can also be granted by that user to other users. Suppose that you grant a user the INSERT privilege on a database. If you then grant the SELECT privilege on the database and specify WITH GRANT OPTION, that user can give to other users not only the SELECT privilege, but also INSERT. If you then grant the UPDATE privilege to the user on the database, the user can grant INSERT, SELECT, and UPDATE.

Your case is a bit different, but still can be explained by this:

root > show grants for 'test1'@'localhost' ;
+--------------------------------------------------------------------------------------------------------------+
| Grants for test1@localhost                                                                                   |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test1'@'localhost' IDENTIFIED BY PASSWORD '*06C0BF5B64ECE2F648B5F048A71903906BA08E5C' |
| GRANT SELECT ON `test`.`computer` TO 'test1'@'localhost' WITH GRANT OPTION                                   |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

So test1 can grant privileges on test.* (database level) and test.computer (particular table it has privileges on), not other particular tables.
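The practical question for an administrator reading this thread is not whether the behaviour is intended, but which accounts currently hold GRANT OPTION at which level, since that flag (not the list of privileges shown next to it) decides what an account can delegate. The following SQL is an added example, not part of the bug report or of MySQL's own documentation. It recreates the two accounts from the report on a throwaway server (the passwords are placeholders), then audits GRANT OPTION at the global, database and table levels through INFORMATION_SCHEMA (present since MySQL 5.0) and the raw mysql.tables_priv grant table, and finally shows how to withdraw only the delegation right while leaving the SELECT privilege in place.

```sql
-- Added example (not from the bug report): reproduce the setup on a test
-- server, then audit who holds GRANT OPTION and at which privilege level.
-- Passwords below are placeholders; the grants mirror the report.
CREATE USER 'test1'@'localhost' IDENTIFIED BY 'PLACEHOLDER_PW_1';
CREATE USER 'test2'@'localhost' IDENTIFIED BY 'PLACEHOLDER_PW_2';
GRANT SELECT ON test.computer TO 'test1'@'localhost' WITH GRANT OPTION;

-- Global level: IS_GRANTABLE = 'YES' means the account may re-grant any
-- global privilege it holds now or is given later.
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM INFORMATION_SCHEMA.USER_PRIVILEGES
 WHERE IS_GRANTABLE = 'YES';

-- Database level (rows from mysql.db with Grant_priv = 'Y').
SELECT GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM INFORMATION_SCHEMA.SCHEMA_PRIVILEGES
 WHERE IS_GRANTABLE = 'YES';

-- Table level: this is where test1 from the report appears. Only SELECT is
-- listed, but the grantable flag is what permits delegation on test.computer.
SELECT GRANTEE, TABLE_SCHEMA, TABLE_NAME, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES
 WHERE IS_GRANTABLE = 'YES';

-- Same information from the raw grant table: 'Grant' is one member of the
-- Table_priv SET, stored independently of the other members.
SELECT Host, Db, User, Table_name, Table_priv
  FROM mysql.tables_priv
 WHERE FIND_IN_SET('Grant', Table_priv) > 0;

-- Remediation when delegation was not intended: remove only the option,
-- keeping the SELECT privilege itself.
REVOKE GRANT OPTION ON test.computer FROM 'test1'@'localhost';

-- Confirm the flag is gone; this should now return no row for test1.
SELECT GRANTEE, TABLE_NAME, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES
 WHERE GRANTEE = "'test1'@'localhost'";
```

Run the audit queries as an account with access to the mysql database (for example root); the INFORMATION_SCHEMA privilege tables only show rows for accounts the connecting user is allowed to see. Review any IS_GRANTABLE = 'YES' row the same way you would review a role with admin rights in another system: the row tells you the account can create further grants at that level, whatever subset of privileges it happens to hold today.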