Bug #61623 | with grant option not act as document says | ||
---|---|---|---|
Submitted: | 24 Jun 2011 2:17 | Modified: | 9 Jul 2011 11:36 |
Reporter: | h ch | Email Updates: | |
Status: | Not a Bug | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S1 (Critical) |
Version: | 5.0.77, 5.1.50 | OS: | Linux (CentOS5) |
Assigned to: | | CPU Architecture: | Any |
Tags: | grant, privileges | | |
[24 Jun 2011 2:17]
h ch
[9 Jul 2011 11:36]
Sveta Smirnova
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://dev.mysql.com/doc/ and the instructions on how to report a bug at http://bugs.mysql.com/how-to-report.php

Please read at http://dev.mysql.com/doc/refman/5.0/en/grant.html:

Be aware that when you grant a user the GRANT OPTION privilege at a particular privilege level, any privileges the user possesses (or may be given in the future) at that level can also be granted by that user to other users. Suppose that you grant a user the INSERT privilege on a database. If you then grant the SELECT privilege on the database and specify WITH GRANT OPTION, that user can give to other users not only the SELECT privilege, but also INSERT. If you then grant the UPDATE privilege to the user on the database, the user can grant INSERT, SELECT, and UPDATE.

Your case is a bit different, but still can be explained by this:

```
root > show grants for 'test1'@'localhost' ;
+--------------------------------------------------------------------------------------------------------------+
| Grants for test1@localhost                                                                                   |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test1'@'localhost' IDENTIFIED BY PASSWORD '*06C0BF5B64ECE2F648B5F048A71903906BA08E5C' |
| GRANT SELECT ON `test`.`computer` TO 'test1'@'localhost' WITH GRANT OPTION                                   |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
```

So test1 can grant privileges on test.* (database level) and test.computer (particular table it has privileges on), not other particular tables.
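Added example (not part of the bug report and not MySQL's own code): a Python audit helper that applies the documented rule quoted above to pasted `SHOW GRANTS` output, listing for each scope that carries `WITH GRANT OPTION` every privilege the account holds there and can therefore pass on. The account `'app'@'localhost'`, the `shop` schema and the password placeholder are constructed sample data; routine-level grants (`ON PROCEDURE ...`) are not parsed.

```python
import re
from collections import defaultdict

# A scope part is either a backtick-quoted identifier or the * wildcard.
_NAME = r"(?:`[^`]*`|\*)"
GRANT_RE = re.compile(
    rf"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>{_NAME}\.{_NAME})\s+TO\s+"
    r"(?P<grantee>'[^']*'@'[^']*')(?P<rest>.*)$",
    re.IGNORECASE,
)

def level(scope):
    """Name the privilege level that a SHOW GRANTS scope refers to."""
    if scope == "*.*":
        return "global"
    return "database" if scope.endswith(".*") else "table"

def delegable(lines):
    """Map (grantee, scope) -> privileges the grantee can grant to others.

    Per the documented rule, GRANT OPTION at a scope covers every privilege
    held at that scope, not only those in the statement that carried it.
    """
    held, can_grant = defaultdict(set), set()
    for line in lines:
        # Accept rows pasted from the mysql client's boxed table output.
        m = GRANT_RE.match(line.strip().strip("|").strip())
        if not m:
            continue  # border, header, or an unsupported grant form
        key = (m["grantee"], m["scope"])
        # Split on commas that are not inside a column list "(a, b)".
        for priv in re.split(r",\s*(?![^()]*\))", m["privs"]):
            if priv.strip().upper() != "USAGE":  # USAGE means "no privileges"
                held[key].add(priv.strip())
        if re.search(r"WITH\s+GRANT\s+OPTION", m["rest"], re.IGNORECASE):
            can_grant.add(key)
    return {key: sorted(held[key]) for key in can_grant}

# Constructed sample: test1's grants as shown on this page (hash replaced by a
# placeholder) plus a made-up account matching the manual's INSERT/SELECT/UPDATE case.
SAMPLE = [
    "| GRANT USAGE ON *.* TO 'test1'@'localhost' IDENTIFIED BY PASSWORD '*PLACEHOLDER' |",
    "| GRANT SELECT ON `test`.`computer` TO 'test1'@'localhost' WITH GRANT OPTION |",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'app'@'localhost' WITH GRANT OPTION",
    "GRANT DELETE ON `shop`.`audit` TO 'app'@'localhost'",
]

if __name__ == "__main__":
    for (grantee, scope), privs in sorted(delegable(SAMPLE).items()):
        print(f"{grantee} can grant {', '.join(privs)} on {scope} ({level(scope)} level)")
```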