Bug #62664 update privilege consist of show databases privilege
Submitted: 10 Oct 2011 6:01
Modified: 10 Oct 2011 8:14
Reporter: h ch
Status: Not a Bug
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 5.0,5.1
OS: Any
Assigned to:
CPU Architecture: Any
Tags: show databases privilege, update privilege

[10 Oct 2011 6:01] h ch
Description:
If update privilege is granted to a user, the user can also see schemas using 'show schema'. I think that's a duplicate privilege.

How to repeat:
mysql> create user 'test';
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'test';
+----------------------------------+
| Grants for test@%                |
+----------------------------------+
| GRANT USAGE ON *.* TO 'test'@'%' |
+----------------------------------+

# mysql -utest
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 304142
Server version: 5.0.77-log Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show schemas;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
==============
Now grant update to the user and see what happens:

mysql> grant update on *.* to 'test';
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'test';
+-----------------------------------+
| Grants for test@%                 |
+-----------------------------------+
| GRANT UPDATE ON *.* TO 'test'@'%' |
+-----------------------------------+

User test reconnects to MySQL:

# mysql -utest
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 304544
Server version: 5.0.77-log Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show schemas;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| test               |
+--------------------+
8 rows in set (0.00 sec)

I also see this problem on MySQL 5.1.50.

[10 Oct 2011 8:14] Valeriy Kravchuk
You had granted UPDATE on *.*, that is, global, on any table in any database. Now, read the manual, http://dev.mysql.com/doc/refman/5.5/en/privileges-provided.html#priv_show-databases:

"The SHOW DATABASES privilege enables the account to see database names by issuing the SHOW DATABASE statement. Accounts that do not have this privilege see only databases for which they have some privileges, and cannot use the statement at all if the server was started with the --skip-show-database option. Note that any global privilege is a privilege for the database."

So, you see databases for which you have UPDATE privilege (all of them, that is). This is not a bug.
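The rule quoted from the manual can be checked and tightened from an administrative session. The SQL below is an added example, not part of the original report or reply: it lists accounts that can enumerate every database name through a global grant alone, then replaces the report's `*.*` grant with a database-scoped one. The schema name `appdb` is hypothetical, and the column list is an assumption about which `mysql.user` privilege columns (those present in both 5.0 and 5.1) apply at database level.

```sql
-- Added example; 'appdb' is a hypothetical schema name.

-- 1. Accounts that lack SHOW DATABASES but still hold at least one
--    database-applicable privilege ON *.* (a global privilege counts as a
--    privilege for every database, so SHOW DATABASES lists all of them).
--    Column list is an assumption: privilege columns common to 5.0 and 5.1.
SELECT User, Host
FROM mysql.user
WHERE Show_db_priv = 'N'
  AND 'Y' IN (Select_priv, Insert_priv, Update_priv, Delete_priv,
              Create_priv, Drop_priv, Grant_priv, References_priv,
              Index_priv, Alter_priv, Create_tmp_table_priv,
              Lock_tables_priv, Execute_priv, Create_view_priv,
              Show_view_priv, Create_routine_priv, Alter_routine_priv);

-- 2. Replace the global grant from the report with a grant limited to the
--    one schema the account actually needs to update.
REVOKE UPDATE ON *.* FROM 'test'@'%';
GRANT UPDATE ON appdb.* TO 'test'@'%';

-- 3. Confirm the resulting grants, then reconnect as 'test' and run
--    SHOW DATABASES to compare with the listings in the report.
SHOW GRANTS FOR 'test'@'%';
```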