Bug #70114 MySQL Permissions - Renaming a TEMPORARY table requires DROP privilege
Submitted: 22 Aug 2013 1:38
Modified: 22 Aug 2013 8:18
Reporter: Josh Engman
Status: Verified
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 5.1.61, 5.1.71, 5.5.33, 5.6.13, 5.7.2-m12
OS: Any
Assigned to:
CPU Architecture: Any
Tags: permission mysql drop temporary

[22 Aug 2013 1:38] Josh Engman
Description:
MySQL requires that you have DROP privilege on a database in order to rename a temporary table.  This seems like a bug to me, since you can simply create a new temporary table with the desired name and copy the data to the new table.

How to repeat:
CREATE DATABASE Sandbox;
CREATE USER 'bugtest'@'localhost' IDENTIFIED BY 'bug';
GRANT CREATE TEMPORARY TABLES, ALTER, SELECT ON Sandbox.* TO 'bugtest'@'localhost';
-- Then, connected as 'bugtest'@'localhost' with Sandbox as the default database:
CREATE TEMPORARY TABLE test (id int);
ALTER TABLE test RENAME TO test2;

> ERROR 1142 (42000): DROP command denied to user 'bugtest'@'localhost' for table 'test'

Suggested fix:
DROP permission should not be necessary for handling TEMPORARY tables as they are connection specific.
[22 Aug 2013 2:25] Josh Engman
I forgot to mention that the main reason I feel this is a bug (and does not fall under the umbrella of TEMPORARY tables requiring permission on the underlying table) is that MySQL specifically returns an error that the "DROP" permission is required, but you don't need the DROP permission to DROP a TEMPORARY table.

So I can 
CREATE TEMPORARY TABLE test1(id int);
DROP TEMPORARY TABLE test1;

without issue.
[22 Aug 2013 8:18] MySQL Verification Team
Hello Josh, 

Thank you for the bug report.
Verified as described.

Thanks,
Umesh