Bug #71335 Please explain (or remove) default entry in mysql.proxies_priv
Submitted: 9 Jan 2014 21:58
Modified: 7 Apr 2015 0:34
Reporter: Todd Farmer (OCA)
Status: Closed
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 5.6.16
OS: Any
Assigned to: Paul DuBois
CPU Architecture: Any

[9 Jan 2014 21:58] Todd Farmer
Description:
The documentation describes the mysql.proxies_priv table as such:

The proxies_priv table indicates which users can act as proxies for other users and whether proxy users can grant the PROXY privilege to other users. 

The default privileges tables shipped with MySQL Server include one row:

mysql> SELECT * FROM proxies_priv\G
*************************** 1. row ***************************
        Host: localhost
        User: root
Proxied_host:
Proxied_user:
  With_grant: 1
     Grantor:
   Timestamp: 2014-01-09 12:35:34
1 row in set (0.01 sec)

I cannot understand this entry.  The root@localhost user account is defined using mysql_native_plugin (which has no proxy user capabilities), and it suggests the root@localhost account can proxy an anonymous user (or an impossible user definition).  Why should this proxy user definition be shipped with the Server?

How to repeat:
SELECT * FROM mysql.proxies_priv;

Suggested fix:
Do not populate this row in default installations (or document why it is needed).

[9 Jan 2014 22:16] Todd Farmer
In further investigation, it seems that this entry is required in order for root@localhost to issue GRANT PROXY on other user accounts.  That's not readily apparent from the documentation, nor is it entirely clear that blank proxied_host *and* proxied_user columns in this table represent wildcards (assumption here).

[4 Apr 2015 14:08] Paul DuBois
http://dev.mysql.com/doc/refman/5.5/en/proxy-users.html says:

The root account created by default during MySQL installation has the PROXY ... WITH GRANT OPTION privilege for ''@'', that is, for all users. This enables root to set up proxy users, as well as to delegate to other accounts the authority to set up proxy users. For example, root can do this:

CREATE USER 'admin'@'localhost' IDENTIFIED BY 'test';
GRANT PROXY ON ''@'' TO 'admin'@'localhost' WITH GRANT OPTION;

Now the admin user can manage all the specific GRANT PROXY mappings. For example, admin can do this:

GRANT PROXY ON sally TO joe;

But probably that information should be more widely propagated in the manual. Will check into this.

[7 Apr 2015 0:34] Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly.

I've added some explanatory text to these sections:

http://dev.mysql.com/doc/refman/5.7/en/default-privileges.html
http://dev.mysql.com/doc/refman/5.7/en/grant-table-structure.html
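
An audit of the PROXY grants discussed in this thread, as an added example that is not part of the original report or of the MySQL manual. It assumes an account with SELECT on the mysql schema and the proxies_priv columns shown in the row above; the scope labels and the choice of root@localhost as the only expected holder of the ''@'' row are assumptions taken from the default install described here.

```sql
-- 1. Classify every PROXY grant. A row with blank Proxied_user and
--    Proxied_host is the ''@'' grant, which the manual text quoted in
--    this thread describes as covering all users.
SELECT
    CONCAT(QUOTE(User), '@', QUOTE(Host))                 AS proxy_account,
    CONCAT(QUOTE(Proxied_user), '@', QUOTE(Proxied_host)) AS proxied_account,
    With_grant,
    Grantor,
    `Timestamp`,
    CASE
        WHEN Proxied_user = '' AND Proxied_host = '' AND With_grant = 1
            THEN 'all users, may delegate PROXY'
        WHEN Proxied_user = '' AND Proxied_host = ''
            THEN 'all users'
        WHEN With_grant = 1
            THEN 'one account, may delegate PROXY'
        ELSE 'one account'
    END AS scope
FROM mysql.proxies_priv
ORDER BY (Proxied_user = '' AND Proxied_host = '') DESC,
         With_grant DESC, User, Host;

-- 2. Accounts other than the default root@localhost that hold the
--    ''@'' grant. In the thread's example, 'admin'@'localhost' would
--    appear here after root delegates to it.
SELECT User, Host, With_grant, Grantor, `Timestamp`
FROM mysql.proxies_priv
WHERE Proxied_user = ''
  AND Proxied_host = ''
  AND NOT (User = 'root' AND Host = 'localhost');

-- 3. The same privilege as the server reports it for the default account.
SHOW GRANTS FOR 'root'@'localhost';
```

Any row returned by the second query is an account that can set up proxy mappings for every user, so it deserves the same review as root itself.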