Bug #75118 Misleading error message when WITH GRANT OPTION privilege is missing
Submitted: 5 Dec 2014 16:28
Modified: 9 Dec 2014 20:08
Reporter: Oli Sennhauser
Status: Verified
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 5.6, 5.5.42, 5.6.23, 5.7.6
OS: Linux (n.a.)
Assigned to:
CPU Architecture: Any
Tags: create user, error message, grant option

[5 Dec 2014 16:28] Oli Sennhauser
Description:
We wanted to create a new user with our admin user as follows and got a completely confusing and misleading error message:

shell> mysql --user=dba --password=dbasecret
mysql> GRANT ALL PRIVILEGES ON *.* TO 'service_manager'@'localhost' IDENTIFIED BY 'secret';
ERROR 1045 (28000): Access denied for user 'dba'@'localhost' (using password: YES)

How to repeat:
shell> mysql --user=root
mysql> GRANT ALL PRIVILEGES ON *.* TO 'dba'@'localhost' IDENTIFIED BY 'dbasecret';
mysql> exit

shell> mysql --user=dba --password=dbasecret
mysql> GRANT ALL PRIVILEGES ON *.* TO 'service_manager'@'localhost' IDENTIFIED BY 'secret';
ERROR 1045 (28000): Access denied for user 'dba'@'localhost' (using password: YES)
dba@localhost [(none)]> exit

shell> mysql --user=root
mysql> GRANT ALL PRIVILEGES ON *.* TO 'service_manager'@'localhost' IDENTIFIED BY 'secret';

This happened with MySQL 5.6.17 and 5.6.22.

It is clear to us that the dba user is lacking the WITH GRANT OPTION privilege, which is needed to create a new user.

Suggested fix:
We expect an error message indicating that the WITH GRANT OPTION privilege is missing, or at least that the user does not have the rights to create another user...

[9 Dec 2014 20:08] Sveta Smirnova
Thank you for the reasonable feature request.
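
Added example, not part of the original report or of MySQL's own documentation: because the server answers with a generic ERROR 1045, an administrator can confirm that a missing GRANT OPTION is the cause by inspecting the account's grants directly. The account names are the ones used in the report; the statements assume MySQL 5.5 to 5.7 and a session allowed to read the mysql schema.

```sql
-- 1. As the affected account: list what the session really holds.
--    ALL PRIVILEGES does not include GRANT OPTION, so for an account that
--    cannot delegate, the global GRANT line does not end in WITH GRANT OPTION.
SELECT CURRENT_USER();
SHOW GRANTS FOR CURRENT_USER();

-- 2. The same check against the grant table: Grant_priv holds the global
--    GRANT OPTION flag ('Y' or 'N') for each account.
SELECT User, Host, Grant_priv
  FROM mysql.user
 WHERE User = 'dba' AND Host = 'localhost';

-- 3. Audit view: every account that is able to pass its global privileges
--    on to other accounts. Keep this list short and reviewed.
SELECT User, Host
  FROM mysql.user
 WHERE Grant_priv = 'Y'
 ORDER BY User, Host;

-- 4. Only if dba is really meant to administer other accounts: add the
--    delegation right explicitly, from an account that already has it (root).
GRANT ALL PRIVILEGES ON *.* TO 'dba'@'localhost' WITH GRANT OPTION;

-- 5. Re-check after the change.
SHOW GRANTS FOR 'dba'@'localhost';
```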