Bug #81425 Invalid timestamps are inserted into proxies_priv table
Submitted: 14 May 2016 8:50 Modified: 16 May 2016 4:14
Reporter: monty solomon Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S3 (Non-critical)
Version:5.7.12 OS:CentOS
Assigned to: CPU Architecture:Any

[14 May 2016 8:50] monty solomon
Description:
Entries created in the proxies_priv table use a timestamp of 0000-00-00 00:00:00 when innodb_strict_mode is 1 and sql_mode contains NO_ZERO_IN_DATE,NO_ZERO_DATE.

How to repeat:
set global innodb_strict_mode = 1;

set global sql_mode = "ONLY_FULL_GROUP_BY,NO_AUTO_VALUE_ON_ZERO,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

install plugin auth_socket SONAME 'auth_socket.so';

CREATE USER 'employee_ext'@'localhost'
  IDENTIFIED WITH auth_socket AS 'my_auth_string';

CREATE USER 'employee'@'localhost'
  IDENTIFIED BY 'employee_pass';

GRANT PROXY
  ON 'employee'@'localhost'
  TO 'employee_ext'@'localhost';

select * from proxies_priv where Proxied_user='employee'\G
*************************** 1. row ***************************
        Host: localhost
        User: employee_ext
Proxied_host: localhost
Proxied_user: employee
  With_grant: 0
     Grantor: root@localhost
   Timestamp: 0000-00-00 00:00:00
1 row in set (0.00 sec)

Suggested fix:
Use the current timestamp when adding entries to the proxies_priv table.
[14 May 2016 18:58] MySQL Verification Team
Thank you for the bug report.

miguel@tikalbr:~/dbs$ ./57c
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.14-log Source distribution 2016-MAY-09

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql 5.7 > set global innodb_strict_mode = 1;
Query OK, 0 rows affected (0,00 sec)

mysql 5.7 > set global sql_mode = "ONLY_FULL_GROUP_BY,NO_AUTO_VALUE_ON_ZERO,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
    -> ;
Query OK, 0 rows affected (0,00 sec)

mysql 5.7 > install plugin auth_socket SONAME 'auth_socket.so';
Query OK, 0 rows affected (0,06 sec)

mysql 5.7 > CREATE USER 'employee_ext'@'localhost'
    ->   IDENTIFIED WITH auth_socket AS 'my_auth_string';
Query OK, 0 rows affected (0,02 sec)

mysql 5.7 > CREATE USER 'employee'@'localhost'
    ->   IDENTIFIED BY 'employee_pass';
Query OK, 0 rows affected (0,04 sec)

mysql 5.7 > GRANT PROXY
    ->   ON 'employee'@'localhost'
    ->   TO 'employee_ext'@'localhost';
Query OK, 0 rows affected (0,04 sec)

mysql 5.7 > USE mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql 5.7 > select * from proxies_priv where Proxied_user='employee'\G
*************************** 1. row ***************************
        Host: localhost
        User: employee_ext
Proxied_host: localhost
Proxied_user: employee
  With_grant: 0
     Grantor: root@localhost
   Timestamp: 0000-00-00 00:00:00
1 row in set (0,00 sec)
[16 May 2016 4:14] monty solomon
FYI, this affects MySQL version 5.6 also.