Bug #95256 MySQL 8.0.16 SYSTEM USER can be changed by DML
Submitted: 6 May 8:07
Modified: 5 Aug 11:41
Reporter: Zhao Jianwei
Status: Not a Bug
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 8.0.16
OS: Any
Assigned to:
CPU Architecture: Any

[6 May 8:07] Zhao Jianwei
Description:
Hi, guys

On MySQL 8.0.16, there are two categories of users, regular users and system users. A system user can be protected through the SYSTEM_USER global privilege, but if a regular user has DML privileges on MYSQL.GLOBAL_GRANTS, it can promote itself to system user.

How to repeat:
See the test cases.
[6 May 8:10] Zhao Jianwei
test case

Attachment: t.test (application/octet-stream, text), 1.47 KiB.

[6 May 12:14] Bogdan Kecman
Hi,

Thanks for your report. This behavior is verified (and expected tbh). Now, it cannot be S2: either we consider this to be a security bug, in which case it is S1, or it's behavior we don't like, which can at most be S3, but not S2 in any case. I'll drop it to S3 and I'll verify it, but there is a big chance that the design team will change this to not a bug.

Thanks
Bogdan
[5 Aug 11:41] Bogdan Kecman
Referring to:

https://mysqlserverteam.com/how-to-create-multiple-accounts-for-an-app/

reclassified as not a bug.
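
A defensive audit for the condition described in this report, as an added example that is not part of the original thread or of the attached t.test: it lists accounts that lack SYSTEM_USER yet hold INSERT, UPDATE or DELETE on mysql.global_grants at global, schema or table level. It assumes the standard MySQL 8.0 grant tables and does not expand privileges inherited through roles.

```sql
-- Added audit example (not from the bug thread).
-- Finds accounts that can write to mysql.global_grants directly
-- but do not themselves hold the SYSTEM_USER dynamic privilege.
-- Not covered: privileges inherited via roles (mysql.role_edges)
-- and column-level grants (mysql.columns_priv).
SELECT w.User, w.Host, w.scope, w.privs
FROM (
    -- Global DML privileges (ON *.*)
    SELECT u.User, u.Host, 'global (*.*)' AS scope,
           CONCAT_WS(',', IF(u.Insert_priv = 'Y', 'INSERT', NULL),
                          IF(u.Update_priv = 'Y', 'UPDATE', NULL),
                          IF(u.Delete_priv = 'Y', 'DELETE', NULL)) AS privs
    FROM mysql.user AS u
    WHERE 'Y' IN (u.Insert_priv, u.Update_priv, u.Delete_priv)

    UNION ALL
    -- Schema-level DML; Db may be a wildcard pattern such as '%' or 'my%'
    SELECT d.User, d.Host, CONCAT('schema ', d.Db),
           CONCAT_WS(',', IF(d.Insert_priv = 'Y', 'INSERT', NULL),
                          IF(d.Update_priv = 'Y', 'UPDATE', NULL),
                          IF(d.Delete_priv = 'Y', 'DELETE', NULL))
    FROM mysql.db AS d
    WHERE 'mysql' LIKE d.Db
      AND 'Y' IN (d.Insert_priv, d.Update_priv, d.Delete_priv)

    UNION ALL
    -- Table-level DML granted on mysql.global_grants itself
    SELECT t.User, t.Host, 'table mysql.global_grants',
           CAST(t.Table_priv AS CHAR)
    FROM mysql.tables_priv AS t
    WHERE t.Db = 'mysql'
      AND t.Table_name = 'global_grants'
      AND (FIND_IN_SET('Insert', t.Table_priv)
        OR FIND_IN_SET('Update', t.Table_priv)
        OR FIND_IN_SET('Delete', t.Table_priv))
) AS w
LEFT JOIN mysql.global_grants AS g
       ON g.USER = w.User
      AND g.HOST = w.Host
      AND g.PRIV = 'SYSTEM_USER'
WHERE g.USER IS NULL          -- keep only accounts without SYSTEM_USER
ORDER BY w.User, w.Host, w.scope;
```

Any row returned is a regular account whose grants on the mysql schema should be reviewed and narrowed.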