Bug #95256 MySQL 8.0.16 SYSTEM USER can be changed by DML
Submitted: 6 May 2019 8:07
Modified: 5 Aug 2019 11:41
Reporter: Zhao Jianwei
Status: Not a Bug
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 8.0.16
OS: Any
Assigned to:
CPU Architecture: Any

[6 May 2019 8:07] Zhao Jianwei
Description:
Hi, guys

On MySQL 8.0.16, there are two categories of users, regular users and system users.
A system user can be protected through the SYSTEM_USER global privilege, but if a regular user has DML privileges on MYSQL.GLOBAL_GRANTS, it can promote itself to system user.

How to repeat:
See the test cases.
[6 May 2019 8:10] Zhao Jianwei
test case

Attachment: t.test (application/octet-stream, text), 1.47 KiB.

[6 May 2019 12:14] MySQL Verification Team
Hi,

Thanks for your report. This behavior is verified (and expected tbh). Now, it cannot be S2: we can consider this to be a security bug, then it is S1, or it's behavior we don't like, which can at most be S3, but not S2 in any case. I'll drop it to S3 and I'll verify it, but there is a big chance that the design team will change this to not a bug.

Thanks
Bogdan
[5 Aug 2019 11:41] MySQL Verification Team
Referring to:

https://mysqlserverteam.com/how-to-create-multiple-accounts-for-an-app/

reclassified as not a bug.
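
An audit query for the condition described in this report, added here as an example and not part of the original report or of MySQL's own material: it lists accounts that hold INSERT, UPDATE or DELETE reaching mysql.global_grants without holding SYSTEM_USER. It assumes an administrative session that can read the mysql grant tables, and it checks direct grants only; privileges obtained through roles or narrowed by partial revokes are not evaluated.

```sql
-- Added audit example (not from the bug report).
-- Lists accounts that can write to mysql.global_grants but are not
-- themselves marked SYSTEM_USER. Direct grants only: role membership
-- and partial revokes are not evaluated here.
SELECT a.User, a.Host, a.scope
FROM (
    -- Global DML (GRANT ... ON *.*) covers the mysql schema too.
    SELECT User, Host, 'global (*.*)' AS scope
    FROM mysql.user
    WHERE 'Y' IN (Insert_priv, Update_priv, Delete_priv)

    UNION ALL

    -- Schema-level DML; Db can hold a wildcard pattern, so match
    -- the literal schema name against it rather than using '='.
    SELECT User, Host, CONCAT('schema ', Db)
    FROM mysql.db
    WHERE 'mysql' LIKE Db
      AND 'Y' IN (Insert_priv, Update_priv, Delete_priv)

    UNION ALL

    -- Table-level DML granted on mysql.global_grants itself.
    SELECT User, Host, CONCAT('table ', Db, '.', Table_name)
    FROM mysql.tables_priv
    WHERE Db = 'mysql'
      AND Table_name = 'global_grants'
      AND (FIND_IN_SET('Insert', Table_priv)
           OR FIND_IN_SET('Update', Table_priv)
           OR FIND_IN_SET('Delete', Table_priv))
) AS a
LEFT JOIN mysql.global_grants AS g
       ON g.USER = a.User
      AND g.HOST = a.Host
      AND g.PRIV = 'SYSTEM_USER'
WHERE g.USER IS NULL          -- keep only accounts without SYSTEM_USER
ORDER BY a.User, a.Host, a.scope;
```

Any row returned is a regular account whose grants should be reviewed against the report's description.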