Comments on: MySQL security: inconsistencies
https://shlomi-noach.github.io/blog/mysql/mysql-security-inconsistencies
Blog by Shlomi Noach
Wed, 22 Jun 2011 11:07:52 +0000

By: Giuseppe Maxia https://shlomi-noach.github.io/blog/mysql/mysql-security-inconsistencies/comment-page-1#comment-44455 Wed, 22 Jun 2011 11:07:52 +0000
Thanks for this post! It triggered some memories.
There are a few not well known facts about “WITH GRANT OPTION”.
http://datacharmer.blogspot.com/2011/06/less-known-facts-about-mysql-user.html

By: shlomi https://shlomi-noach.github.io/blog/mysql/mysql-security-inconsistencies/comment-page-1#comment-44441 Wed, 22 Jun 2011 08:05:22 +0000
@Daniël,

oops, will do.

@Peter,
You can also see it in the INFORMATION_SCHEMA.TABLE_PRIVILEGES table:
there is an IS_GRANTABLE column, which makes the table be in 2nd normal form.

It *looks* as if each privilege can be assigned with IS_GRANTABLE of its own, but this is not the case.

By: Peter Laursen https://shlomi-noach.github.io/blog/mysql/mysql-security-inconsistencies/comment-page-1#comment-44439 Wed, 22 Jun 2011 07:56:17 +0000
@Shlomi ..

Most of this is known and has been discussed in various places before (in blogs, MySQL Forums and bugs.mysql). But there is one particularly good catch that I did not notice before myself, and that is:

root@mysql-5.1.51> GRANT INSERT, DELETE, UPDATE ON world.City TO 'gromit'@'localhost';
root@mysql-5.1.51> GRANT SELECT ON world.City TO 'gromit'@'localhost' WITH GRANT OPTION;

.. which results in
GRANT SELECT, INSERT, UPDATE, DELETE ON `world`.`City` TO 'gromit'@'localhost' WITH GRANT OPTION

.. so “GRANT OPTION” cannot be narrowed to a subset of a user’s privileges on a database object. It takes effect for all privileges or none. If it is supposed to be like this, then the command-line syntax is confusing. GUI tools (those I know) are actually less confusing in this respect than the command line.

By: Daniël van Eeden https://shlomi-noach.github.io/blog/mysql/mysql-security-inconsistencies/comment-page-1#comment-44438 Wed, 22 Jun 2011 07:55:38 +0000
Did you file a bug for the missing I_S table for procs_priv?
