[MDEV-17945] mysql.db contains ghost users which allow some operations on them Created: 2018-12-09 Updated: 2018-12-11 Resolved: 2018-12-11 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Authentication and Privilege System |
| Affects Version/s: | 5.5, 10.0, 10.1, 10.2, 10.3, 10.4 |
| Fix Version/s: | N/A |
| Type: | Bug | Priority: | Minor |
| Reporter: | Elena Stepanova | Assignee: | Sergei Golubchik |
| Resolution: | Not a Bug | Votes: | 0 |
| Labels: | None | ||
| Description |
|
Anonymous users have been removed:
and the server knows they don't exist:
but RENAME or DROP still works:
nothing of course appears in mysql.user:
It happens because there is some contents in mysql.db (and it remains there even when anonymous users get dropped):
Now we can work the same way on user foo, etc. It appears strange. I suppose it was meant to be so once, but I'm not sure it still is. |
| Comments |
| Comment by Sergei Golubchik [ 2018-12-11 ] |
|
Yes, it's intentional. The structure of mysql.* privilege tables predates GRANT statement and it supports privilege configurations that cannot be created with GRANT/REVOKE or shown with SHOW GRANTS. They can be only created with INSERT/UPDATE/DELETE statements. And such a configuration was a default one in a newly installed server since before GRANT was implemented. It would be good to refactor privilege tables to support GRANT privilege model only, but the current behavior is definitely not a bug. |