Bug 434794

Summary: CREATE DATABASE permission bug
Product: Red Hat Enterprise Linux 5
Reporter: Silecs SARL <support>
Component: mysql
Assignee: Tom Lane <tgl>
Status: CLOSED NOTABUG
Severity: high
Priority: low
Version: 5.0
CC: byte, hhorak
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-05-26 02:04:19 UTC

Description Silecs SARL 2008-02-25 15:22:18 UTC
Description of problem:
CREATE DATABASE permission bug:
a normal MySQL user with no CREATE DATABASE permission can still
create a database with a name beginning with 'test_'


Version-Release number of selected component (if applicable): mysql 5.0.22


How reproducible:

Steps to Reproduce:
1. Create a MySQL user with no particular permission.
2. Log in with it, then try:
mysql> create database test_toto;
Query OK, 1 row affected (0.00 sec)

mysql> create database testtoto;
ERROR 1044 (42000): Access denied for user
'cm07lp_03'@'localhost' to database 'testtoto'

mysql> create database toto;
ERROR 1044 (42000): Access denied for user
'cm07lp_03'@'localhost' to database 'toto'


Trials 2 and 3 are OK: permission is rejected.
Trial 1 is buggy: permission SHOULD BE rejected.


Additional info:
There are a lot of other bugs fixed in the upstream 5.0.x since 5.0.22.
Please upgrade to the newest upstream version.

Comment 1 Tom Lane 2008-05-26 02:04:19 UTC
This is not a bug, but intentional (if poorly documented) behavior on upstream's part.  Look into /usr/share/mysql/mysql_system_tables_data.sql.  If you don't like it you can remove the test\_% entry from mysql.db.


Comment 2 Silecs SARL 2008-05-28 09:55:11 UTC
Many thanks for your explanation.
I finally found a reference in the MySQL Bugs DB:
  http://bugs.mysql.com/bug.php?id=12638
And in the documentation:
  http://dev.mysql.com/doc/refman/5.0/en/default-privileges.html
(not very well stressed!)

The most confusing thing is that the rule allows the CREATION of these
test_% databases.
I think the distro versions should at least turn the Create-priv field to 'N'.
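
Added example, not part of the original report and not MySQL's own code: a small Python model of how the `test\_%` row in mysql.db named in Comment 1 is matched against a database name, run over the three names from the report, with the Create-priv change proposed in Comment 2 applied afterwards. The row contents (Host '%', empty User, Create_priv 'Y'), the second row for `test`, and the helper names are assumptions made for this sketch.

```python
import re

# Constructed model of the anonymous-user rows assumed to be in the default
# mysql.db data: (Host, Db pattern, User, Create_priv).
DEFAULT_DB_ROWS = [
    ("%", "test", "", "Y"),
    ("%", r"test\_%", "", "Y"),
]

def db_pattern_to_regex(pattern):
    """Translate a Db pattern: % = any run, _ = one char, \\x = literal x."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            # Escaped wildcard: the next character must match literally.
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def can_create(db_name, rows, user="cm07lp_03"):
    """True if a database-level row grants CREATE on db_name to this user.

    Host matching is left out because both modelled rows use Host '%'.
    An empty User is treated as applying to every account, which is the
    behaviour the report observed (assumption of this model).
    """
    for _host, db_pat, row_user, create_priv in rows:
        if row_user not in ("", user):
            continue
        if create_priv == "Y" and db_pattern_to_regex(db_pat).fullmatch(db_name):
            return True
    return False

def harden(rows):
    """Set Create_priv to 'N' on rows with an empty User (Comment 2's proposal)."""
    return [(h, d, u, "N" if u == "" else c) for h, d, u, c in rows]

if __name__ == "__main__":
    for name in ("test_toto", "testtoto", "toto"):
        before = can_create(name, DEFAULT_DB_ROWS)
        after = can_create(name, harden(DEFAULT_DB_ROWS))
        print(f"{name}: default={before} hardened={after}")
```

The backslash is what separates `test_toto` from `testtoto`: with an unescaped `_` the pattern would match any single character in that position and `testtoto` would be allowed as well.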