Bug 434794 - CREATE DATABASE permission bug
Summary: CREATE DATABASE permission bug
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mysql
Version: 5.0
Hardware: All
OS: Linux
low
high
Target Milestone: rc
: ---
Assignee: Tom Lane
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-02-25 15:22 UTC by Silecs SARL
Modified: 2013-07-03 03:17 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-26 02:04:19 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Silecs SARL 2008-02-25 15:22:18 UTC
Description of problem:
CREATE DATABASE permission bug :
a normal mysql user with no CREATE DATABASE permission still 
can create a database with a name beginning with 'test_'


Version-Release number of selected component (if applicable): mysql 5.0.22


How reproducible:

Steps to Reproduce:
1. create a mysql user, with no particular permission
2. log in with it then try :
mysql> create database test_toto;
Query OK, 1 row affected (0.00 sec)

mysql> create database testtoto;
ERROR 1044 (42000): Access denied for user
'cm07lp_03'@'localhost' to database 'testtoto'

mysql> create database toto;
ERROR 1044 (42000): Access denied for user
'cm07lp_03'@'localhost' to database 'toto'


Trial 2 and 3 are OK : permission is rejected. 
Trial 1 is buggy : permission SHOULD BE rejected.


Additional info:
There are a lot of other bugs fixed in the upstream 5.0.x since 5.0.22.
Please upgrade to the newest upstream version.

Comment 1 Tom Lane 2008-05-26 02:04:19 UTC
This is not a bug, but intentional (if poorly documented) behavior on upstream's part.  Look into /usr/share/mysql/mysql_system_tables_data.sql.  If you don't like it you can remove the test\_% entry 
from mysql.db.


Comment 2 Silecs SARL 2008-05-28 09:55:11 UTC
Many thanks for your explanation. 
I finally found a reference in the Mysql Bugs DB : 
  http://bugs.mysql.com/bug.php?id=12638
And in the documentation :
  http://dev.mysql.com/doc/refman/5.0/en/default-privileges.html
(not very well stressed !)

The most confusing thing is that the rule allows the CREATION of these
test_% database. 
I think the distros versions should at least turn the Create-priv field to 'N'.


Note You need to log in before you can comment on or make changes to this bug.