Bug 434794 - CREATE DATABASE permission bug
CREATE DATABASE permission bug
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mysql (Show other bugs)
All Linux
low Severity high
: rc
: ---
Assigned To: Tom Lane
Depends On:
  Show dependency treegraph
Reported: 2008-02-25 10:22 EST by Silecs SARL
Modified: 2013-07-02 23:17 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-05-25 22:04:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Silecs SARL 2008-02-25 10:22:18 EST
Description of problem:
CREATE DATABASE permission bug :
a normal mysql user with no CREATE DATABASE permission still 
can create a database with a name beginning with 'test_'

Version-Release number of selected component (if applicable): mysql 5.0.22

How reproducible:

Steps to Reproduce:
1. create a mysql user, with no particular permission
2. log in with it then try :
mysql> create database test_toto;
Query OK, 1 row affected (0.00 sec)

mysql> create database testtoto;
ERROR 1044 (42000): Access denied for user
'cm07lp_03'@'localhost' to database 'testtoto'

mysql> create database toto;
ERROR 1044 (42000): Access denied for user
'cm07lp_03'@'localhost' to database 'toto'

Trial 2 and 3 are OK : permission is rejected. 
Trial 1 is buggy : permission SHOULD BE rejected.

Additional info:
There are a lot of other bugs fixed in the upstream 5.0.x since 5.0.22.
Please upgrade to the newest upstream version.
Comment 1 Tom Lane 2008-05-25 22:04:19 EDT
This is not a bug, but intentional (if poorly documented) behavior on upstream's part.  Look into /usr/share/mysql/mysql_system_tables_data.sql.  If you don't like it you can remove the test\_% entry 
from mysql.db.
Comment 2 Silecs SARL 2008-05-28 05:55:11 EDT
Many thanks for your explanation. 
I finally found a reference in the Mysql Bugs DB : 
And in the documentation :
(not very well stressed !)

The most confusing thing is that the rule allows the CREATION of these
test_% database. 
I think the distros versions should at least turn the Create-priv field to 'N'.

Note You need to log in before you can comment on or make changes to this bug.