Regression in privileges of mysql debian-sys-maint user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mysql-5.5 (Debian) | Fix Released | Unknown | |
mysql-5.5 (Ubuntu) | Fix Released | High | Clint Byrum |
Precise | Won't Fix | High | Unassigned |
Quantal | Won't Fix | High | Unassigned |

Bug Description
1. Ubuntu release:
# lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04
2. Version of package
# apt-cache policy mysql-server
mysql-server:
Installed: 5.5.24-
Candidate: 5.5.24-
Version table:
*** 5.5.24-
500 http://
500 http://
100 /var/lib/
5.
500 http://
3. Expected behaviour
mysql debian-sys-maint user has all mysql privileges.
4. What happened instead
mysql debian-sys-maint user has all mysql privileges except create_tablespace, causing creation of new users and grant of *.* privileges to fail.
5. Details.
This bug concerns privileges granted to the debian-sys-maint user under Precise, which represents a regression as compared to Lucid and mysql-server-5.0.
Under Lucid, the debian-sys-maint user has all privileges granted to it. This means it is possible for a package which needs to autoinstall without asking for password credentials interactively to use the debian-sys-maint user to create another user and grant that user appropriate privileges. On an appliance type install, the following might be used:
CREATE USER 'mypackageadmin
GRANT ALL PRIVILEGES ON *.* TO 'mypackageadmin
This approach succeeds on Lucid.
However, a change in Precise means that this process now fails. mysql 5.5 has added another privilege (create_
"To use GRANT, you must have the GRANT OPTION privilege, ***and you must have the privileges that you are granting.***" (my emphasis)
The grant of *.* privileges fails (I believe) because of the lack of the create_tablespace privileges (that is the only difference in privileges between that and the root user). This causes such packages to fail to install even if rebuilt on Precise. I can see no particular reason why the debian-sys-maint user should not have this privilege.
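The rule quoted in the report (a grantor needs GRANT OPTION plus every privilege being granted) can be checked against an account's row in `mysql.user`. The following is an added example, not code from the bug report or from the package: the sample `\G` output is constructed and trimmed to a few columns, and the function names are hypothetical.

```python
"""Audit which global privileges a MySQL account lacks (added example)."""

# Constructed sample in the layout of
#   mysql -e "SELECT * FROM mysql.user WHERE User IN ('root','debian-sys-maint')\G"
# trimmed to a few columns; the values are illustrative, not taken from the report.
SAMPLE = """\
*************************** 1. row ***************************
                  Host: localhost
                  User: root
           Select_priv: Y
      Create_user_priv: Y
            Grant_priv: Y
Create_tablespace_priv: Y
*************************** 2. row ***************************
                  Host: localhost
                  User: debian-sys-maint
           Select_priv: Y
      Create_user_priv: Y
            Grant_priv: Y
Create_tablespace_priv: N
"""


def parse_vertical(text):
    """Parse vertical (backslash-G) output into one {column: value} dict per row."""
    rows = []
    for line in text.splitlines():
        if line.startswith("***"):          # row separator starts a new record
            rows.append({})
        elif ":" in line and rows:
            key, _, value = line.partition(":")
            rows[-1][key.strip()] = value.strip()
    return rows


def missing_privs(rows, user):
    """Return the sorted *_priv columns that are not 'Y' for `user`."""
    for row in rows:
        if row.get("User") == user:
            return sorted(k for k, v in row.items()
                          if k.endswith("_priv") and v != "Y")
    raise KeyError(user)


def can_grant_all(rows, user):
    """GRANT ALL ON *.* requires Grant_priv and every privilege being granted."""
    return not missing_privs(rows, user)


if __name__ == "__main__":
    rows = parse_vertical(SAMPLE)
    for account in ("root", "debian-sys-maint"):
        print(account, can_grant_all(rows, account), missing_privs(rows, account))
```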
Changed in mysql-5.5 (Ubuntu): importance: Undecided → High
Changed in mysql-5.5 (Ubuntu): status: Triaged → Fix Committed
Changed in mysql-5.5 (Debian): status: Unknown → New
Changed in mysql-5.5 (Debian): status: New → Fix Committed
Changed in mysql-5.5 (Debian): status: Fix Committed → Fix Released
I believe a patch like this (untested) will fix the issue