#3270 Revoking privileges when you lack 'ALL PRIVILEGES' yourself

Status: open
Owner: nobody
Labels: Privileges (64)
Priority: 5
Updated: 2014-07-01
Created: 2011-04-13
Creator: Herman van Rink
Private: No

Case:
My dev super super had all global privilege boxes checked except for 'File', (using mysql 5.0 and 5.1)

When I tried to remove a database specific privilege for some user this silently failed.

The reason for this is that we try "REVOKE ALL PRIVILEGES ON `test` . * FROM 'piet'@'%';" first and then GRANT all the boxes that were checked.

Since my user did not have the 'File' privilege this was not allowed by mysql. In a comment it states "this query may fail, but this does not matter :o)" but I tend to disagree.

I'm afraid there has to be some code to revoke all privileges that were not selected in the form.
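
The report's closing suggestion, sketched as an added example (not phpMyAdmin's code; all function and variable names are hypothetical): diff the privileges currently held against the boxes checked, emit REVOKE and GRANT only for that difference, and return the changes the logged-in account cannot make so they can be reported rather than failing silently. It assumes the logged-in account holds GRANT OPTION and relies on MySQL's rule that an account can grant or revoke only privileges it holds itself.

```python
# Added illustration, not phpMyAdmin code; all names are hypothetical.

def quote_ident(name):
    """Backtick-quote a MySQL identifier."""
    return "`" + name.replace("`", "``") + "`"

def quote_str(value):
    """Single-quote a MySQL string literal (user and host parts)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

def plan_privilege_change(current, selected, actor_privs, user, host, db=None):
    """Build REVOKE/GRANT statements for only the privileges that change.

    current     -- privileges the target account holds at this level now
    selected    -- privileges checked in the submitted form
    actor_privs -- privileges the logged-in account holds at this level
    db          -- database name, or None for the global level (*.*)
    Returns (statements, blocked): blocked lists the changes the actor may
    not make, so the caller can report them instead of failing silently.
    """
    level = "*.*" if db is None else quote_ident(db) + ".*"
    account = quote_str(user) + "@" + quote_str(host)
    to_revoke = current - selected
    to_grant = selected - current
    # MySQL requires the actor to hold each privilege it grants or revokes.
    blocked = sorted((to_revoke | to_grant) - actor_privs)
    statements = []
    allowed_revoke = sorted(to_revoke & actor_privs)
    allowed_grant = sorted(to_grant & actor_privs)
    if allowed_revoke:
        statements.append("REVOKE %s ON %s FROM %s;" % (", ".join(allowed_revoke), level, account))
    if allowed_grant:
        statements.append("GRANT %s ON %s TO %s;" % (", ".join(allowed_grant), level, account))
    return statements, blocked

# Constructed sample: the acting account holds every privilege in this small
# set except FILE, and unchecks UPDATE for 'piet'@'%' at the global level.
ACTOR = {"SELECT", "INSERT", "UPDATE", "DELETE"}
STATEMENTS, BLOCKED = plan_privilege_change(
    current={"SELECT", "UPDATE"}, selected={"SELECT"},
    actor_privs=ACTOR, user="piet", host="%")

if __name__ == "__main__":
    print("\n".join(STATEMENTS))
    print("blocked:", BLOCKED)
```

Because no statement ever names a privilege the acting account lacks, the missing FILE privilege only matters when FILE itself is being changed, and in that case it shows up in the blocked list.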

Discussion

  • Marc Delisle
    2011-04-17

    Herman,
    here is what I tried on 3.4.0-rc1 and MySQL 5.1.55 (all done as root)
    1. create user herman with all global privileges except FILE
    2. give him SELECT and INSERT privilege on database X
    3. remove the INSERT privilege on database X: it worked
    4. revoke all his privileges on database X: it worked

    I don't understand "my dev super super".

     
  • These steps worked for you because you were logged in as root, which has all privileges.

    To replicate this you should log in as your herman user, and then try steps 2-4 on some random unprivileged user.

     
  • Marc Delisle
    2011-04-17

    For me it works also while logged on as the herman user who has all global privileges except FILE.

     
  • Marc Delisle
    2011-04-19

    • assigned_to: nobody --> lem9
    • status: open --> pending
     
  • I've replicated the problem on the demo server, please log in using user helmo with password "LFus4X968q4jABBw"

    Then just try to remove the global UPDATE privilege for user piet.

    When you have AJAX enabled it at first looks like the UPDATE privilege is dropped since the user table again shows 'USAGE' for piet. However when you refresh it's back.

     
    • status: pending --> open
     
  • Marc Delisle
    2011-04-20

    Ok but all this time (in your initial bug report and my subsequent interventions), we were not talking about changing global privileges, just database-specific privileges.

    Do you still have problems changing db-specific privileges?

     
  • Marc Delisle
    2011-04-20

    • assigned_to: lem9 --> nobody
     
  • Hmm, I was convinced that I experienced this for db-specific and global privileges.

    But as it stands I'm only able to reproduce this for global privs.

     
  • Marc Delisle
    2011-04-20

    Herman,
    are you asking for phpMyAdmin to not silently fail on this, or for a workaround so that your "almost privileged" user can remove a global privilege that he does not possess himself?

     