Regression in privileges of mysql debian-sys-maint user

Bug #1062716 reported by Alex Bligh on 2012-10-06
This bug affects 1 person
Affects: mysql-5.5 (Debian) | Status: Fix Released | Importance: Unknown
Affects: mysql-5.5 (Ubuntu) | Importance: High | Assigned to: Clint Byrum
Affects: Precise | Importance: High | Assigned to: Unassigned
Affects: Quantal | Importance: High | Assigned to: Unassigned

Bug Description

1. Ubuntu release:

# lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04

2. Version of package

# apt-cache policy mysql-server
mysql-server:
  Installed: 5.5.24-0ubuntu0.12.04.1
  Candidate: 5.5.24-0ubuntu0.12.04.1
  Version table:
 *** 5.5.24-0ubuntu0.12.04.1 0
        500 http://gb.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     5.5.22-0ubuntu1 0
        500 http://gb.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

3. Expected behaviour

mysql debian-sys-maint user has all mysql privileges.

4. What happened instead

mysql debian-sys-maint user has all mysql privileges except create_tablespace, causing creation of new users and grant of *.* privileges to fail.

5. Details.

This bug concerns privileges granted to the debian-sys-maint user under Precise, which represents a regression as compared to Lucid and mysql-server-5.0.

Under Lucid, the debian-sys-maint user has all privileges granted to it. This means it is possible for a package which needs to autoinstall without asking for password credentials interactively to use the debian-sys-maint user to create another user and grant that user appropriate privileges. On an appliance type install, the following might be used:

CREATE USER 'mypackageadminuser'@'localhost' IDENTIFIED BY 'randomlygeneratedpassword';
GRANT ALL PRIVILEGES ON *.* TO 'mypackageadminuser'@'localhost' WITH GRANT OPTION;

This approach succeeds on Lucid.

However, a change in Precise means that this process now fails. mysql 5.5 has added another privilege (create_tablespace), and for some reason debian-sys-maint does not have that. That means the second grant statement fails as (from the MySQL reference manual at http://dev.mysql.com/doc/refman/5.5/en/grant.html ):

"To use GRANT, you must have the GRANT OPTION privilege, ***and you must have the privileges that you are granting.***" (my emphasis)

The grant of *.* privileges fails (I believe) because of the lack of the create_tablespace privileges (that is the only difference in privileges between that and the root user). This causes such packages to fail to install even if rebuilt on Precise. I can see no particular reason why the debian-sys-maint user should not have this privilege.
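
An added example (not from the bug report or the mysql-5.5 packaging): a Python audit helper that parses `mysql -E` output of `SELECT * FROM mysql.user` and applies the rule quoted above to show which accounts cannot issue `GRANT ALL PRIVILEGES ON *.*`. The sample rows are constructed and shortened to four privilege columns, and the function names are hypothetical.

```python
import re

# Constructed sample of `mysql -E` (vertical) output for two mysql.user rows,
# shortened to a few privilege columns; not captured from a real server.
SAMPLE = """\
*************************** 1. row ***************************
                  Host: localhost
                  User: root
           Select_priv: Y
            Grant_priv: Y
      Create_user_priv: Y
Create_tablespace_priv: Y
*************************** 2. row ***************************
                  Host: localhost
                  User: debian-sys-maint
           Select_priv: Y
            Grant_priv: Y
      Create_user_priv: Y
Create_tablespace_priv: N
"""

ROW_SEP = re.compile(r"^\*+ \d+\. row \*+$")

def parse_vertical(text):
    """Turn `mysql -E` output into a list of {column: value} dicts."""
    rows = []
    for line in text.splitlines():
        if ROW_SEP.match(line.strip()):
            rows.append({})
        elif ":" in line and rows:
            col, _, val = line.partition(":")
            rows[-1][col.strip()] = val.strip()
    return rows

def audit(rows):
    """Map 'user@host' -> (missing *_priv columns, can issue GRANT ALL ON *.*)."""
    report = {}
    for row in rows:
        privs = {c: v for c, v in row.items() if c.endswith("_priv")}
        missing = sorted(c for c, v in privs.items() if v != "Y")
        # Rule quoted from the manual: the grantor needs GRANT OPTION and
        # every privilege it is granting, so a single 'N' blocks GRANT ALL.
        can_grant_all = privs.get("Grant_priv") == "Y" and not missing
        report[f"{row.get('User')}@{row.get('Host')}"] = (missing, can_grant_all)
    return report

if __name__ == "__main__":
    for account, (missing, ok) in audit(parse_vertical(SAMPLE)).items():
        print(account, "GRANT ALL possible" if ok else f"blocked, missing {missing}")
```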

Alex Bligh (ubuntu-alex-org) wrote :

I believe a patch like this (untested) will fix the issue

tags: added: patch
Alex Bligh (ubuntu-alex-org) wrote :

The attached disgusting hack fixes the issue on existing installs.

Alex Bligh (ubuntu-alex-org) wrote :

Here's a far shorter and less disgusting workaround that does not involve changing and restoring the MySQL root password

Changed in mysql-5.5 (Ubuntu):
importance: Undecided → High
Clint Byrum (clint-fewbar) wrote :

I did the port from 5.1 -> 5.5 and missed this. The fix seems quite straightforward. We should be able to go back and fix the privileges as well in the upgrade step of postinst.

Changed in mysql-5.5 (Ubuntu):
status: New → Triaged
assignee: nobody → Clint Byrum (clint-fewbar)
milestone: none → ubuntu-13.04-beta-1
Changed in mysql-5.5 (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High
Changed in mysql-5.5 (Ubuntu Quantal):
status: New → Triaged
importance: Undecided → High
Changed in mysql-5.5 (Ubuntu):
status: Triaged → Fix Committed
Changed in mysql-5.5 (Debian):
status: Unknown → New
Alex Bligh (ubuntu-alex-org) wrote :

Would an SRU for Precise be reasonable?

Clint Byrum (clint-fewbar) wrote :

Yes, totally reasonable, hence the 'Triaged' status there. If we weren't going to fix it, there would be no precise task, or it would say "Won't Fix".

Alex Bligh (ubuntu-alex-org) wrote :

Oops - my apologies for my launchpad newbiness. I misunderstood the fact that the milestone entry said only "Ubuntu ubuntu-13.04-beta-1" to mean no SRU on 12.04.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.5 - 5.5.28-0ubuntu1

---------------
mysql-5.5 (5.5.28-0ubuntu1) raring; urgency=low

  [ Alex Bligh ]
  * debian/mysql-server-5.5.postinst: Add Create_tablespace_priv which
    was missed in the 5.1 -> 5.5 transition, and regressed GRANT
    privileges for the debian-sys-maint user. (LP: #1062716)

  [ Clint Byrum ]
  * d/rules: Build with debug symbols (LP: #1014872)
 -- Clint Byrum <email address hidden> Tue, 27 Nov 2012 03:50:57 -0800

Changed in mysql-5.5 (Ubuntu):
status: Fix Committed → Fix Released
Changed in mysql-5.5 (Debian):
status: New → Fix Committed
Changed in mysql-5.5 (Debian):
status: Fix Committed → Fix Released
Rolf Leggewie (r0lf) wrote :

quantal has seen the end of its life and is no longer receiving any updates. Marking the quantal task for this ticket as "Won't Fix".

Changed in mysql-5.5 (Ubuntu Quantal):
status: Triaged → Won't Fix