I have discovered a difference between show grants for user@host and the mysql.db table. Why is this?
How can I resolve this? We are worried about security.
I ran a show grants against users in mysql.users. In mysql.users the user is user@xxx.xxx.xxx.xx and when I run show grants it says GRANT USAGE TO user@xxx.xxx.xxx.xx
This worried me as this user also seems to be able to access a database.
When I looked in mysql.db and information_schema.schema_privileges I can see the same user as user with a host of xxx.xxx.% with full access to that database.
What gives?
Edit – Deeper Explanation:
Here is what I have:
show grants for 'myuser'@'xxx.xxx.xxx.xxx';
It returns:
GRANT USAGE ON *.* TO 'myuser'@'xxx.xxx.xxx.xxx' IDENTIFIED BY PASSWORD 'xxxxxxxxxxxxxxxxx'
If I run:
select host,db,user from mysql.db where user='myuser';
I get:
+----------+------------+------------+
| host | db | user |
+----------+------------+------------+
|xxx.xxx.% | somedb | myuser |
+----------+------------+------------+
Don’t worry.
The
mysql.usertable mitigates specific global privileges on all databases.If a user is restricted to a specific database, you will only see database specific grants in the mysql.db table. A user restricted to a database does not need SUPER, PROCESS, SHUTDOWN, and privileges like these.
If you create a user withglobal privileges (thus landing the user in
mysql.user), you cannot revoke global privileges only to demote the user to a specfic database. If you try to do so with REVOKE commands, you will see the user inmysql.userwith the original Y values on all columns and the same user inmysql.dbwith Y values on database specific privileges.You must completely drop the user and create the user fresh with the lower privileges.
Here is an example based on the comments
The GRANT USAGE simply allows you to know what MD5 password is involved with authentication (if the password is not blank). Note that advdb can login from any IP address and only access the advertpro database.
The user does not need PROCESS privilege unless you want the user to see all processes in the processlist, even the one that belong to others.
The user does not need SUPER privilege unless you want the user to write in a read-only mysql instance, start and stop replication, zap binary logs, and things like these.
The user does not need SHUTDOWN privilege unless you want the user to shutdown mysql from the OS command line user the mysqladmin client program.
To copy the priv you are looking for,
SHOW GRANTS FOR 'user'@'xxx.xxx.xxx.%';OK let’s hack that:
This should it !!!
To dump the MySQL Grants in SQL, you can do
pt-show-grantsIt is much better to port the mysql grants using pt-show-grants.
Here is my personal emulation of what pt-show-grants does