MySQL GRANT PROXY – what does it mean

MySQLPROXY

I run:

show grants for root@localhost;

and I see

 GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION

From mysql docs:

https://dev.mysql.com/doc/refman/5.5/en/proxy-users.html

This enables the external user to be a proxy for the second user; that
is, to have the privileges of the second user. In other words, the
external user is a “proxy user” (a user who can impersonate or become
known as another user) and the second user is a “proxied user” (a user
whose identity can be taken on by a proxy user).

But I am not understanding what they mean. I got the system from another worker who left the job and want to make sure if everything is secure and do not know if this grant is even needed. But if it does not make any security issues, I can leave it.

Can somebody explain in more simple way?

Update:

How can I connect as as another user? I was trying various combinations, of username password, but I cannot make it connect.

For example I used user root, but password from another user, which did not work. Tried another user and root password, also did not work.

Update:

Or this maybe means that root user can connect as other user? How to do that at least for example if so?

Best Answer

MySQL User Authentication is a rather lengthy process to explain. I refer you to my 3.5-year-old answer to MySQL error: Access denied for user 'a'@'localhost' (using password: YES) so you can see the steps a user takes to authenticate.

What the PROXY grant does is allow one user to masquerade as another user and bypass MySQL's normal but lengthy user authentication protocol.

Such proxy grants could be a security hole if one knew of this and started taking advantage of it. The quickest way to deactivate this would be to run

TRUNCATE TABLE mysql.proxies_priv;
FLUSH PRIVILEGES;

This will wipe out the current proxy privileges.

Afterwards, if you want to restrict proxy privileges, go to the OS and do this:

cd /var/lib/mysql/mysql
chmod -w proxies_priv.*

This will prevent new proxy privileges from being created.

GIVE IT A TRY !!!

Related Solutions

MySQL GRANT requiring additional permissions

The fundamental problem you have is this:

You cannot grant another user a privilege which you yourself do not have; the GRANT OPTION privilege enables you to assign only those privileges which you yourself possess.

^{— http://dev.mysql.com/doc/refman/5.6/en/grant.html}

This makes sense, since if it were otherwise, then you could just grant privileges to yourself.

There is one way around this, depending on how much flexibility you have with the calling code -- stored procedures can run with the credentials of the defining user (as opposed to the invoking user). If the calling system could call a procedure instead of using GRANT ..., then you can create a procedure that is executable by the restricted user, granting other privileges as appropriate.

Mysql – How to give root@localhost permission to grant privileges in MySQL

I have dealt with this issue before.

When you ran

select count(1) UserTableColumnCount from information_schema.columns
where table_schema='mysql' and table_name='user';

you should have gotten 42. That's how many columns MySQL 5.5 has for mysql.user. Since you got 39, that means you must have upgraded from MySQL 5.1. That has 39 columns.

I wrote an earlier post about the number of columns in mysql.user in different versions : MySQL service stops after trying to grant privileges to a user

Here is the post where I dealt with this : mysql: Restore All privileges to admin user

Hopefully you could run

# mysql_upgrade --upgrade-system-tables

to realign mysql.user and have it autofill missing permissions with Y.

Give it a Try !!!

If you want to try to fix the mysql.user manually, here are the steps:

#
# Backup the mysql.user table
#
CREATE TABLE mysql.user_backup LIKE mysql.user;
INSERT INTO mysql.user_backup SELECT * FROM mysql.user;
#
# Add Missing Columns
#
ALTER TABLE mysql.user 
    ADD COLUMN Create_tablespace_priv enum('N','Y') NOT NULL DEFAULT 'N'
    AFTER Trigger_Priv
;
ALTER TABLE mysql.user ADD COLUMN plugin char(64);
ALTER TABLE mysql.user ADD COLUMN authentication_string text DEFAULT NULL;
#
# Give root user all privileges
#
UPDATE mysql.user SET
Select_priv='Y',Insert_priv='Y',Update_priv='Y',Delete_priv='Y',
Create_priv='Y',Drop_priv='Y',Reload_priv='Y',Shutdown_priv='Y',
Process_priv='Y',File_priv='Y',Grant_priv='Y',References_priv='Y',
Index_priv='Y',Alter_priv='Y',Show_db_priv='Y',Super_priv='Y',
Create_tmp_table_priv='Y',Lock_tables_priv='Y',Execute_priv='Y',
Repl_slave_priv='Y',Repl_client_priv='Y',Create_view_priv='Y',
Show_view_priv='Y',Create_routine_priv='Y',Alter_routine_priv='Y',
Create_user_priv='Y',Event_priv='Y',Trigger_priv='Y',
Create_tablespace_priv='Y'
WHERE user='root';
FLUSH PRIVILEGES;

That's it !!!

Best Answer

GIVE IT A TRY !!!

Related Solutions

MySQL GRANT requiring additional permissions

Mysql – How to give root@localhost permission to grant privileges in MySQL

Related Question