Mysql – how to “revoke” a “GRANT OPTION” from an thesql user/database

linuxMySQLmysql-5.5

i have a mysql installation with lots of users and grants. But one grant is unique, since its supposed to be a simple DB user and usually does not need GRANT privileges. However someone added it when the account where added. It looks like this:

GRANT USAGE ON *.* TO 'freg2'@'%' IDENTIFIED BY PASSWORD '*XXXXX';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, \
    REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, \
    LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, \
    CREATE ROUTINE, ALTER ROUTINE \
    ON `freg2`.* TO 'freg2'@'%' WITH GRANT OPTION;

I searched the net (and this site) for a solution on how to remove that "GRANT OPTION" thingy, without recreating the whole grant/account . so far without luck.

Is there really no way just to remove "this" privilege or right from that account ?

thanks in advance.

Best Answer

Just as usual...

root@localhost:playground > grant select, grant option on playground.* to asdf@localhost identified by 'asdf';
Query OK, 0 rows affected (0.02 sec)

root@localhost:playground > show grants for asdf@localhost;
+-------------------------------------------------------------------------------------------------------------+
| Grants for asdf@localhost                                                                                   |
+-------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'asdf'@'localhost' IDENTIFIED BY PASSWORD '*7F0C90A004C46C64A0EB9DDDCE5DE0DC437A635C' |
| GRANT SELECT ON `playground`.* TO 'asdf'@'localhost' WITH GRANT OPTION                                      |
+-------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

root@localhost:playground > revoke grant option on playground.* from asdf@localhost;
Query OK, 0 rows affected (0.00 sec)

root@localhost:playground > show grants for asdf@localhost;
+-------------------------------------------------------------------------------------------------------------+
| Grants for asdf@localhost                                                                                   |
+-------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'asdf'@'localhost' IDENTIFIED BY PASSWORD '*7F0C90A004C46C64A0EB9DDDCE5DE0DC437A635C' |
| GRANT SELECT ON `playground`.* TO 'asdf'@'localhost'                                                        |
+-------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

The manual is also as always very helpful.

Related Solutions

Mysql – Grant table privileges to a user connecting from any host

When you execute GRANT SELECT ON store.catalog TO 'wordpress'@'%';, mysqld wants to insert a row into the grant table mysql.tables_priv. Here is mysql.tables_priv:

mysql> show create table mysql.tables_priv\G
*************************** 1. row ***************************
       Table: tables_priv
Create Table: CREATE TABLE `tables_priv` (
  `Host` char(60) COLLATE utf8_bin NOT NULL DEFAULT '',
  `Db` char(64) COLLATE utf8_bin NOT NULL DEFAULT '',
  `User` char(16) COLLATE utf8_bin NOT NULL DEFAULT '',
  `Table_name` char(64) COLLATE utf8_bin NOT NULL DEFAULT '',
  `Grantor` char(77) COLLATE utf8_bin NOT NULL DEFAULT '',
  `Timestamp` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `Table_priv` set('Select','Insert','Update','Delete','Create','Drop','Grant','References','Index','Alter','Create View','Show view','Trigger') CHARACTER SET utf8 NOT NULL DEFAULT '',
  `Column_priv` set('Select','Insert','Update','References') CHARACTER SET utf8 NOT NULL DEFAULT '',
  PRIMARY KEY (`Host`,`Db`,`User`,`Table_name`),
  KEY `Grantor` (`Grantor`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT='Table privileges'
1 row in set (0.00 sec)

mysql>

Since you want to insert a row into mysql.table_priv where user='wordpress' and host='%', there has to exist a row in mysql.user where user='wordpress' and host='%'.

You also mentioned that you are using MySQL Workbench. You must be using 'root'@'localhost'. That would usually have all rights and a password.

If you want to just allow anonymous SELECT against that table, first run this:

GRANT USAGE ON *.* TO 'wordpress'@'%';

This will place wordpress@'%' into mysql.user. Afterwards, GRANT SELECT ON store.catalog TO 'wordpress'@'%' should run just fine.

You will have to see what other wordpress entries are in mysql.user. This should show what SQL GRANT commands you need:

SELECT CONCAT('GRANT SELECT ON store.catalog TO ',userhost,';') GrantCommand
FROM
(
    SELECT CONCAT('''',user,'''@''',host,'''') userhost
    FROM mysql.user WHERE user='wordpress'
) A;

Mysql – How to disable anonymous login

I figured it out. While /etc/mysql/my.cnf didn't have a password keypair stored, there was a password stored in /root/.my.cnf.

As soon as I commented out the password in /root/.my.cnf, I was not allowed to log in without a password (which is what I expected).

Best Answer

Related Solutions

Mysql – Grant table privileges to a user connecting from any host

Mysql – How to disable anonymous login

Related Question