The best thing you can do to understand this behaviour better is to ask the software vendor. If you don't want to grant those permissions, lodging a bug report might be appropriate.
I'm going to hazard a guess that EMS SQL Manager is trying to be too clever, and check whether you have Alter_routine_priv
or Create_routine_priv
so that it can return a warning or error before it tries sending your ALTER ROUTINE
to the database.
Most SQL Editors run lots of queries in the background to support "IntelliSense", speed up common queries, or provide background information, and a lot of the time they just don't make any sense (some of them are downright frightening).
The problem I see with what you propose is that a user who has the ability to grant privileges to other users... is, almost by definition, not a "limited" user.
You can't grant privileges at all without the GRANT
privilege, and even with that, you can't grant a specific privilege that you don't possess ... unless you have permission to manipulate the grant tables directly, in which case, you're not exactly a limited user either.
But, aha, here's your workaround.
Stored procedures run with the credentials of the user who defined them or as the explicitly-specified definer. (You have to have SUPER
to specify somebody else as DEFINER
.) Any user with the EXECUTE
privilege on a stored procedure can execute the procedure, and the procedure essentially escalates their privilege level while it is running.
If you wrap your administrative operations in (well-written) procedures, then you don't have to actually give the limited user permission to do anything, other than run the procedures.
DELIMITER $$
DROP PROCEDURE IF EXISTS `mysql`.`change_password` $$
-- root@localhost is an example; use an appropriate local user that has the
-- permissions that need to be available for the operation to succeed
CREATE DEFINER='root'@'localhost' PROCEDURE `mysql`.`change_password` (
IN dirty_user VARCHAR(16),
IN dirty_host VARCHAR(40),
IN dirty_password VARCHAR(41))
BEGIN
DECLARE encrypted_password TINYTEXT DEFAULT PASSWORD(dirty_password);
DECLARE clean_user TINYTEXT DEFAULT NULL;
DECLARE clean_host TINYTEXT DEFAULT NULL;
SELECT user, host
FROM mysql.user
WHERE user = dirty_user
AND host = dirty_host
INTO clean_user, clean_host;
IF clean_user IS NULL OR clean_host IS NULL THEN
SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'user/host provided does not exist';
END IF;
SET @_sql = CONCAT_WS('\'','SET PASSWORD FOR ',clean_user,'@',clean_host,' = ',encrypted_password,'');
PREPARE stmt FROM @_sql;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
SET @_sql = NULL;
END $$
DELIMITER ;
GRANT EXECUTE ON PROCEDURE mysql.change_password TO 'limited'@'%';
The 'limited'@'%' user can now change passwords for other users even though they don't have permission to do it themselves, by using CALL mysql.change_password('user','host','password');
.
This user does not have permissions themselves, but does have execute on the proc; they can't do it directly:
mysql> set password for 'wombat'@'localhost' = PASSWORD('secret');
ERROR 1044 (42000): Access denied for user 'limited'@'%' to database 'mysql'
... but they can do it this way. Note that "0 rows affected" is not a meaningful value.
mysql> call mysql.change_password('wombat','localhost','secret');
Query OK, 0 rows affected (0.00 sec)
Notes:
String-concatenated queries with input parameters are unacceptable, but the SET PASSWORD
statement does not accept ?
positional-parameters, so there's no choice here. To sanitize the inputs, I take care of the password by encrypting it in advance, outside the prepared statement, and concatenated the encrypted password there; I've sanitized the user and host by actually selecting them from the mysql.user table and using the values I've selected, also outside the prepared statement. If they aren't found, we can't set their password, so we throw an exception using SIGNAL
. If they are found, we concatenate the fetched values into the prepared statement, sanitizing them by this mechanism. It's still theoretically possible that bad data in the mysql.user table could render the quoting of the prepared statement invalid, but if you have bad data in the mysql.user table, then you have 2 problems (1 problem in addition to this one).
Any explicit GRANT EXECUTE
you've given at the procedure level disappears from the mysql.procs_priv
table if you drop and redefine the procedure, so if you make changes to the procedure, you have to re-grant the privileges to the limited user.
You need MySQL 5.5+ for the SIGNAL
statement to be valid. Below 5.5 you can replace it with a hack, something like CALL mysql.`change_password(): the user/host provided`; (note the backticks) which will throw a not quite as pretty, but still serviceable message complaining that the bogus procedure name quoted in the backticks... does not exist. Heh... ERROR 1305 (42000): PROCEDURE mysql.change_password(): the user/host provided does not exist
Best Answer
There is really nothing you can do to circumvent this. Why ???
Look at your third bulletpoint:
That bulletpoint is true for a user with
SUPER
privileges orroot@localhost
. Such a user cannot change a live connection's grants in full in the middle of an external or separate session. That has to be true even more so for a non-superuser.By definition, you should be able to revoke a privilege you could grant.
But look at the grants again
Notice that this user cannot give away its grants. Why not ??? The
WITH GRANT OPTION
is missing. So,theuser
cannot give away its grants to anyone else.What you are seeking is the opposite: to revoke the grants. In this case, you are revoking from yourself. Unfortunately, there is no such thing as
WITH REVOKE OPTION
.Switching to a database with
USE mydb
signals mysqld to trigger the reload oftheuser
's grants from all the grant tables (mysql.user
,mysql.db
,mysql.tables_priv
,mysql.columns_priv
). Doing this is far easier to implement that creating an option to revoke grants from a live connection (kinda like unsubscribing from a service that sends you email). Otherwise, grants would more frequently reload grants into RAM for mysqld or into a session's internal buffers. This would introduce some significant read traffic from these tables just for establishing grants.In light of all this, there are only fours things you can do:
USE mydb
(Best Option)SELECT
if the user istheuser