Regression in privileges of mysql debian-sys-maint user

Bug #1062716 reported by Alex Bligh
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
mysql-5.5 (Debian) | Fix Released | Unknown | |
mysql-5.5 (Ubuntu) | Fix Released | High | Clint Byrum |
Precise | Won't Fix | High | Unassigned |
Quantal | Won't Fix | High | Unassigned |

Bug Description

1. Ubuntu release:

# lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04

2. Version of package

# apt-cache policy mysql-server
mysql-server:
  Installed: 5.5.24-0ubuntu0.12.04.1
  Candidate: 5.5.24-0ubuntu0.12.04.1
  Version table:
 *** 5.5.24-0ubuntu0.12.04.1 0
        500 http://gb.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     5.5.22-0ubuntu1 0
        500 http://gb.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

3. Expected behaviour

mysql debian-sys-maint user has all mysql privileges.

4. What happened instead

mysql debian-sys-maint user has all mysql privileges except create_tablespace, causing creation of new users and grant of *.* privileges to fail.

5. Details.

This bug concerns privileges granted to the debian-sys-maint user under Precise, which represents a regression as compared to Lucid and mysql-server-5.0.

Under Lucid, the debian-sys-maint user has all privileges granted to it. This means it is possible for a package which needs to autoinstall without asking for password credentials interactively to use the debian-sys-maint user to create another user and grant that user appropriate privileges. On an appliance type install, the following might be used:

CREATE USER 'mypackageadminuser'@'localhost' IDENTIFIED BY 'randomlygeneratedpassword';
GRANT ALL PRIVILEGES ON *.* TO 'mypackageadminuser'@'localhost' WITH GRANT OPTION;

This approach succeeds on Lucid.

However, a change in Precise means that this process now fails. mysql 5.5 has added another privilege (create_tablespace), and for some reason debian-sys-maint does not have that. That means the second grant statement fails as (from the MySQL reference manual at http://dev.mysql.com/doc/refman/5.5/en/grant.html ):

"To use GRANT, you must have the GRANT OPTION privilege, ***and you must have the privileges that you are granting.***" (my emphasis)

The grant of *.* privileges fails (I believe) because of the lack of the create_tablespace privileges (that is the only difference in privileges between that and the root user). This causes such packages to fail to install even if rebuilt on Precise. I can see no particular reason why the debian-sys-maint user should not have this privilege.

Tags: patch
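
An audit sketch for the condition described in this report, added here as an example and not part of the original bug report or the Ubuntu packaging: it parses the mysql client's vertical (`\G`) output for a `mysql.user` row and lists the global privilege columns that are not `Y`, which is what blocks `GRANT ALL PRIVILEGES ON *.*`. The sample row is constructed and abbreviated, and the function names are hypothetical.

```python
import re

# Constructed sample: the shape of
#   SELECT * FROM mysql.user WHERE User='debian-sys-maint'\G
# on an affected MySQL 5.5 install, abbreviated to a few columns.
SAMPLE = """\
*************************** 1. row ***************************
                  Host: localhost
                  User: debian-sys-maint
           Select_priv: Y
           Insert_priv: Y
            Grant_priv: Y
      Create_user_priv: Y
            Event_priv: Y
          Trigger_priv: Y
Create_tablespace_priv: N
              ssl_type:
"""

ROW_SEP = re.compile(r"^\*+ \d+\. row \*+$")


def parse_vertical(text):
    """Parse mysql client \\G output into a list of {column: value} dicts."""
    rows = []
    for line in text.splitlines():
        if ROW_SEP.match(line.strip()):
            rows.append({})          # a new result row starts here
        elif rows and ":" in line:
            col, _, val = line.partition(":")
            rows[-1][col.strip()] = val.strip()
    return rows


def audit(row):
    """Return (account, missing global privilege columns, can_grant_all)."""
    account = "%s@%s" % (row.get("User", "?"), row.get("Host", "?"))
    missing = sorted(c for c, v in row.items()
                     if c.endswith("_priv") and v != "Y")
    # GRANT rule quoted in the report: the grantor needs GRANT OPTION
    # (Grant_priv) and every privilege it is granting. Assumption: for
    # ALL PRIVILEGES ON *.* that means every *_priv column must be 'Y'.
    return account, missing, not missing


if __name__ == "__main__":
    for r in parse_vertical(SAMPLE):
        print(audit(r))
```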
Alex Bligh (ubuntu-alex-org) wrote :

I believe a patch like this (untested) will fix the issue

Alex Bligh (ubuntu-alex-org) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch to add create_tablespace privilege" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Alex Bligh (ubuntu-alex-org) wrote :

The attached disgusting hack fixes the issue on existing installs.

Alex Bligh (ubuntu-alex-org) wrote :

Here's a far shorter and less disgusting workaround that does not involve changing and restoring the MySQL root password

Changed in mysql-5.5 (Ubuntu):
importance: Undecided → High
Clint Byrum (clint-fewbar) wrote :

I did the port from 5.1 -> 5.5 and missed this. The fix seems quite straightforward. We should be able to go back and fix the privileges as well in the upgrade step of postinst.

Changed in mysql-5.5 (Ubuntu):
status: New → Triaged
assignee: nobody → Clint Byrum (clint-fewbar)
milestone: none → ubuntu-13.04-beta-1
Changed in mysql-5.5 (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High
Changed in mysql-5.5 (Ubuntu Quantal):
status: New → Triaged
importance: Undecided → High
Changed in mysql-5.5 (Ubuntu):
status: Triaged → Fix Committed
Changed in mysql-5.5 (Debian):
status: Unknown → New
Alex Bligh (ubuntu-alex-org) wrote :

Would an SRU for Precise be reasonable?

Clint Byrum (clint-fewbar) wrote :

Yes totally reasonable, hence the 'Triaged' status there. If we weren't going to fix it, there would be no precise task, or it would say "Won't Fix"

Alex Bligh (ubuntu-alex-org) wrote :

Oops - my apologies for my launchpad newbiness. I misunderstood the fact that the milestone entry said only "Ubuntu ubuntu-13.04-beta-1" to mean no SRU on 12.04.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.5 - 5.5.28-0ubuntu1

---------------
mysql-5.5 (5.5.28-0ubuntu1) raring; urgency=low

  [ Alex Bligh ]
  * debian/mysql-server-5.5.postinst: Add Create_tablespace_priv which
    was missed in the 5.1 -> 5.5 transition, and regressed GRANT
    privileges for the debian-sys-maint user. (LP: #1062716)

  [ Clint Byrum ]
  * d/rules: Build with debug symbols (LP: #1014872)
 -- Clint Byrum <email address hidden> Tue, 27 Nov 2012 03:50:57 -0800

Changed in mysql-5.5 (Ubuntu):
status: Fix Committed → Fix Released
Changed in mysql-5.5 (Debian):
status: New → Fix Committed
Changed in mysql-5.5 (Debian):
status: Fix Committed → Fix Released
Rolf Leggewie (r0lf) wrote :

quantal has seen the end of its life and is no longer receiving any updates. Marking the quantal task for this ticket as "Won't Fix".

Changed in mysql-5.5 (Ubuntu Quantal):
status: Triaged → Won't Fix
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in mysql-5.5 (Ubuntu Precise):
status: Triaged → Won't Fix