Tuesday, April 19, 2011

Explaining what the default PROXY privilege for root does

In a default MySQL 5.5.8 installation there is one PROXY privilege:

GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION

What this does:
If USER() and CURRENT_USER() don't match, root is still allowed to grant the PROXY privilege.

So if you connect as someuser@localhost using LDAP, and LDAP says you're root, then you're still allowed to grant PROXY privileges. This only works if your user has the privilege to proxy to root.

The documentation for PROXY is here.
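
A read-only audit of the grants described above, as an added example that is not part of the original post. It assumes the MySQL 5.5 grant tables (mysql.proxies_priv and mysql.user) and an account allowed to read them; the risk_note labels are this example's own wording.

```sql
-- 1. Current session: USER() is the account that authenticated,
--    CURRENT_USER() is the account whose privileges apply.
--    When the two differ, @@proxy_user is non-NULL and the session
--    is running as a proxied user.
SELECT USER()         AS authenticated_as,
       CURRENT_USER() AS privileges_of,
       @@proxy_user   AS proxy_account;

-- 2. Every PROXY grant on the server, with the grantee's auth plugin.
--    The default row from this post shows up as
--    grantee 'root'@'localhost', may_proxy_as ''@'', with_grant_option 1.
SELECT CONCAT(QUOTE(p.User), '@', QUOTE(p.Host))                 AS grantee,
       CONCAT(QUOTE(p.Proxied_user), '@', QUOTE(p.Proxied_host)) AS may_proxy_as,
       p.With_grant                                              AS with_grant_option,
       u.plugin                                                  AS grantee_auth_plugin,
       CASE
         WHEN p.Proxied_user = '' AND p.Proxied_host = '' AND p.With_grant = 1
           THEN 'any account, and may grant PROXY to others'
         WHEN p.Proxied_user = '' AND p.Proxied_host = ''
           THEN 'any account'
         WHEN p.Proxied_user = 'root'
           THEN 'root: proxied sessions can grant PROXY via the default root row'
         ELSE 'single named account'
       END                                                       AS risk_note,
       p.Grantor,
       p.Timestamp
FROM mysql.proxies_priv AS p
LEFT JOIN mysql.user AS u
       ON u.User = p.User AND u.Host = p.Host
ORDER BY p.With_grant DESC, grantee;
```

Any row other than the default whose may_proxy_as is root or ''@'' is worth reviewing, because a session proxied to root can hand out further PROXY grants.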
