Search code examples
mysqlprivileges

MySQL permissions to see all databases

I have a few users on my server who have access to every MySQL database. I'm trying to revoke privileges but I'm not sure how to go about it.

For example: I have a user bob who has access to every database on my server. I run the following to see which privileges bob has:

mysql -e "select * from information_schema.user_privileges;" | grep bob
'bob'@'%'       def     SELECT  NO
'bob'@'%'       def     INSERT  NO
'bob'@'%'       def     UPDATE  NO
'bob'@'%'       def     DELETE  NO
'bob'@'%'       def     CREATE  NO
'bob'@'%'       def     FILE    NO
'bob'@'%'       def     CREATE USER     NO

Nothing jumps out like GRANT, ALL or SUPER. I create a new database sometest, switch to bob's account and see that bob has access to sometest. Not sure what I am missing here.

Edit: I ran SHOW GRANTS FOR 'bob'@'%'; and see:

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN,
  PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, 
  LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, 
  CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE 
  ON *.* TO 'bob'@'%'

1) How does one drop this permission? I assume if I run:

REVOKE SELECT, INSERT,... on *.* to 'bob'@'%';

it will remove permissions like

GRANT ALL ON bobsdb.* TO 'bob'@'%';

which I don't want to happen. But maybe it's best to just remove all privileges and build them back up from scratch.

2) How does one identify all permissions like this? Do I have to look over every user?

Solution

  • You should be able to view the users' grants using the command:

    SHOW GRANTS FOR 'bob'@'localhost';

    From the MySQL manual:

    The SHOW DATABASES privilege enables the account to see database names by issuing the SHOW DATABASE statement. Accounts that do not have this privilege see only databases for which they have some privileges, and cannot use the statement at all if the server was started with the --skip-show-database option. Note that any global privilege is a privilege for the database.

    If SHOW DATABASES is enabled, revoke that permission.

    REVOKE SHOW DATABASES ON *.* FROM 'bob'@'localhost';

    Lastly, reload all the privileges using the command:

    FLUSH PRIVILEGES;

    (or restart MySQL - if that's an option - often it's not).

    P.S: You might need to replace 'localhost' with your db hostname.

    Some references:

    Edit:

    To answer your questions:

    1) How does one drop this permission? I assume if I run: REVOKE SELECT, INSERT,... on *.* to 'bob'@'%';

    You could simply run REVOKE ALL ON *.* TO 'bob'@'%';

    2) How does one identify all permissions like this? Do I have to look over every user?

    See this blog post. Disclamer: I am not associated with this blog.