MySQL SYSTEM_USER Dynamic Privilege
To modify users, you need either the CREATE USER privilege or the UPDATE privilege on the mysql schema. We have added the SYSTEM_USER dynamic privilege to make it possible to protect users against the first case: modification by other users who have the CREATE USER privilege. An account that has the SYSTEM_USER privilege cannot be modified by an account that does not have SYSTEM_USER, even if that account has CREATE USER.
In this blog post we cover the first use case. Preventing users from being modified by accounts that have the UPDATE privilege on the mysql schema is covered in a following blog post.
How does the SYSTEM_USER privilege work?
The SYSTEM_USER privilege enforces the contract that if you are modifying a user who has been granted the SYSTEM_USER privilege, then in addition to the privileges needed to modify users, you also need to have the SYSTEM_USER privilege. In other words, a user who has both the SYSTEM_USER and CREATE USER privileges can modify users who have the SYSTEM_USER privilege.
Let us understand this better through examples:
As root, create two users. One user has the CREATE USER privilege and the other has the SYSTEM_USER privilege.
Now, try to change the password of elite_user from admin_user.
Go back to the root session and create another user who has both privileges.
Try to modify power_user through the newly created user.
What if the privilege is granted through roles?
If a role is granted to a user, then the user gets the abilities of the role in a given session only after activating that role. If a user is not granted SYSTEM_USER directly but only through one or more roles, sessions for that user do not have SYSTEM_USER unless a role with SYSTEM_USER is activated. Once such a role is activated, the user becomes capable of modifying other users who have the SYSTEM_USER privilege.
Let us understand this through examples.
Create a role that has the SYSTEM_USER privilege. Grant that role to admin_user, whom we created in the previous example.
Even though the role is granted to admin_user, that user is able to modify elite_user only after activating that role.
When can the SYSTEM_USER privilege be granted to or revoked from other users?
Only if you have the SYSTEM_USER privilege granted with GRANT OPTION. As we can see, even if a user has the SUPER privilege with GRANT OPTION, it cannot revoke SYSTEM_USER from another user.
If the user has SYSTEM_USER with GRANT OPTION, it becomes able to revoke SYSTEM_USER from the other user.
Can you escalate privileges through functions or stored programs?
If you have the SET_USER_ID privilege, then you can create a stored program with the DEFINER attribute and set the DEFINER attribute to any user.
That means you could grant yourself the SYSTEM_USER privilege by specifying a user who has SYSTEM_USER in the DEFINER attribute. Clever, no?
Well, not really. To set the DEFINER to a user who has the SYSTEM_USER privilege you must also have the SYSTEM_USER privilege in addition to the SET_USER_ID privilege.
Let us understand this through examples:
There are three users. As shown here, admin_user has privileges to create stored programs, elite_user can execute programs and has SYSTEM_USER, and regular_user can execute programs but does not have SYSTEM_USER.
admin_user tries to create a stored program using a definer that has the SYSTEM_USER privilege, but it gets an error.
Trying to grant the SYSTEM_USER privilege from within the stored program is also blocked.
The behavior of other database objects that accept the DEFINER attribute is similar to what is shown above. These objects are: function, view, trigger, event.
There will be interesting situations in the case of roles. I should not have all the fun by myself, so I leave those situations for you to try.
In this blog post we learned the purpose of the SYSTEM_USER privilege and how it works.
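The three checks discussed above (CREATE USER alone, role activation, and the DEFINER attribute), as an added SQL walkthrough that is not part of the original post. Account, role, database and procedure names are constructed for it, it assumes MySQL 8.0.16 or later, and each block is meant to be run in the session named in its comment:

```sql
-- === Session 1: root ===
CREATE DATABASE IF NOT EXISTS demo;
CREATE USER 'admin_user'@'localhost' IDENTIFIED BY 'AdminPw-1';
CREATE USER 'elite_user'@'localhost' IDENTIFIED BY 'ElitePw-1';
-- admin_user can create users and routines and set DEFINER, but has no SYSTEM_USER
GRANT CREATE USER, CREATE ROUTINE ON *.* TO 'admin_user'@'localhost';
GRANT SET_USER_ID ON *.* TO 'admin_user'@'localhost';
-- elite_user is the protected account
GRANT SYSTEM_USER ON *.* TO 'elite_user'@'localhost';
-- a role carrying SYSTEM_USER, granted to admin_user but not yet active
CREATE ROLE 'sys_role';
GRANT SYSTEM_USER ON *.* TO 'sys_role';
GRANT 'sys_role' TO 'admin_user'@'localhost';

-- === Session 2: admin_user (no role active yet) ===
-- CREATE USER alone does not allow modifying a SYSTEM_USER account:
ALTER USER 'elite_user'@'localhost' IDENTIFIED BY 'Changed-1';
-- -> access denied: SYSTEM_USER is required

-- SET_USER_ID does not allow borrowing a SYSTEM_USER account as DEFINER either:
CREATE DEFINER = 'elite_user'@'localhost' PROCEDURE demo.p_noop() BEGIN END;
-- -> access denied for the same reason

-- Activate the role: the session now holds SYSTEM_USER via the role.
SET ROLE 'sys_role';
ALTER USER 'elite_user'@'localhost' IDENTIFIED BY 'Changed-1';
-- -> succeeds
CREATE DEFINER = 'elite_user'@'localhost' PROCEDURE demo.p_noop() BEGIN END;
-- -> succeeds

-- === Session 1: root, audit ===
-- Which accounts and roles hold SYSTEM_USER, and which of them may grant or revoke it
SELECT USER, HOST, WITH_GRANT_OPTION
  FROM mysql.global_grants
 WHERE PRIV = 'SYSTEM_USER';
```

The final query is the check to run after any grant review: every row with WITH_GRANT_OPTION = 'Y' can hand SYSTEM_USER to other accounts, so that list should be short and deliberate.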