Hi Michael,
you raised an interesting question.
I created a new account (testroot) I gave him all privileges - except the GRANT privilege.
GRANT ALL ON *.* TO 'testroot'@'%' IDENTIFIED BY 'xxx';
mysql> show grants for testroot;
+----------------------------------------------------------------------------------------------------------------------+
| Grants for [EMAIL PROTECTED] |
+----------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'testroot'@'%' IDENTIFIED BY PASSWORD
'*70d5f00b26968dc1967b0679b54b2e2d0479c55c96c1' |
+----------------------------------------------------------------------------------------------------------------------+
This is what I got when trying to revoke the mysql database privileges:
mysql> REVOKE ALL ON mysql.* FROM testroot; ERROR 1141: There is no such grant defined for user 'testroot' on host '%'
So this means that by default those users cant access the mysql privilege database anyway (which makes sense to me).
That's incorrect. The reason the REVOKE fails is because you have privileges listed for *.*, not for mysql.*. That's why where is no match. I believe that if you connect as testroot, you'll find that you can indeed access the mysql database.
Above is just a sample. Its probably not exactly what you are after, but I think the point about the privilege database becomes clearer.
For other databases I believe you have to define one at a time, which allows you to set it up exactly to your needs.
Hope that helps.
Best regards
Nils Valentin Tokyo/Japan
-- Paul DuBois, Senior Technical Writer Madison, Wisconsin, USA MySQL AB, www.mysql.com
Are you MySQL certified? http://www.mysql.com/certification/
-- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
