Hi All!

Here is a funny thing I come across when investigating our privilege control
system. Consider the following situation:

mysql> GRANT ALL ON `%o`.* TO rafal;
mysql> GRANT SELECT ON foo.* TO rafal;

The intention is that rafal has all privileges for all objects in databases
whose name ends with 'o' but he has read-only access to the tables in the 'foo'
database.

Now imagine DBA decides that rafal should no longer be able to see the data
inside the foo database. Then he might issue command

mysql> REVOKE ALL ON foo.* FROM rafal;

and... tada! rafal has all rights to all tables inside database 'foo'.

The reason is that REVOKE command, when it sees that all rights have been
revoked, removes the corresponding entry in the privilege table inside mysql
database (mysql.db in that case). But removing such entry doesn't mean that all
rights will be taken away, since, as this example illustrates, some other entry
can apply after removing that one and in fact give more rights than before!

A solution would be to not remove any entries when REVOKE is executed - just
clear the corresponding flags in the existing entry.

Best,
Rafal