
    Too many accounts with SUPER privileges

    Description

    The SUPER privilege gives a user administrator-level capabilities and should be granted only to users who are supposed to administer the MySQL instance.

    The SUPER privilege:

    • Enables server configuration changes by modifying global system variables. For some system variables, setting the session value also requires the SUPER privilege.
      If a system variable is restricted and requires a special privilege to set the session value, the variable description indicates that restriction. Examples include binlog_format, sql_log_bin, and sql_log_off. For more information, see System Variable Privileges in the MySQL documentation.

    • Enables changes to global transaction characteristics. For more information, see SET TRANSACTION Statement in the MySQL documentation.

    • Enables the account to start and stop replication.
    • Enables use of the CHANGE MASTER TO statement.
    • Enables binary log control by means of the PURGE BINARY LOGS and BINLOG statements.
    • Enables setting the effective authorization ID when executing a view or stored program. A user with this privilege can specify any account in the DEFINER attribute of a view or stored program.
    • Enables use of the CREATE SERVER, ALTER SERVER, and DROP SERVER statements.
    • Enables use of the mysqladmin debug command.
    • Enables reading the DES key file by the DES_ENCRYPT() function.
    • Enables control over client connections not permitted to non-SUPER accounts:
      • Enables use of the KILL statement or mysqladmin kill command to kill threads belonging to other accounts. An account can always kill its own threads.
      • The server does not execute init_connect system variable content when SUPER clients connect.
      • The server accepts one connection from a SUPER client even if the connection limit configured by the max_connections system variable is reached.
      • Updates can be performed even when the read_only system variable is enabled. This applies to explicit table updates, and to use of account-management statements such as GRANT and REVOKE that update tables implicitly.

    Best practices recommend granting SUPER directly to a single user and using roles to manage any other account that may need this high level of privilege.

    Resolution

    Revoke the SUPER privilege from users who are not supposed to be MySQL instance administrators.

    REVOKE SUPER ON *.* FROM 'user'@'host';
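
The audit and role-based cleanup described above, as an added example that is not part of Percona's documentation. It assumes MySQL 8.0 or later (roles are not available before that); the role name `instance_admin` and the account `'app_dba'@'10.0.0.%'` are hypothetical.

```sql
-- Added example: role and account names are hypothetical placeholders.

-- 1. Audit: list every account that holds SUPER directly.
--    Built-in accounts such as 'mysql.session'@'localhost' may appear here too.
SELECT user, host, account_locked
FROM mysql.user
WHERE Super_priv = 'Y'
ORDER BY user, host;

-- 2. Create one role that carries SUPER instead of granting it per account.
CREATE ROLE 'instance_admin';
GRANT SUPER ON *.* TO 'instance_admin';

-- 3. Move an account from a direct grant to the role.
REVOKE SUPER ON *.* FROM 'app_dba'@'10.0.0.%';
GRANT 'instance_admin' TO 'app_dba'@'10.0.0.%';

-- 4. Verify: the first statement should no longer show SUPER,
--    the second shows what the account gets once the role is active.
SHOW GRANTS FOR 'app_dba'@'10.0.0.%';
SHOW GRANTS FOR 'app_dba'@'10.0.0.%' USING 'instance_admin';

-- 5. Review who has been granted the role, for periodic access reviews.
SELECT TO_USER AS member_user, TO_HOST AS member_host
FROM mysql.role_edges
WHERE FROM_USER = 'instance_admin';

-- 6. In the account's own session the role is inactive until it is
--    activated, so SUPER applies only when explicitly requested:
--    SET ROLE 'instance_admin';
```

After step 2 the role itself is stored as a locked row in `mysql.user`, so it shows up in the step 1 audit alongside the single direct administrator.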
    

    Need more support from Percona?

    Subscribe to Percona Platform to get database support with guaranteed SLAs or proactive database management services from the Percona team.


    For free technical help, visit the Percona Community Forum.

    To report bugs or submit feature requests, open a JIRA ticket.

    For paid support and managed or consulting services, contact Percona Sales.

    2024-03-08
    Percona LLC and/or its affiliates, © 2024