authorSergei Golubchik <serg@mariadb.org>2019-02-19 12:58:11 +0100
committerSergei Golubchik <serg@mariadb.org>2019-02-21 15:04:03 +0100
commit4386d93500bea0169d0d0d0d9112f47b849d60e4 (patch)
tree5bfb5b9212308c50f0c6324de00422ac3fdd3909
parenta94b20a8e0d9e64eeaabdaaa7a3e03fcdb8a686e (diff)
downloadmariadb-git-4386d93500bea0169d0d0d0d9112f47b849d60e4.tar.gz
MDEV-18297 How to reset a forgotten root password
After FLUSH PRIVILEGES, remember whether the connection started under --skip-grant-tables and keep it all-powerful, not a lowly anonymous user. One could use this connection to reset passwords as needed. Also fix a crash in SHOW CREATE USER.
-rw-r--r--mysql-test/main/skip_grants.result36
-rw-r--r--mysql-test/main/skip_grants.test43
-rw-r--r--sql/sql_acl.cc6
-rw-r--r--sql/sql_db.cc2
-rw-r--r--sql/sql_table.cc15
5 files changed, 62 insertions, 40 deletions
diff --git a/mysql-test/main/skip_grants.result b/mysql-test/main/skip_grants.result
index de263074b61..9710f643acb 100644
--- a/mysql-test/main/skip_grants.result
+++ b/mysql-test/main/skip_grants.result
@@ -1,14 +1,4 @@
use test;
-DROP VIEW IF EXISTS v1;
-DROP VIEW IF EXISTS v2;
-DROP VIEW IF EXISTS v3;
-DROP TABLE IF EXISTS t1;
-DROP PROCEDURE IF EXISTS p1;
-DROP PROCEDURE IF EXISTS p2;
-DROP PROCEDURE IF EXISTS p3;
-DROP FUNCTION IF EXISTS f1;
-DROP FUNCTION IF EXISTS f2;
-DROP FUNCTION IF EXISTS f3;
CREATE TABLE t1(c INT);
CREATE TRIGGER t1_bi BEFORE INSERT ON t1
FOR EACH ROW
@@ -95,3 +85,29 @@ Acl_role_grants 0
Acl_roles 0
Acl_table_grants 0
Acl_users 0
+show create user root@localhost;
+ERROR HY000: The MariaDB server is running with the --skip-grant-tables option so it cannot execute this statement
+insert mysql.global_priv values ('foo', 'bar', '{}');
+insert mysql.global_priv values ('baz', 'baz', '{"plugin":"baz"}');
+set password for bar@foo = password("pass word");
+ERROR HY000: The MariaDB server is running with the --skip-grant-tables option so it cannot execute this statement
+flush privileges;
+show create user root@localhost;
+CREATE USER for root@localhost
+CREATE USER 'root'@'localhost'
+show create user bar@foo;
+CREATE USER for bar@foo
+CREATE USER 'bar'@'foo'
+show create user baz@baz;
+CREATE USER for baz@baz
+CREATE USER 'baz'@'baz' IDENTIFIED VIA baz
+set password for bar@foo = password("pass word");
+show create user bar@foo;
+CREATE USER for bar@foo
+CREATE USER 'bar'@'foo' IDENTIFIED BY PASSWORD '*EDBBEA7F4E7B5D8B0BC8D7AC5D1936FB7DA10611'
+alter user baz@baz identified with mysql_native_password as password("baz");
+show create user baz@baz;
+CREATE USER for baz@baz
+CREATE USER 'baz'@'baz' IDENTIFIED BY PASSWORD '*E52096EF8EB0240275A7FE9E069101C33F98CF07'
+drop user bar@foo;
+drop user baz@baz;
diff --git a/mysql-test/main/skip_grants.test b/mysql-test/main/skip_grants.test
index 5f79404e7e4..ccad3c2d13f 100644
--- a/mysql-test/main/skip_grants.test
+++ b/mysql-test/main/skip_grants.test
@@ -15,26 +15,6 @@ use test;
# - BUG#13504: creation view with DEFINER clause if --skip-grant-tables
#
-# Prepare.
-
---disable_warnings
-
-DROP VIEW IF EXISTS v1;
-DROP VIEW IF EXISTS v2;
-DROP VIEW IF EXISTS v3;
-
-DROP TABLE IF EXISTS t1;
-
-DROP PROCEDURE IF EXISTS p1;
-DROP PROCEDURE IF EXISTS p2;
-DROP PROCEDURE IF EXISTS p3;
-
-DROP FUNCTION IF EXISTS f1;
-DROP FUNCTION IF EXISTS f2;
-DROP FUNCTION IF EXISTS f3;
-
---enable_warnings
-
# Test case.
CREATE TABLE t1(c INT);
@@ -137,3 +117,26 @@ select no_such_function(1);
# MDEV-8280 crash in 'show global status' with --skip-grant-tables
#
show global status like 'Acl%';
+
+#
+# MDEV-18297
+# How to reset a forgotten root password
+#
+--error ER_OPTION_PREVENTS_STATEMENT
+show create user root@localhost;
+insert mysql.global_priv values ('foo', 'bar', '{}');
+insert mysql.global_priv values ('baz', 'baz', '{"plugin":"baz"}');
+--error ER_OPTION_PREVENTS_STATEMENT
+set password for bar@foo = password("pass word");
+flush privileges;
+show create user root@localhost;
+show create user bar@foo;
+show create user baz@baz;
+set password for bar@foo = password("pass word");
+show create user bar@foo;
+alter user baz@baz identified with mysql_native_password as password("baz");
+show create user baz@baz;
+drop user bar@foo;
+drop user baz@baz;
+# need to restart the server to restore the --skip-grant state
+--source include/restart_mysqld.inc
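Review bot: The added MDEV-18297 block only exercises the single connection that issued `flush privileges;`, so it does not pin down how far the retained privilege reaches. Two cases are untested: a second `flush privileges;` on the same connection followed by another `set password`, and a fresh connection opened after the flush, which should be authenticated normally rather than inherit the all-powerful state. Repeating `flush privileges;` before the `alter user baz@baz ...` line would cover the first case with one extra statement. The second case needs a new connection attempt with wrong credentials under `--error ER_ACCESS_DENIED_ERROR`.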
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index ee07bfd2680..b441356df26 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -2557,6 +2557,7 @@ static bool acl_load(THD *thd, const Grant_tables& tables)
init_check_host();
+ thd->bootstrap= !initialized; // keep FLUSH PRIVILEGES connection special
initialized=1;
DBUG_RETURN(FALSE);
}
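Review bot: The added `thd->bootstrap= !initialized;` is an unconditional assignment, so as well as setting the flag on the first load it clears it on every later acl_load for the same THD. A second FLUSH PRIVILEGES from the recovery connection would then appear to drop the special status the commit message promises, and a THD already in bootstrap mode for another reason would lose it too; if only the transition is meant, `if (!initialized) thd->bootstrap= true;` states that. The trailing comment could also spell out the consequence, e.g. `// first load under --skip-grant-tables: keep this session all-powerful so passwords can be reset`, because the server has to stay unreachable to untrusted clients while such a session can exist. acl_load begins outside the hunk, so its callers and any earlier handling of the flag are not visible here.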
@@ -8908,6 +8909,11 @@ bool mysql_show_create_user(THD *thd, LEX_USER *lex_user)
uint head_length;
DBUG_ENTER("mysql_show_create_user");
+ if (!initialized)
+ {
+ my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--skip-grant-tables");
+ DBUG_RETURN(TRUE);
+ }
if (check_show_access(thd, lex_user, &username, &hostname, NULL))
DBUG_RETURN(TRUE);
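Review bot: The new `if (!initialized)` guard in mysql_show_create_user carries no comment saying what it protects; the commit message only mentions a crash in SHOW CREATE USER. If the reason is that no ACL data is loaded in that state, a line such as `/* ACL data is not loaded under --skip-grant-tables, nothing to look up */` would keep a later cleanup from removing the check as redundant with check_show_access. `initialized` is read here without any visible lock, so whether this is safe against a concurrent FLUSH PRIVILEGES depends on code outside the hunk. The function body continues past the hunk.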
diff --git a/sql/sql_db.cc b/sql/sql_db.cc
index fcf07f7f920..61d8f12deaa 100644
--- a/sql/sql_db.cc
+++ b/sql/sql_db.cc
@@ -882,7 +882,7 @@ mysql_rm_db_internal(THD *thd, const LEX_CSTRING *db, bool if_exists, bool silen
lock_db_routines(thd, dbnorm))
goto exit;
- if (!thd->bootstrap && !rm_mysql_schema)
+ if (!rm_mysql_schema)
{
for (table= tables; table; table= table->next_local)
{
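Review bot: Dropping `!thd->bootstrap` from this condition makes the per-table loop run for genuine bootstrap threads as well, not only for the post-FLUSH recovery connection that now carries the flag. The same applies to the statistics loop in mysql_rm_table in sql/sql_table.cc. If the old guard existed because the statistics tables can be missing or unopenable during bootstrap, that case is now reached, and in sql_table.cc the result of delete_statistics_for_table is discarded with `(void)`, so a failure there would go unnoticed. A short comment such as `/* also runs in bootstrap: thd->bootstrap is now set after FLUSH PRIVILEGES under --skip-grant-tables */` would record why the test was removed. The loop body in this hunk lies outside the visible lines.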
diff --git a/sql/sql_table.cc b/sql/sql_table.cc
index a5e55695d02..7348a5a07c1 100644
--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -2098,16 +2098,13 @@ bool mysql_rm_table(THD *thd,TABLE_LIST *tables, bool if_exists,
}
}
/* We remove statistics for table last, after we have the DDL lock */
- if (!thd->bootstrap)
+ for (table= tables; table; table= table->next_local)
{
- for (table= tables; table; table= table->next_local)
- {
- LEX_CSTRING db_name= table->db;
- LEX_CSTRING table_name= table->table_name;
- if (table->open_type == OT_BASE_ONLY ||
- !thd->find_temporary_table(table))
- (void) delete_statistics_for_table(thd, &db_name, &table_name);
- }
+ LEX_CSTRING db_name= table->db;
+ LEX_CSTRING table_name= table->table_name;
+ if (table->open_type == OT_BASE_ONLY ||
+ !thd->find_temporary_table(table))
+ (void) delete_statistics_for_table(thd, &db_name, &table_name);
}
}