Full Disclosure mailing list archives
RE: MySQL and the user "su"
From: Tom Crimmins <fulldis () pottcounty com>
Date: Fri, 31 Dec 2004 13:23:37 -0600
[snip]
Ok one if I the user deletes, I can't no more connection. But for what MySQL puts on this user at all, if he is not used? I think that is a security bug to be evaluated.
[/snip]

It is not specific to the user "su". Try it with any user, i.e. "mysql -u arbitrary". It will connect, but you will not have privileges to do anything. It is using the anonymous account on localhost. This is the intended behavior. MySQL adds this on purpose. It is not a bug. The anonymous account only exists for users on localhost, and they by default can only connect and do nothing else.

As I said in my previous e-mail, if you do not want this behavior, delete the row from the user table, but to do this you must connect as a user that has privileges to this table, i.e. 'mysql -u root'.

Please see the following documentation for more information:

http://dev.mysql.com/doc/mysql/en/GRANT.html

Specifically the following part:

"Warning: If you allow anonymous users to connect to the MySQL server, you should also grant privileges to all local users as user_name@localhost. Otherwise, the anonymous-user account for the local host in the mysql.user table will be used when named users try to log in to the MySQL server from the local machine! (This anonymous-user account is created during MySQL installation.)"

---
Tom Crimmins
Interface Specialist
Pottawattamie County, Iowa

-----Original Message-----

Dear Tom Crimmins,

on Friday, 31 December 2004 at 17:42 you wrote:
[snip] I have today determined that I can connect to a local MySQL-server per "mysql -usu". I regard that to error, can that someone confirm? [/snip]
This is not an error. You should by default be able to connect with any user from localhost, but you will not have privileges to do anything else. This is because the mysql install by default sets up permissions this way. You could verify this yourself by connecting as root, and executing the following query:
SELECT * FROM mysql.user;
The row that applies in this case is the one with Host='localhost' and User=''. You can delete this row if you do not want this behavior. You must do a "flush privileges;" after deleting the row.
---
Tom Crimmins
Interface Specialist
Pottawattamie County, Iowa
Ok one if I the user deletes, I can't no more connection. But for what MySQL puts on this user at all, if he is not used? I think that is a security bug to be evaluated.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
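Added illustration, not part of the original thread and not MySQL's own code: a Python model of the row selection behind the quoted documentation warning, showing why any user name (and even a named account that has no user_name@localhost row) lands on the anonymous localhost account, and what changes once that row is deleted. The sample table, the function names and the simplified ordering rule (literal hosts before wildcard hosts, named users before the blank user) are assumptions made for this example.

```python
import re

# Constructed sample of mysql.user as (Host, User) pairs; not taken from the thread.
SAMPLE_ROWS = [("localhost", "root"), ("localhost", ""), ("%", "tom")]


def host_matches(pattern, client_host):
    """Match a Host column value, where % is any string and _ is any one character."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, client_host, re.IGNORECASE) is not None


def specificity(row):
    """Assumed ordering: literal hosts before wildcard hosts, named users before ''."""
    host, user = row
    return ("%" in host or "_" in host, user == "")


def effective_account(rows, client_host, login_user):
    """Return the first row, in specificity order, that accepts this login, or None."""
    for host, user in sorted(rows, key=specificity):
        if host_matches(host, client_host) and user in ("", login_user):
            return (host, user)
    return None  # no row matches: the connection is refused


def without_local_anonymous(rows):
    """Model of deleting the Host='localhost', User='' row and flushing privileges."""
    return [row for row in rows if row != ("localhost", "")]


if __name__ == "__main__":
    for name in ("su", "arbitrary", "tom", "root"):
        before = effective_account(SAMPLE_ROWS, "localhost", name)
        after = effective_account(without_local_anonymous(SAMPLE_ROWS), "localhost", name)
        print(f"{name:10} before={before} after={after}")
```

In this model "tom" is matched by the anonymous localhost row until that row is removed, which is the case the documentation warning describes.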