Rolf Hopkins wrote:
> 
> What you have just described means that database permissions have not been
> set up correctly and your ISP has left himself wide open for all kinds of
> attacks and I'm not just talking about attacks on the database itself but
> also attacks on the whole system.  I.e. access to unix root, DOS, etc.
> 
> Read the security section of the manual, it will give you some idea of how
> it is done.  I would say your ISP is one of these dotcom companies that are
> out for a few quick bucks and don't know what they are really doing.
> 
> Cheers
> 
> > clay bond wrote:
> >
> > > On Tue, 13 Feb 2001, Donald Korth wrote:
> > >
> > > > The hosting company has given me a user name and passwd. When I log
> > > > into my own site through a telnet session I'm able to view all the
> > > > databases created in the server, and that includes DBs not created by
> > > > me. I also did a "USE DB" command to connect to a DB that wasn't mine.
> > > > Also "Show tables" faithfully listed all the tables in the DB. I even
> > > > was able to run a "SELECT" on a login table to list all the user names
> > > > and passwords listed with the company.
> > > > What do I make of it???? An admin lapse or an inherent limitation of
> > > > MySQL as the support guy makes it out. But the latter is hard to believe.
> > > > Any suggestions on how to make my DB invisible on other logins?????
> > > > Any help will be deeply appreciated.
> > >
> > > If your db is anywhere near critical, I would change
> > > to an ISP with a competent DBA, if I were you.
> > >

Go into the mysql db and do the following:
INSERT INTO user (Host, User, Password, Select_priv, Insert_priv, Update_priv,
Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv,
File_priv, Grant_priv, References_priv, Index_priv, Alter_priv) VALUES
('localhost', 'myuser', PASSWORD('secret'), 'n', 'n', 'n', 'n', 'n', 'n', 'n',
'n', 'n', 'n', 'n', 'n', 'n', 'n');

INSERT INTO db (Host, Db, User, Select_priv, Insert_priv, Update_priv,
Delete_priv, Create_priv, Drop_priv, Grant_priv, References_priv, Index_priv,
Alter_priv) VALUES ('host', 'mydb', 'myuser', 'y', 'y', 'y', 'y', 'y', 'y', 'y',
'y', 'y', 'y');

Then, mysqladmin reload.

Then, tell someone there to do the following:
mysql mysql -e 'select * from user;'
mysql mysql -e 'select * from db;'

And, ensure all permissions for all users are set according to what you've set
up for myuser on mydb, with the exception of their admin account.  Tell them to
set the root password, also.

Hope that helps.

Van
-- 
=========================================================================
Linux rocks!!!   http://www.dedserius.com
=========================================================================
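
An audit for the check described in the message above (every non-admin account limited to its own database), added here as an example and not part of the original post. It assumes the grant-table columns shown in the INSERT statements above and is run by the server's admin account; myuser and localhost are the sample names from the message.

```sql
-- Added example: audit of the MySQL grant tables.
-- Assumes the mysql.user / mysql.db layout used in the message
-- (a Password column and the *_priv columns listed there).
USE mysql;

-- 1. Accounts holding any global privilege. A 'Y' in the user table
--    applies to every database on the server, which is what lets one
--    customer USE and SELECT from another customer's database.
--    Only the admin account should be returned.
SELECT Host, User
FROM user
WHERE 'Y' IN (Select_priv, Insert_priv, Update_priv, Delete_priv,
              Create_priv, Drop_priv, Reload_priv, Shutdown_priv,
              Process_priv, File_priv, Grant_priv, References_priv,
              Index_priv, Alter_priv);

-- 2. Accounts with no password (this includes an unset root password)
--    and anonymous accounts (empty User).
SELECT Host, User
FROM user
WHERE Password = '' OR User = '';

-- 3. Per-database rows that are broader than "one user, one database":
--    a '%' wildcard in Db or Host, or an empty User (matches anyone).
SELECT Host, Db, User
FROM db
WHERE Db LIKE '%\%%' OR Host LIKE '%\%%' OR Host = '' OR User = '';

-- 4. Effective privileges of a single customer account, for comparison
--    with the myuser / mydb rows inserted above.
SHOW GRANTS FOR myuser@localhost;
```

Queries 1 to 3 should return only the admin account (or nothing) once each customer has a user row with all 'n' and a single db row for their own database.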
