At 9:54 -0600 9/2/04, Mark C. Stafford wrote:
Should I care that USAGE still shows up after all rights have been
revoked? It feels like a potential security hole...
USAGE *means* "no privileges", that's why it shows up when all privs
have been revoked.
It does mean that the account can be used to connect to the server.
If you don't want that, either delete the record in the user table
and FLUSH PRIVILEGES, or if you have MySQL 4.1.1 or later, you can
use DROP USER.
-- working around the system to ensure a clean environment
-- i feel like i shouldn't have to do this...but want to start with a
clean slate
DELETE FROM mysql.user WHERE user = 'jdoe';
DELETE FROM mysql.columns_priv WHERE user = 'jdoe';
DELETE FROM mysql.tables_priv WHERE user = 'jdoe';
DELETE FROM mysql.db WHERE user = 'jdoe';
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'jdoe'@'192.168.%';
/*
[localhost -- root] ERROR 1141: There is no such grant defined for
user 'jdoe' on host '192.168.%'
*/
-- simulating new user
GRANT SELECT ON test.* TO 'jdoe'@'192.168.%' IDENTIFIED BY 'still-got-usage';
GRANT INSERT ON test.* TO 'jdoe'@'192.168.%';
GRANT UPDATE ON test.* TO 'jdoe'@'192.168.%';
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'jdoe'@'192.168.%';
/*
+------------------------------------------------------------------------------------+
| Grants for [EMAIL PROTECTED]
|
+------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'jdoe'@'192.168.%' IDENTIFIED BY PASSWORD
'4a8930bb6abf3967' |
| GRANT SELECT, INSERT ON `test`.* TO 'jdoe'@'192.168.%'
|
+------------------------------------------------------------------------------------+
*/
-- simulating user's departure from organization
REVOKE SELECT ON test.* FROM 'jdoe'@'192.168.%';
REVOKE INSERT ON test.* FROM 'jdoe'@'192.168.%';
REVOKE UPDATE ON test.* FROM 'jdoe'@'192.168.%';
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'jdoe'@'192.168.%';
/*
+------------------------------------------------------------------------------------+
| Grants for [EMAIL PROTECTED]
|
+------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'jdoe'@'192.168.%' IDENTIFIED BY PASSWORD
'4a8930bb6abf3967' |
+------------------------------------------------------------------------------------+
*/
--try it again, sam
REVOKE USAGE ON *.* FROM 'jdoe'@'192.168.%';
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'jdoe'@'192.168.%';
/*
+------------------------------------------------------------------------------------+
| Grants for [EMAIL PROTECTED]
|
+------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'jdoe'@'192.168.%' IDENTIFIED BY PASSWORD
'4a8930bb6abf3967' |
+------------------------------------------------------------------------------------+
*/
--
Paul DuBois, MySQL Documentation Team
Madison, Wisconsin, USA
MySQL AB, www.mysql.com
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
