On Wed, 15 Sep 2004 17:10:27 +0200, Marten Lehmann <[EMAIL PROTECTED]> wrote:
> imagine the following setup:
> 
> - a mysql-server
> - a client on a different host
> 
> Privileges on the mysql-server are set up in a manner that users can
> connect from every host, but not from localhost (and they don't even
> have access to localhost). root on the other hand is allowed to connect
> from localhost only, but without giving him a password. Is this a
> security problem? Is there any way to trick the mysql-server, so that a
> remote-client can claim to be a localhost-client and thus can connect as
> mysql-user root?

Why not just set the permissions correctly with no 'tricks'?

You can lock down MySQL to exactly who needs access from exactly which
hosts with (or without) passwords, even the tables and databases to be
accessed can be restricted:

http://dev.mysql.com/doc/mysql/en/GRANT.html

I would never allow anyone except myself to connect to my MySQL server
as the root MySQL user.  I usually don't even do it myself.  I make a
new 'root' user named something else besides root, and I add separate
users and permissions for each database.  Unless it's a dev server
behind a firewall or something like that I tend to be pretty
restrictive.

-- 
Greg Donald
http://gdconsultants.com/
http://destiney.com/
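
The lockdown described in the reply above, as an added example that is not part of the original thread. It assumes MySQL 5.7 or later (CREATE USER, ALTER USER and the mysql.user.authentication_string column); the account names, the host 192.0.2.10, the database `shop` and the passwords are constructed placeholders.

```sql
-- Added example; account names, host 192.0.2.10, database `shop` and
-- passwords are constructed placeholders. Assumes MySQL 5.7 or later.

-- 1. Audit: accounts with no stored password hash, or usable from any host.
--    Read the plugin column too: a socket-authenticated account
--    (auth_socket) also has an empty authentication_string.
SELECT user, host, plugin,
       COALESCE(authentication_string, '') = '' AS empty_password,
       host IN ('%', '')                        AS any_host
FROM mysql.user
WHERE COALESCE(authentication_string, '') = ''
   OR host IN ('%', '')
ORDER BY user, host;

-- 2. Give the local administrative account a password instead of relying
--    on the host restriction alone, then rename it as the reply suggests.
--    Views and stored programs whose DEFINER is 'root'@'localhost' are not
--    updated by RENAME USER and must be re-created or altered separately.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD_1';
RENAME USER 'root'@'localhost' TO 'dbadmin'@'localhost';

-- 3. One account per database, bound to the single client host that needs
--    it, holding only data-manipulation privileges on that schema.
CREATE USER 'shop_app'@'192.0.2.10'
    IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD_2';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON shop.* TO 'shop_app'@'192.0.2.10';

-- 4. Verify what each account can actually do after the changes.
SHOW GRANTS FOR 'dbadmin'@'localhost';
SHOW GRANTS FOR 'shop_app'@'192.0.2.10';
```

Rerunning the audit query from step 1 afterwards should return no rows with empty_password = 1 other than accounts that authenticate through a socket plugin.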

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql