Shawn, Thanks again for responding :o)
All understood; it seems to me, though, that this is achieved when you create the user by specifying where the specific user can log in from. So granting permissions to user@'%' means from anywhere, while [EMAIL PROTECTED] means only when they access from that server. I guess that could be easily spoofed though. In any event, thanks for a thorough answer; at least I know the behavior is truly by design.

Jeff

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 12, 2005 09:53
> To: Jeff
> Cc: mysql@lists.mysql.com
> Subject: Re: Database user Permissions
>
>
> "Jeff" <[EMAIL PROTECTED]> wrote on 10/12/2005 08:43:16 AM:
>
> > Just rebuilt one of my servers and when setting up MySQL again an old
> > problem I'd had and worked around came up again.
> >
> > Why is it that if I grant a user@'%' permissions, that user can access
> > the database from any other machine on the network, but that same user
> > logon accessing the db from the local system fails until I actually
> > create another grant record for [EMAIL PROTECTED]
> >
> > It's not a huge problem but I'd like to understand it better.
> >
> > Thanks,
> >
> > Jeff
>
>
> http://dev.mysql.com/doc/mysql/en/adding-users.html
>
> The security system wisely treats local users and remote users differently. For a truly secure server, someone must be physically at the machine in order to make a localhost login attempt. This presumes that some level of physical security also protects that machine. If an administrator had only one account, it wouldn't make a difference from where they logged in. That would be a hole in the security plan, as you would now have exposed admin rights beyond the server's physical security perimeter. Think about it in terms of "James Bond" or "Mission Impossible". They wouldn't need to break into the vault containing the database computer if an administrative account could do what they wanted from outside, would they?
>
> With the two-tier system, an administrator could have limited privileges when not physically at the console and full privileges while at the console. Of course, logging in to the server through SSH, telnet, or some other remote terminal software defeats this kind of security check, as the user now appears to be at the local terminal. Oh, well. It is not perfect, but it is better than nothing at all!
>
> Shawn Green
> Database Administrator
> Unimin Corporation - Spruce Pine

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
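The two-account setup the thread discusses, written out as an added example (not from the list message or the MySQL docs); the account name `jeff`, the database `appdb`, and the placeholder passwords are assumptions. MySQL identifies an account by the pair 'user'@'host', and when several rows could match a connection it picks the most specific host first, so the checks at the end show which row a given session actually landed on.

```sql
-- Account row 1: reachable from any host. In MySQL '%' matches any host
-- name, but a more specific row for the same host always wins over it.
CREATE USER 'jeff'@'%' IDENTIFIED BY 'placeholder-remote-password';
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'jeff'@'%';

-- Account row 2: only matches connections that arrive as 'localhost'
-- (Unix socket, or TCP to the loopback address). This is the row that
-- carries the broader privileges in the "two-tier" arrangement.
CREATE USER 'jeff'@'localhost' IDENTIFIED BY 'placeholder-local-password';
GRANT ALL PRIVILEGES ON appdb.* TO 'jeff'@'localhost';

-- Default installs of that era also ship an anonymous ''@'localhost' row.
-- Because 'localhost' is more specific than '%', that row, not
-- 'jeff'@'%', is what a local "jeff" login matched before row 2 existed,
-- which is one way the symptom in the thread shows up. Listing the rows
-- makes the ordering visible; dropping the anonymous row removes it.
SELECT user, host FROM mysql.user ORDER BY host, user;
DROP USER ''@'localhost';

-- Review what each row is allowed to do.
SHOW GRANTS FOR 'jeff'@'%';
SHOW GRANTS FOR 'jeff'@'localhost';

-- From a live session: USER() is what the client claimed, CURRENT_USER()
-- is the account row MySQL actually authenticated against. If the two
-- differ in the host part, a different row than expected was matched.
SELECT USER(), CURRENT_USER();
```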