Hi,

On Dec 10, 2007 4:51 PM, Garris, Nicole <[EMAIL PROTECTED]> wrote:
> I'm a new MySQL DBA taking over admin duties for an existing MySQL
> nonclustered 4.1 installation. It has 6 small user databases. So in the
> mysql database, I run the query
>
> Select host, user, password from user;
>
> Which returns the following:
>
> +------------------------+----------+-------------------+
> | host                   | user     | password          |
> +------------------------+----------+-------------------+
> | localhost              | root     | (long hex string) |
> | localhost network name | root     |                   |
> | localhost network name |          |                   |
> | localhost              |          | (long hex string) |
> | localhost              | one_user | (long hex string) |
> | %                      | one_user | (long hex string) |
> | %                      | root     | (long hex string) |
> | localhost              | two_user | (long hex string) |
> | IP address x           | one_user | (long hex string) |
> | IP address y           | one_user |                   |
> +------------------------+----------+-------------------+
>
> Does this mean that:
>
> 1. Line 2 above: root can log in with a blank password from (localhost
> network name)?
>
> 2. Line 3 above: A blank user/password can be used to log in from
> (localhost network name)?
>
> 3. Line 4 above: A blank user can be used to log in from localhost, but
> a password has been specified?
>
> 4. Line 10 above: User "one-user" can be used to log in from IP address
> y with a blank password?

Blank password means "no password."  Blank username means "anonymous
user."  I would get rid of the anonymous users, whose permissions can
invisibly attach themselves to every user (though they will never show
up in SHOW GRANTS), and definitely set passwords for everyone.  It
looks like you're running an installation with default privileges.
I'd also look into mysql.host and delete anything that doesn't look
like it's specific to your installation.  (There is rarely/never a
reason for an entry in this table anyway.)

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
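
An added example, not part of the original message: audit queries for the conditions the reply describes (blank password, blank username, entries in mysql.host), followed by the cleanup it recommends. It assumes the MySQL 4.1 grant tables (`mysql.user` with `Host`, `User`, `Password` columns, plus `mysql.db` and `mysql.host`); the host and password in the `SET PASSWORD` statement are placeholders.

```sql
-- Run as an account with full privileges on the mysql database.

-- 1. Classify every account row by the two conditions from the thread.
SELECT Host, User,
       CASE
         WHEN User = '' AND Password = '' THEN 'anonymous, no password'
         WHEN User = ''                   THEN 'anonymous'
         WHEN Password = ''               THEN 'no password'
         ELSE 'ok'
       END AS finding
FROM mysql.user
ORDER BY finding, User, Host;

-- 2. Anonymous accounts can also hold database-level rows in mysql.db.
--    Removing them from mysql.user alone leaves these behind.
SELECT Host, Db, User
FROM mysql.db
WHERE User = '';

-- 3. Review mysql.host and keep only rows specific to this installation.
SELECT * FROM mysql.host;

-- 4. Cleanup, after reviewing the output of steps 1 to 3.
--    Remove the anonymous accounts and their database-level rows.
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.db   WHERE User = '';

--    Set a password on each named account reported as 'no password'.
--    Placeholder host and password: substitute the real Host value
--    from step 1 and a strong password, once per affected row.
SET PASSWORD FOR 'one_user'@'IP_ADDRESS_Y_PLACEHOLDER'
    = PASSWORD('NEW_PASSWORD_PLACEHOLDER');

--    Direct edits to the grant tables (the DELETEs above) take effect
--    only after the server reloads them.
FLUSH PRIVILEGES;

-- 5. Re-run the audit: this should now return zero rows.
SELECT Host, User
FROM mysql.user
WHERE User = '' OR Password = '';
```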
