> After creating a new database, I ran:
>
> update user set password = 'SomeJunk' where user = 'root';
>
> This inserts the string 'SomeJunk' literally into the database,
> unencrypted.  This is SQL expected but the result is a database
> lockout (not to mention the security breach of having the clear
> password stored in a file).
>
> I got the smart idea to assign a root password like this from the
> Bugzilla-Guide.txt file that comes with Bugzilla.

I just opened Bugzilla-Guide.txt and it says:

mysql> UPDATE user SET Password=PASSWORD ('new_password') WHERE user='root';
mysql> FLUSH PRIVILEGES;

Note the PASSWORD('new_password') instead of just 'new_password'.

> If there is a better way to assign passwords, please let me know.
>
> I tried
>
> grant all on mysql.* to foo identified by bar;
>
> Seems to work for creating new accounts.

Try
GRANT ALL PRIVILEGES ON table.* TO user@localhost IDENTIFIED BY 'password';

Since in most cases (web server and mysql on same box) you don't need to
allow users to connect from anywhere. If you want to include a hostname or
wildcard, put it in '' (like '%.host.com' or just '%').

> Also, the user table looks like:
>
> mysql> select host, user, password from user;
> +-----------+---------+------------------+
> | host      | user    | password         |
> +-----------+---------+------------------+
> | localhost | root    | 7d30d6e5796d165e |
> | nomis     | root    | 7d30d6e5796d165e |
> | localhost |         |                  |
> | nomis     |         |                  |
> | localhost | ShimonR | 7d30d6e5796d165e |
> +-----------+---------+------------------+
> 5 rows in set (0.00 sec)
>
> Does this mean that any user from localhost or from nomis can connect?

Don't know, but unless they have corresponding rows in another table to
actually give them privileges, they can't do anything.

I don't have rows like that in my user table so they should be safe to
delete.
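
As an added example (not part of the original message), the query below audits the grant table for the two issues discussed in this thread: password values stored literally instead of through PASSWORD(), and anonymous or passwordless rows. It assumes the old mysql.user layout with host, user and password columns and the 16-hex-digit hash format seen in the pasted table.

```sql
-- Added example: audit mysql.user for weak or malformed credential rows.
-- Assumptions: grant table has host/user/password columns as shown in the
-- thread, and PASSWORD() hashes are 16 hex digits as in the pasted output.
SELECT host,
       user,
       CASE
           WHEN user = '' AND password = '' THEN 'anonymous account, no password'
           WHEN user = ''                   THEN 'anonymous account'
           WHEN password = ''               THEN 'named account, no password'
           WHEN password NOT REGEXP '^[0-9a-f]{16}$'
                                            THEN 'password column is not a PASSWORD() hash'
       END AS finding
FROM mysql.user
WHERE user = ''                                   -- rows that match any user name
   OR password = ''                               -- rows that accept an empty password
   OR password NOT REGEXP '^[0-9a-f]{16}$'        -- literal text such as 'SomeJunk'
ORDER BY host, user;
```

Against the table pasted in the thread, the two rows with an empty user and empty password match; a row updated with a literal string such as 'SomeJunk' would match the last branch.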

