Re: [SECURITY] How do these blank passwords get into mysql.user?

Tue, 19 Feb 2002 07:27:55 -0800 


Philip,

you should explicitly specify host/password in the GRANT statement, like
this:

GRANT ALL ON xxx.* TO user@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;

This way the user will only granted access from the specified host, you
don't need to manually INSERT into the user table.  (You'll also get rid
of the empty passwords.)

Peter

On Tue, 19 Feb 2002, Philip Mak wrote:

> One thing's been bothering me for a while: When I create a user and
> database in MySQL, the user always ends up with an extra entry with
> host='%' and password=''. How is this happening? This is how I create
> a new database and user:
>
> mysql> create database xxx;
> Query OK, 1 row affected (0.01 sec)
>
> mysql> insert into user set host='localhost', user='xxx', password=password('yyy');
> Query OK, 1 row affected (0.03 sec)
>
> mysql> flush privileges;
> Query OK, 0 rows affected (0.00 sec)
>
> mysql> grant all privileges on xxx to xxx;
> Query OK, 0 rows affected (0.03 sec)
>
> mysql> grant all privileges on xxx.* to xxx;
> Query OK, 0 rows affected (0.00 sec)
>
> mysql> flush privileges;
> Query OK, 0 rows affected (0.00 sec)
>
> mysql> select host,user,password from user where user='xxx';
> +-----------+------+------------------+
> | host      | user | password         |
> +-----------+------+------------------+
> | %         | xxx  |                  |
> | localhost | xxx  | 66debff13dff1053 |
> +-----------+------+------------------+
> 2 rows in set (0.00 sec)
>
> What did I do wrong to cause these users with blank passwords to be
> created (essentially opening me wide to the outside)? My MySQL version
> is 3.23.47. It's worked fine after I delete the extra row in the user
> table manually, but this could be dangerous to someone who doesn't
> notice it!
>

-- 
GPG ID  D40940EC
    FPR 89CC E331 FFD0 3138 9CB2  FE0D 122E 9EC9 D409 40EC



---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php

Reply via email to