re: unprivileged user can create a database

Fri, 18 Oct 2002 03:47:40 -0700 

Max,
Friday, October 18, 2002, 1:32:34 AM, you wrote:

MK> Here is a (stripped) list of steps needed to recreate this problem.

MK> ---------------------------------------------------------------------------
MK> # mysql -u root -p
MK> ......
MK> mysql> CREATE DATABASE `user_db`;
MK> Query OK, 1 row affected (0.00 sec)

MK> mysql> USE mysql;
MK> Reading table information for completion of table and column names
MK> You can turn off this feature to get a quicker startup with -A

MK> mysql> INSERT INTO user (Host, User) VALUES ('localhost', 'user_db_mgr');
MK> Query OK, 1 row affected (0.00 sec)

MK> mysql> INSERT INTO db (Host, User, Db, Create_priv) VALUES ('localhost',
MK> 'user_db_mgr', 'user_db', 'Y');
MK> Query OK, 1 row affected (0.00 sec)

MK> mysql> FLUSH PRIVILEGES;
MK> Query OK, 0 rows affected (0.00 sec)

MK> mysql> \q
MK> Bye

MK> # mysql -u user_db_mgr
MK> ......
MK> mysql> CREATE DATABASE `user?db`;
MK> Query OK, 1 row affected (0.00 sec)
MK> ---------------------------------------------------------------------------

>From the above, you can see that this new unprivileged user was able to
MK> create a database with a specific name.  No other name was found to work.
MK> This user should only be able to create _tables_ in the assigned database,
MK> but it seems that the Create_priv permission somehow extends to allow this
MK> user to create this database as well.

Because you give permission on non exesting database. In this case
user can create database with names like 

user(any symbol)db.


-- 
For technical support contracts, goto https://order.mysql.com/?ref=ma02-010c
This email is sponsored by Ensita.net http://www.ensita.net/
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /    Victoria Reznichenko
 / /|_/ / // /\ \/ /_/ / /__   [EMAIL PROTECTED]
/_/  /_/\_, /___/\___\_\___/   MySQL AB / Ensita.net
       <___/   www.mysql.com





---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php

Reply via email to