Dear Bjoern,

> I have completed a new setup on WinXP, with Mysqld-nt as a service, and
> assigned a new password to root. However I am able to connect as root
> without password, alter and even drop tables and complete databases with
> the tool MySQLFront !!!

After setting up MySQL under Windows, the grant tables have automatically been set up with some basic users. One of them is called "root", a user who can connect from the local box without entering a password. This is done so new users can just play around a little without having to worry about what a "privilege system" is etc.

All user account information in MySQL is stored in a database called "mysql". User accounts (with user privileges to the MySQL server) are stored in mysql.user, and if access is limited to certain databases, account information is also stored in mysql.db.

You can find detailed information on the MySQL privilege system at
http://www.mysql.com/documentation/mysql/bychapter/manual_MySQL_Database_Administration.html#User_Account_Management.

You can GRANT and REVOKE privileges like in other SQL DBMS. In MySQL, you can also INSERT, UPDATE and DELETE users through the tables in the mysql database. If you manipulate the mysql tables directly (instead of GRANTing and REVOKEing), you will have to issue FLUSH PRIVILEGES to tell the server to reload the grant tables (and thus, make the access privileges take effect).

To make your MySQL server secure, you can do:

  DELETE FROM mysql.user;
  DELETE FROM mysql.db; -- This will erase all current users
  GRANT ALL ON *.* TO 'superuser'@'localhost' IDENTIFIED BY 'secret' WITH GRANT OPTION;
  FLUSH PRIVILEGES; -- make the changes of the above DELETE take effect

Note that 'superuser' can only connect from localhost. If you need other users, you can create new accounts as 'superuser' with GRANT statements like in other SQL DBMS.

HTH!

--
  Stefan Hinz <[EMAIL PROTECTED]>
  CEO / Geschäftsleitung iConnect GmbH <http://iConnect.de>
  Heesestr. 6, 12169 Berlin (Germany)
  Telefon: +49 30 7970948-0 Fax: +49 30 7970948-3

----- Original Message -----
From: "Bjørn Stave" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, December 08, 2002 11:13 PM
Subject: Password protection

Hi MySQL

I am a new user of your product, and so far everything looks great, except for password protection...

I have completed a new setup on WinXP, with Mysqld-nt as a service, and assigned a new password to root. However I am able to connect as root without password, alter and even drop tables and complete databases with the tool MySQLFront !!!

If I try to connect using MySQLadmin at the command prompt without password I am rejected as expected.

Did I miss out on something important, or is there a commonly known backdoor to the MySQLdb?

A little extra info

Server: WinXP, MySQL ver. 3.23.49nt (command prompt rejects access without pw)
Client: WinXP, MySQLFRONT ver. 2.2 from MySQLfront.de (access without pw granted)
Purpose of use: development of a servicemanagement/CRM application as ISV

Being a bit worried to continue developing, I look forward to hearing from You.

Kind regards
Bjørn D. W. Stave
Expressive.dk

---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
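
Added example, not part of the original thread: a read-only audit of the grant tables that the reply describes, to run before and after the clean-up it suggests. It assumes the mysql.user and mysql.db column names used by MySQL 3.23 through 5.6 (Host, User, Password and the *_priv columns); 'superuser'@'localhost' is the account name taken from the reply.

```sql
-- Added example: read-only audit of the MySQL grant tables.
-- Assumption: pre-5.7 layout, where mysql.user has a Password column.
-- Only SELECT / SHOW statements are used; nothing is modified.

-- 1. One row per account. MySQL identifies an account by (User, Host),
--    so two rows with the same User but different Host values are
--    separate accounts, each with its own password.
SELECT User,
       Host,
       IF(User = '', 'anonymous', 'named')              AS account_type,
       IF(Password = '', 'NO PASSWORD', 'password set') AS password_state,
       Grant_priv,
       Drop_priv,
       File_priv
FROM mysql.user
ORDER BY User, Host;

-- 2. Accounts that can still log in without a password.
--    After the clean-up from the reply this should return no rows.
SELECT User, Host
FROM mysql.user
WHERE Password = '';

-- 3. Accounts whose Host value is anything other than localhost
--    (a hostname, an IP address or a wildcard such as '%').
SELECT User, Host
FROM mysql.user
WHERE Host <> 'localhost';

-- 4. Database-level grants stored in mysql.db, including any rows
--    with an empty User (anonymous access to specific databases).
SELECT Db, User, Host,
       Select_priv, Insert_priv, Update_priv, Delete_priv, Drop_priv
FROM mysql.db
ORDER BY Db, User, Host;

-- 5. The privileges the server reports for the new administrative account.
SHOW GRANTS FOR 'superuser'@'localhost';
```

These queries read the grant tables as stored; if the tables were edited directly, the server keeps using its previously loaded privileges until FLUSH PRIVILEGES has been issued.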