Mark, Thanks for your note. I did read this page in the manual, especially this paragraph.
<< The default privileges on Windows give all local users full privileges to all databases without specifying a password. To make MySQL more secure, you should set a password for all users and remove the row in the mysql.user table that has Host='localhost' and User=''. You should also add a password for the root user. The following example starts by removing the anonymous user that has all privileges, then sets a root user password: C:\> C:\mysql\bin\mysql mysql mysql> DELETE FROM user WHERE Host='localhost' AND User=''; mysql> QUIT C:\> C:\mysql\bin\mysqladmin reload C:\> C:\mysql\bin\mysqladmin -u root password your_password >> In my example, you will see that I did DELETE FROM user to remove all rows where username is blank. However, I did not reload the service. When I did, it now looks like the correct behavior is happening. -ms -----Original Message----- From: Mark Matthews [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 18, 2003 5:53 AM To: Michael Shulman Cc: [EMAIL PROTECTED] Subject: Re: Problem with permissions on Windows in 4.0.11a Gamma? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael Shulman wrote: > Hello, all: > > It seems that the 4.0.11a Gamma release on Windows allows all users to > connect, even though they don't have connect permissions in the user table. > Could this be right? > > I'm running on WinXP. I apologize - I'm new to MySQL, so please let me know > if I am reading the documentation incorrectly. > http://www.mysql.com/doc/en/Privileges.html > > Comment lines are preceded by // in this example > > // connect to MySQL without providing a username or password > C:\mysql\bin>mysql > Welcome to the MySQL monitor. Commands end with ; or \g. > Your MySQL connection id is 25 to server version: 4.0.11-gamma-nt > > Type 'help;' or '\h' for help. Type '\c' to clear the buffer. > > // note that MySQL does not know who we are > mysql> select current_user(); > +----------------+ > | current_user() | > +----------------+ > | @127.0.0.1 | > +----------------+ > 1 row in set (0.00 sec) > > mysql> use mysql; > Database changed > > // verify that the user table is completely locked down > mysql> select user, host from user; > +------+-----------+ > | user | host | > +------+-----------+ > | root | localhost | > +------+-----------+ > 1 row in set (0.00 sec) > > // we're not an authenticated user, but we can create tables > mysql> create table a (a char(10)); > Query OK, 0 rows affected (0.03 sec) > > // we can insert into these tables > mysql> insert into a values ("abc"); > Query OK, 1 row affected (0.00 sec) > > mysql> select * from a; > +------+ > | a | > +------+ > | abc | > +------+ > 1 row in set (0.00 sec) > > // we can even create new users > mysql> insert into user (user, host) values ("fred", "foo"); > Query OK, 1 row affected (0.00 sec) > > mysql> select user, host from user; > +------+-----------+ > | user | host | > +------+-----------+ > | fred | foo | > | root | localhost | > +------+-----------+ > 2 rows in set (0.00 sec) > > > Am I doing something wrong, or is this a nasty bug? > -ms > Michael Shulman It's by design, and it is only for local users. See http://www.mysql.com/doc/en/Windows_running.html -Mark - -- MySQL 2003 Users Conference -> http://www.mysql.com/events/uc2003/ For technical support contracts, visit https://order.mysql.com/?ref=mmma __ ___ ___ ____ __ / |/ /_ __/ __/ __ \/ / Mark Matthews <[EMAIL PROTECTED]> / /|_/ / // /\ \/ /_/ / /__ MySQL AB, Full-Time Developer - JDBC/Java /_/ /_/\_, /___/\___\_\___/ Flossmoor (Chicago), IL USA <___/ www.mysql.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.1.90 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+dySrtvXNTca6JD8RAsvlAJ9EcfpMuPg5gsP3hKziagOnpS0urwCgl9ZK pLeETxvpAaxsH6wt/lCwaQM= =YoM3 -----END PGP SIGNATURE----- --------------------------------------------------------------------- Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail <[EMAIL PROTECTED]> To unsubscribe, e-mail <[EMAIL PROTECTED]> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php --------------------------------------------------------------------- Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail <[EMAIL PROTECTED]> To unsubscribe, e-mail <[EMAIL PROTECTED]> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php