Shawn,
Thanks again for responding :o)
All understood; it seems to me, though, that this is achieved when you
create the user by specifying where that user can log in from.
So granting permissions to user@'%' means from anywhere, while
[EMAIL PROTECTED] means only when they access from that server. I guess
that could be easily spoofed, though.
In any event, thanks for a thorough answer; at least I know the behavior
is truly by design.
Jeff
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 12, 2005 09:53
To: Jeff
Cc: mysql@lists.mysql.com
Subject: Re: Database user Permissions
Jeff [EMAIL PROTECTED] wrote on 10/12/2005 08:43:16 AM:
Just rebuilt one of my servers, and when setting up MySQL again an old
problem I'd had and worked around came up again.
Why is it that if I grant user@'%' permissions, that user can access
the database from any other machine on the network, but that same user
logon accessing the db from the local system fails until I actually
create another grant record for [EMAIL PROTECTED]?
It's not a huge problem, but I'd like to understand it better.
Thanks,
Jeff
http://dev.mysql.com/doc/mysql/en/adding-users.html
The security system wisely treats local users and remote users
differently. For a truly secure server, someone must be physically at the
machine in order to make a localhost login attempt. This presumes that
some level of physical security also protects that machine. If an
administrator had only one account, it wouldn't make a difference from
where they logged in. That would be a hole in the security plan, as you now
have exposed admin rights beyond the server's physical security perimeter.
Think about it in terms of James Bond or Mission Impossible. They
wouldn't need to break into the vault containing the database computer if
an administrative account could do what they wanted from outside, would
they? With the two-tier system, an administrator could have limited
privileges when not physically at the console and full privileges while at
the console.
Of course, logging in to the server through SSH, telnet, or some other
remote terminal software defeats this kind of security check as the user
now appears to be at the local terminal. Oh, well. It is not perfect but
it is better than nothing at all!
Shawn Green
Database Administrator
Unimin Corporation - Spruce Pine
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
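An added worked example, not from the thread or from MySQL's own documentation, that reproduces the behaviour Jeff describes and shows how to diagnose it. The account name 'jeff', the password, and the database 'appdb' are assumed placeholders. One fact it relies on that the thread does not spell out: when a connection arrives, MySQL picks the first matching row of mysql.user with rows sorted most-specific host first (a literal host such as 'localhost' sorts before the '%' wildcard, and a named user sorts before the blank anonymous user), so an anonymous ''@'localhost' row, which default installs of that era created, is matched for a local connection before 'jeff'@'%' is ever considered.

```sql
-- Scratch-server walkthrough. Requires MySQL 5.0.2+ (CREATE USER) and
-- an account with GRANT OPTION on *.*. All names below are assumed.

-- 1. The grant from the thread: works from remote hosts, fails locally.
CREATE USER 'jeff'@'%' IDENTIFIED BY 'example-password';
GRANT SELECT, INSERT ON appdb.* TO 'jeff'@'%';

-- 2. Diagnose: list the rows the server will try, in the order it tries
--    them. Literal hosts come before '%', named users before the blank
--    (anonymous) user. If a row ''@'localhost' exists, a local login as
--    jeff matches it first and is evaluated with the anonymous account's
--    (usually empty) privileges, which is the "access denied" Jeff saw.
SELECT user, host
FROM   mysql.user
ORDER BY (host = '%'),            -- literal hosts first, wildcard last
         (user = ''),             -- named users before anonymous
         host, user;

-- 3a. The workaround used in the thread: a second, host-specific account.
CREATE USER 'jeff'@'localhost' IDENTIFIED BY 'example-password';
GRANT SELECT, INSERT ON appdb.* TO 'jeff'@'localhost';

-- 3b. The alternative: remove the anonymous rows so that 'jeff'@'%'
--     also matches local connections. DROP USER errors if the row is
--     absent, so check step 2 first. FLUSH is only needed if mysql.user
--     was edited directly, but is harmless here.
DROP USER ''@'localhost';
FLUSH PRIVILEGES;

-- 4. Verify from a client session which row actually authenticated you.
--    USER() is the identity the client claimed plus the connecting host;
--    CURRENT_USER() is the mysql.user row whose privileges are in force.
--    When the two differ, precedence (step 2) is the reason.
SELECT USER(), CURRENT_USER();
SHOW GRANTS FOR 'jeff'@'localhost';
SHOW GRANTS FOR 'jeff'@'%';
```

On the spoofing concern Jeff raises: a host column such as 'db1.example.com' is matched against the reverse-DNS name of the connecting address, so anyone who controls that resolution can satisfy it. Granting to IP addresses or netmasks (for example 'jeff'@'192.168.1.%') and running the server with skip_name_resolve removes DNS from the decision; the per-host account model then limits where an account can be used, but it is still no substitute for a strong password on every row in mysql.user.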