Re: Database user Permissions

2005-10-12 Thread SGreen
Jeff [EMAIL PROTECTED] wrote on 10/12/2005 08:43:16 AM:

 Just rebuilt one of my servers and when setting up MySQL again an old
 problem I'd had and worked around came up again.
 
 Why is it that if I grant a user@'%' permissions, that user can access
 the database from any other machine on the network, but that same user
 logon accessing the db from the local system, fails until I actually
 create another grant record for [EMAIL PROTECTED]
 
 It's not a huge problem but I'd like to understand it better.
 
 Thanks,
 
 Jeff
 

http://dev.mysql.com/doc/mysql/en/adding-users.html

The security system wisely treats local users and remote users 
differently. For a truly secure server, someone must be physically at the 
machine in order to make a localhost login attempt. This presumes that 
some level of physical security also protects that machine. If an 
administrator had only one account, it wouldn't make a difference from 
where they logged in. That would be a hole in the security plan as you now 
have exposed admin rights beyond the server's physical security perimeter.

Think about it in terms of James Bond or Mission Impossible. They 
wouldn't need to break into the vault containing the database computer if 
an administrative account could do what they wanted from outside, would 
they?  With the two-tier system, an administrator could have limited 
privileges when not physically at the console and full privileges while at 
the console. 

Of course, logging in to the server through SSH, telnet, or some other 
remote terminal software defeats this kind of security check as the user 
now appears to be at the local terminal. Oh, well. It is not perfect but 
it is better than nothing at all!

Shawn Green
Database Administrator
Unimin Corporation - Spruce Pine
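As an added example (not code from the thread, from Shawn, or from MySQL itself): a small Python model of the stage-1 connection check the MySQL manual describes for the user table. The server sorts account rows with the most specific Host first and the most specific User second, takes the FIRST row that matches the connecting client, and then verifies the password against that row. The weights below follow the server's get_sort() convention (128 for a literal value, the 1-based position of the first wildcard for a pattern, 0 for an empty value). The account table is constructed for the demo, and two simplifications are assumptions: passwords are compared as plain strings rather than hashes, and IP/netmask host forms are not modelled.

```python
"""Model of MySQL's stage-1 connection verification (user@host matching).

Added example, not the thread's or MySQL's own code. Rows are sorted
most-specific Host first, then most-specific User, and the first matching
row is the account the client becomes (what CURRENT_USER() reports).
Assumptions: plain-string password compare, no IP/netmask host forms.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user: str       # '' means "any user name" (anonymous account)
    host: str       # literal host, LIKE-style pattern ('%', '_'), or ''
    password: str = ""


def _sort_byte(value: str) -> int:
    """Specificity of one column: literal > later wildcard > earlier wildcard > empty."""
    for i, ch in enumerate(value):
        if ch in ("%", "_"):
            return min(i + 1, 127)
    return 128 if value else 0


def sort_key(acct: Account) -> int:
    """Host is the high byte, user the low byte; higher key = more specific."""
    return (_sort_byte(acct.host) << 8) | _sort_byte(acct.user)


def host_matches(pattern: str, client_host: str) -> bool:
    """SQL LIKE semantics, case-insensitive; an empty Host is treated like '%'."""
    if pattern == "":
        return True
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, client_host, re.IGNORECASE) is not None


def find_account(accounts, user: str, client_host: str):
    """First row in descending specificity order whose host and user both match."""
    for acct in sorted(accounts, key=sort_key, reverse=True):
        if host_matches(acct.host, client_host) and acct.user in ("", user):
            return acct
    return None


def connect(accounts, user: str, client_host: str, password: str):
    """Return the effective account as 'user@host', or None for 'Access denied'.

    The password is checked against the row that won the sort, not against a
    row chosen by the client's user name. A user@'%' grant therefore fails from
    localhost while an anonymous ''@'localhost' row sorts ahead of it.
    """
    acct = find_account(accounts, user, client_host)
    if acct is None or acct.password != password:
        return None
    return f"{acct.user}@{acct.host}"


# Constructed table: root and an anonymous localhost row, plus Jeff's '%' grant.
BASE = [
    Account("root", "localhost", "r00tpw"),
    Account("", "localhost"),            # anonymous account for localhost
    Account("jeff", "%", "s3cret"),
]
WITH_LOCAL_GRANT = BASE + [Account("jeff", "localhost", "s3cret")]
WITHOUT_ANONYMOUS = [a for a in BASE if a.user != ""]


def demo():
    """Run the four scenarios from the thread and return the outcomes."""
    return {
        "order": [(a.user, a.host) for a in sorted(BASE, key=sort_key, reverse=True)],
        "remote": connect(BASE, "jeff", "app01.corp.example", "s3cret"),
        "local": connect(BASE, "jeff", "localhost", "s3cret"),
        "local_after_grant": connect(WITH_LOCAL_GRANT, "jeff", "localhost", "s3cret"),
        "local_after_drop_anon": connect(WITHOUT_ANONYMOUS, "jeff", "localhost", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>22}: {result}")
```

On a real server the equivalent check is `SELECT USER(), CURRENT_USER();` right after connecting: USER() is what the client claimed, CURRENT_USER() is the row the server actually matched, and a value of `@localhost` means the anonymous row won. The two fixes the manual gives for this are the ones the thread converges on: add a second row for the user at 'localhost', or drop the anonymous ''@'localhost' account. The model also bears out Shawn's caveat: a session that reaches the box over SSH connects with client host "localhost" and so falls under the localhost rows, not the '%' row.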

RE: Database user Permissions

2005-10-12 Thread Jeff
Shawn,

Thanks again for responding :o)

All understood, it seems to me though that this is achieved when you
create the user by specifying where the specific user can login from.

So granting permissions to user@'%' means from anywhere while
[EMAIL PROTECTED] means only when they access from that server.  I guess
that could be easily spoofed though.

In any event, thanks for a thorough answer, at least I know the behavior
is truly by design.

Jeff
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, October 12, 2005 09:53
 To: Jeff
 Cc: mysql@lists.mysql.com
 Subject: Re: Database user Permissions
 
 
 Jeff [EMAIL PROTECTED] wrote on 10/12/2005 08:43:16 AM:
 
  Just rebuilt one of my servers and when setting up MySQL again an old
  problem I'd had and worked around came up again.
  
  Why is it that if I grant a user@'%' permissions, that user can access
  the database from any other machine on the network, but that same user
  logon accessing the db from the local system, fails until I actually
  create another grant record for [EMAIL PROTECTED]
  
  It's not a huge problem but I'd like to understand it better.
  
  Thanks,
  
  Jeff
  
 
 http://dev.mysql.com/doc/mysql/en/adding-users.html
 
 The security system wisely treats local users and remote users
 differently. For a truly secure server, someone must be physically at the
 machine in order to make a localhost login attempt. This presumes that
 some level of physical security also protects that machine. If an
 administrator had only one account, it wouldn't make a difference from
 where they logged in. That would be a hole in the security plan as you now
 have exposed admin rights beyond the server's physical security perimeter.
 
 Think about it in terms of James Bond or Mission Impossible. They
 wouldn't need to break into the vault containing the database computer if
 an administrative account could do what they wanted from outside, would
 they?  With the two-tier system, an administrator could have limited
 privileges when not physically at the console and full privileges while at
 the console.
 
 Of course, logging in to the server through SSH, telnet, or some other
 remote terminal software defeats this kind of security check as the user
 now appears to be at the local terminal. Oh, well. It is not perfect but
 it is better than nothing at all!
 
 Shawn Green
 Database Administrator
 Unimin Corporation - Spruce Pine



-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]