RE: Possible Bug in mysql 3.23.38
I would like to note that bug reports should only be sent out if you are using the latest version, which now is 3.23.39. --On Friday, June 15, 2001 17:37 -0600 Chris Bolt [EMAIL PROTECTED] wrote: After creating a new database, I ran: update user set password = 'SomeJunk' where user = 'root'; This inserts the string 'SomeJunk' literally into the database, unencrypted. This is SQL expected but the result is a database lockout (not to mention the security breach of having the clear password stored in a file. I got the smart idea to assign a root password like this from the Bugzilla-Guide.txt file that comes with Bugzilla. I just opened Bugzilla-Guide.txt and it says: mysql UPDATE user SET Password=PASSWORD ('new_password') WHERE user='root'; mysql FLUSH PRIVILEGES; note the PASSWORD('new_password') instead of just 'new_password' If there is a better way to assign passwords, please let me know. I tried grant all on mysql.* to foo identified by bar; Seems to work for creating new accounts. Try GRANT ALL PRIVILEGES ON table.* TO user@localhost IDENTIFIED BY 'password'; Since in most cases (web server and mysql on same box) you don't need to allow users to connect from anywhere. If you want to include a hostname or wildcard, put it in '' (like '%.host.com' or just '%') Also, the user table looks like: mysql select host, user, password from user; +---+-+--+ | host | user | password | +---+-+--+ | localhost | root| 7d30d6e5796d165e | | nomis | root| 7d30d6e5796d165e | | localhost | | | | nomis | | | | localhost | ShimonR | 7d30d6e5796d165e | +---+-+--+ 5 rows in set (0.00 sec) Does this mean that any user from localhost or from nomis can connect? Don't know, but unless they have corresponding rows in another table to actually give them privileges, they can't do anything. I don't have rows like that in my user table so they should be safe to delete. - Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail [EMAIL PROTECTED] To unsubscribe, e-mail [EMAIL PROTECTED] Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php -- William M. Quarles Vice Pres, Society of Physics Students Jr. Warden, Canterbury Episcopal Campus Ministry James Madison University [EMAIL PROTECTED] * This e-mail was sent using Mulberry, JMU's new official e-mail client. - Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail [EMAIL PROTECTED] To unsubscribe, e-mail [EMAIL PROTECTED] Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
Re: Possible Bug in mysql 3.23.38
PLEASE read the manual. you need to set password = password('SomeJunk') And the bug report form can be obtained by running mysqlbug, the instructions for which are also found in the manual. Thank you. j- k- On Friday 15 June 2001 13:08, Simon Shapiro wrote: Could not find a bug report form. So I am telling y'll... Platform: FreeBSD 4.3 (I do not think it matters) After creating a new database, I ran: update user set password = 'SomeJunk' where user = 'root'; This inserts the string 'SomeJunk' literally into the database, unencrypted. This is SQL expected but the result is a database lockout (not to mention the security breach of having the clear password stored in a file. I got the smart idea to assign a root password like this from the Bugzilla-Guide.txt file that comes with Bugzilla. If there is a better way to assign passwords, please let me know. I tried grant all on mysql.* to foo identified by bar; Seems to work for creating new accounts. Also, the user table looks like: mysql select host, user, password from user; +---+-+--+ | host | user | password | +---+-+--+ | localhost | root| 7d30d6e5796d165e | | nomis | root| 7d30d6e5796d165e | | localhost | | | | nomis | | | | localhost | ShimonR | 7d30d6e5796d165e | +---+-+--+ 5 rows in set (0.00 sec) Does this mean that any user from localhost or from nomis can connect? Otherwise, this is really nice (my first first hand encounter with mysql). -- Joshua Kugler, Information Services Director Associated Students of the University of Alaska Fairbanks [EMAIL PROTECTED], 907-474-7601 - Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail [EMAIL PROTECTED] To unsubscribe, e-mail [EMAIL PROTECTED] Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
RE: Possible Bug in mysql 3.23.38
After creating a new database, I ran: update user set password = 'SomeJunk' where user = 'root'; This inserts the string 'SomeJunk' literally into the database, unencrypted. This is SQL expected but the result is a database lockout (not to mention the security breach of having the clear password stored in a file. I got the smart idea to assign a root password like this from the Bugzilla-Guide.txt file that comes with Bugzilla. I just opened Bugzilla-Guide.txt and it says: mysql UPDATE user SET Password=PASSWORD ('new_password') WHERE user='root'; mysql FLUSH PRIVILEGES; note the PASSWORD('new_password') instead of just 'new_password' If there is a better way to assign passwords, please let me know. I tried grant all on mysql.* to foo identified by bar; Seems to work for creating new accounts. Try GRANT ALL PRIVILEGES ON table.* TO user@localhost IDENTIFIED BY 'password'; Since in most cases (web server and mysql on same box) you don't need to allow users to connect from anywhere. If you want to include a hostname or wildcard, put it in '' (like '%.host.com' or just '%') Also, the user table looks like: mysql select host, user, password from user; +---+-+--+ | host | user | password | +---+-+--+ | localhost | root| 7d30d6e5796d165e | | nomis | root| 7d30d6e5796d165e | | localhost | | | | nomis | | | | localhost | ShimonR | 7d30d6e5796d165e | +---+-+--+ 5 rows in set (0.00 sec) Does this mean that any user from localhost or from nomis can connect? Don't know, but unless they have corresponding rows in another table to actually give them privileges, they can't do anything. I don't have rows like that in my user table so they should be safe to delete. - Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail [EMAIL PROTECTED] To unsubscribe, e-mail [EMAIL PROTECTED] Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
Re: Possible Bug in mysql 3.23.38
Hello Simon. On Fri, Jun 15, 2001 at 05:08:18PM -0400, [EMAIL PROTECTED] wrote: Could not find a bug report form. So I am telling y'll... Platform: FreeBSD 4.3 (I do not think it matters) After creating a new database, I ran: update user set password = 'SomeJunk' where user = 'root'; This inserts the string 'SomeJunk' literally into the database, unencrypted. This is SQL expected but the result is a database lockout (not to mention the security breach of having the clear password stored in a file. As you say yourself, this is expected behaviour. Only because a certain statement could be used in a false way, MySQL should not break the SQL standard. Btw, which behaviour would you suggest? I got the smart idea to assign a root password like this from the Bugzilla-Guide.txt file that comes with Bugzilla. Tips for resetting the root password can be found here: http://www.mysql.com/doc/R/e/Resetting_permissions.html but I assume you already did that, because you are quoting the user table below. If there is a better way to assign passwords, please let me know. With setting password in the search form of the mysql online manual I found as second suggestion: 6.15 Setting Up Passwords: http://www.mysql.com/doc/P/a/Passwords.html mysql select host, user, password from user; +---+-+--+ | host | user| password | +---+-+--+ | localhost | root| 7d30d6e5796d165e | | nomis | root| 7d30d6e5796d165e | I would strongly suggest to refrain from posting passwords publically (encrypted or not), except if you are using test passwords which you will change soon again. | localhost | | | | nomis | | | | localhost | ShimonR | 7d30d6e5796d165e | +---+-+--+ 5 rows in set (0.00 sec) Does this mean that any user from localhost or from nomis can connect? Yes. Bye, Benjamin. - Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail [EMAIL PROTECTED] To unsubscribe, e-mail [EMAIL PROTECTED] Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php