Table Name as UserName with a Blank Password
I recently stumbled onto the ability to log into a mysql server from the command line with any table name, and a blank password, i.e.:

mysql -u mysql

My root account has a password set, and a few users with limited access, but I haven't done much else as far as security goes. I've tried this on a 3.23 and 4.0 mysql server running on RedHat and FreeBSD.

Is there a setting I need to change to stop this?

Thanks in advance,
Dan Ullom
Re: Table Name as UserName with a Blank Password
Hi Dan,

By default 2 anonymous user accounts are set up in the mysql database. You will have to delete them first. You should find that you can log in with any name (except the specified ones) without a password. This will probably allow you to view the databases, e.g. with SHOW DATABASES;, but you shouldn't be able to insert, update or delete anything.

Anyway, to view your user name do this:

mysql> SELECT user();

It will show you what you are logged in as (username and host). Use

mysql> SELECT current_user();

to see which mysql privilege account you are currently using.

http://www.mysql.com/doc/en/Miscellaneous_functions.html

You will have to delete the anonymous user accounts like this:

mysql> use mysql;
mysql> DELETE FROM mysql.user WHERE User='';
mysql> FLUSH PRIVILEGES;

Then you will be fine and you should be able to log in with any anonymous user accounts. ;-)

Best regards

Nils Valentin
Tokyo/Japan

--
Valentin Nils
Internet Technology
E-Mail: [EMAIL PROTECTED]
URL: http://www.knowd.co.jp
Personal URL: http://www.knowd.co.jp/staff/nils

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
Re: Table Name as UserName with a Blank Password
On 2003-07-03 11:30, Nils Valentin wrote:

> Then you will be fine and you should be able to log in with any anonymous user
> accounts. ;-)

Oops, here it should say:

Then you will be fine and you should NOT be able to log in with any anonymous user accounts.

Must have dropped that ;-)

--
Valentin Nils
Internet Technology
E-Mail: [EMAIL PROTECTED]
URL: http://www.knowd.co.jp
Personal URL: http://www.knowd.co.jp/staff/nils
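The replies above depend on how the server chooses a row from mysql.user at connect time. The Python sketch below is an added example, not part of the original thread and not MySQL's own code: it models the documented first-match rule (most specific Host first, blank User last) over a constructed user table, assuming Host is either a literal name or '%' and reducing the password check to a comparison of stored values. It goes a little beyond the thread by also showing that a named account on '%' is shadowed by the anonymous localhost row until that row is deleted.

```python
# Simplified model of how the server picks a mysql.user row at connect time.
# Assumptions: Host is a literal name or '%'; password check is a plain compare.

# Constructed sample rows: (Host, User, stored password value, '' = blank).
SAMPLE_USER_TABLE = [
    ("localhost", "root", "5d2e19393cc5ef67"),
    ("localhost", "", ""),        # default anonymous account
    ("db1.example", "", ""),      # default anonymous account (constructed host)
    ("%", "app", "1a2b3c4d5e6f7a8b"),
]


def sort_rows(rows):
    """Most specific Host first, then most specific User (blank User last)."""
    return sorted(rows, key=lambda r: (r[0] == "%", r[1] == ""))


def match_account(rows, client_user, client_host, password=""):
    """Return (USER(), CURRENT_USER()) for a login attempt, or None if denied."""
    for host, user, stored in sort_rows(rows):
        host_ok = host == "%" or host == client_host
        user_ok = user == "" or user == client_user
        if host_ok and user_ok:
            # The first matching row decides; later rows are never tried.
            if stored != password:
                return None
            return (f"{client_user}@{client_host}", f"{user}@{host}")
    return None


def risky_rows(rows):
    """Rows to review: anonymous accounts and accounts with a blank password."""
    return [(h, u) for h, u, stored in rows if u == "" or stored == ""]


def drop_anonymous(rows):
    """Model of: DELETE FROM mysql.user WHERE User=''; FLUSH PRIVILEGES;"""
    return [r for r in rows if r[1] != ""]


if __name__ == "__main__":
    # 'mysql -u mysql' with a blank password lands on the anonymous row.
    print(match_account(SAMPLE_USER_TABLE, "mysql", "localhost"))
    print(risky_rows(SAMPLE_USER_TABLE))
    print(match_account(drop_anonymous(SAMPLE_USER_TABLE), "mysql", "localhost"))
```

The first element of the returned pair corresponds to what SELECT user() reports and the second to SELECT current_user().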