Package: mysql-server
Version: 4.0.24-3
Severity: important

This is the state the MySQL user database is in after a fresh install.

mysql> select Host, User, Password from user;
+-----------+------------------+------------------+
| Host      | User             | Password         |
+-----------+------------------+------------------+
| localhost | root             |                  |
| ataraxia  | root             |                  |
| localhost |                  |                  |
| ataraxia  |                  |                  |
| localhost | debian-sys-maint | 574952o84q75o3r8 |
+-----------+------------------+------------------+
6 rows in set (0.00 sec)

I then used phpMyAdmin to create a database and a user which I granted
access to the database. As can be seen below, a password has been set for
the user.

mysql> select Host, User, Password from user where User='bengen';
+------+--------+------------------+
| Host | User   | Password         |
+------+--------+------------------+
| %    | bengen | 4655p05o05s11sno |
+------+--------+------------------+
1 row in set (0.00 sec)

However, trying to access the database by specifying this user and entering
the password, this gives me the following error:

[EMAIL PROTECTED]: $ mysql -u bengen bengen -p
Enter password:
ERROR 1045: Access denied for user: '[EMAIL PROTECTED]' (Using password: YES)

I then changed the Host field of my newly created user and tried again:

mysql> update user set Host='localhost' where User='bengen';
Query OK, 1 row affected (0.00 sec)

Voila! After reloading the privileges, I was granted access to my database.

It appears to me as if a host entry with wildcard user was checked before a
user entry with a wildcard host. This might make perfect sense, but I fail to
see the reason why the two wildcard users are there in the first place. They
might not be a security risk, as they don't have any privileges associated
with them. But they will surely lead to confusion in cases where the DBA
wants to set up username/password pairs as the only means of access control.

Please consider removing the two wildcard accounts from the default
installation.
Thanks,
-Hilko

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages mysql-server depends on:
ii  adduser           3.63                    Add and remove users and groups
ii  debconf           1.4.46                  Debian configuration management sy
ii  gawk              1:3.1.4-2               GNU awk, a pattern scanning and pr
ii  libc6             2.3.2.ds1-20            GNU C Library: Shared libraries an
ii  libdbi-perl       1.46-6                  Perl5 database interface by Tim Bu
ii  libmysqlclient12  4.0.24-3                mysql database client library
ii  libstdc++5        1:3.3.5-12              The GNU Standard C++ Library v3
ii  libwrap0          7.6.dbs-8               Wietse Venema's TCP wrappers libra
ii  mailx             1:8.1.2-0.20040524cvs-4 A simple mail user agent
ii  mysql-client      4.0.24-3                mysql database client binaries
ii  mysql-common      4.0.24-3                mysql database common files (e.g.
ii  passwd            1:4.0.3-31sarge1        change and administer password and
ii  perl              5.8.4-8                 Larry Wall's Practical Extraction
ii  psmisc            21.6-1                  Utilities that use the proc filesy
ii  zlib1g            1:1.2.2-4               compression library - runtime

-- debconf information:
  mysql-server/really_downgrade_from_41: false
  mysql-server/start_on_boot: true
  mysql-server/postrm_remove_databases: false
* mysql-server/mysql_install_db_notes:
  mysql-server/nis_warning:
  mysql-server/mysql_update_hints1:

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
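The behaviour the report describes follows from how the MySQL server chooses a row from the user table: rows are sorted with the most specific Host value first (literal hosts before patterns, bare '%' last) and, within the same host specificity, a named User before a blank one; the first row whose Host and User both match the connecting client is the only one tried. For bengen connecting from localhost the anonymous row (localhost, '') therefore wins over (%, bengen), and its empty password cannot match the one supplied. The following simulation is an added example written for this page, not MySQL's own code: it models that sort order and the two remedies (moving the user to localhost, or dropping the anonymous rows). The password column uses a SHA-1 stand-in for the server's real scramble, the host ordering is simplified (no IP/netmask rules), and all table rows and secrets are constructed.

```python
"""Simulation of MySQL's user-table row selection (constructed example)."""
import hashlib
import re
from typing import List, Optional, Tuple

Row = Tuple[str, str, str]  # (Host, User, stored password; "" means no password)


def store(password: str) -> str:
    """Stand-in for the server's password scrambling (assumption: plain SHA-1
    hex, not MySQL's real scramble). An empty password is stored as ""."""
    return hashlib.sha1(password.encode()).hexdigest() if password else ""


# Constructed copy of the report's table: two root rows, two anonymous rows
# (blank User), the maintenance account, and the bengen@% user added later.
USER_TABLE: List[Row] = [
    ("localhost", "root", ""),
    ("ataraxia", "root", ""),
    ("localhost", "", ""),
    ("ataraxia", "", ""),
    ("localhost", "debian-sys-maint", store("maint-secret")),
    ("%", "bengen", store("bengen-secret")),
]


def host_rank(host: str) -> int:
    """Lower rank = more specific: literal host < pattern with wildcards < '%'."""
    if host == "%":
        return 2
    if "%" in host or "_" in host:
        return 1
    return 0


def sort_key(row: Row) -> Tuple[int, int]:
    """Host specificity first, then a named user before a blank (anonymous) one."""
    host, user, _ = row
    return (host_rank(host), 0 if user else 1)


def host_matches(pattern: str, client_host: str) -> bool:
    """The Host column uses LIKE wildcards: % = any run, _ = one character."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, client_host) is not None


def find_row(table: List[Row], client_host: str, client_user: str) -> Optional[Row]:
    """Return the first row in sorted order whose Host and User match the client.
    A blank User matches any user name, which is what makes anonymous rows bite."""
    for row in sorted(table, key=sort_key):
        host, user, _ = row
        if host_matches(host, client_host) and user in ("", client_user):
            return row
    return None


def check_login(table: List[Row], client_host: str, client_user: str,
                password: str) -> str:
    """Emulate the server's verdict: only the selected row's password is checked."""
    row = find_row(table, client_host, client_user)
    if row is None:
        return f"denied for '{client_user}@{client_host}' (no matching row)"
    if row[2] != store(password):
        using = "YES" if password else "NO"
        return f"denied for '{client_user}@{client_host}' (Using password: {using})"
    return f"ok via row {row[1] or '<anonymous>'}@{row[0]}"


def rehost(table: List[Row], user: str, new_host: str) -> List[Row]:
    """Remedy 1 from the report: give the user an explicit Host of 'localhost'."""
    return [(new_host if r[1] == user else r[0], r[1], r[2]) for r in table]


def drop_anonymous(table: List[Row]) -> List[Row]:
    """Remedy 2 the report asks for: remove the blank-user rows entirely."""
    return [r for r in table if r[1] != ""]


if __name__ == "__main__":
    print(check_login(USER_TABLE, "localhost", "bengen", "bengen-secret"))
    print(check_login(rehost(USER_TABLE, "bengen", "localhost"),
                      "localhost", "bengen", "bengen-secret"))
    print(check_login(drop_anonymous(USER_TABLE),
                      "localhost", "bengen", "bengen-secret"))
```

Running the block shows the original denial with "Using password: YES", then success through bengen@localhost after the rehost, then success through bengen@% once the anonymous rows are gone. The second remedy is the more robust one for a DBA who wants username/password pairs to be the only access control, because an anonymous row with a specific host will always shadow a named user with a wildcard host connecting from that host.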