On Thu, Jan 23, 2020 at 06:11:37PM -0500, Wayne Sallee wrote:
> This is interesting. I'm not sure what to think about this.
>
> on terminal, as user1
> su -
> # Enter root password.
> su - user2
> # No password is needed.
> mysql
> Access denied for user 'user1'@'localhost' (using password: NO)

After your (first) "su -" and your (second) "su - user2", just issue the
command "id": this might help understand what's going on (my hunch is
that (real) uid and euid are not identical at that point, but I might be
wrong, see below).

> # Now if I enter:
> mysql -u user2 -pmypassword
> # It will let me in.

I have no idea where the "mysql" command tries to get its default user
ID from (probably out of one of the several possible user IDs [1] your
shell process has, but Who Knows (TM)?) If you override that (with -u)
and prove you have access rights (by providing your password, with -p)
it doesn't have to guess.

> What surprises me is that it figures that user1 is wanting access to
> mysql instead of user2.
> Knowing a previous user could have security issues.

Read [1] below. You have control over the session. You "came from"
user1. Why should that be a problem?

OTOH perhaps mysql is basing its guess on the environment variable
LOGNAME, and "su -" hasn't changed that?

It's ages ago I stopped using "su" regularly (convinced by sudo), so I
lost track of the finer details of "su" (which have changed recently,
AFAIK).

Cheers
[1] https://en.wikipedia.org/wiki/User_identifier
-- 
tomás
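A diagnostic along the lines tomás suggests, as an added example that is not part of the original mail. The show_identities function prints every identity source a client program might consult: real and effective uid (what "id" reports), the login name of the controlling terminal (the "logname" command, which is the command-line face of getlogin(3)), and the USER/LOGNAME environment variables. The pick_default_user function is a model, not the mysql client's own code: it assumes the client resolves its default user by trying the terminal login name first, then the effective uid's passwd entry, then the environment. That order is my reading of how the mysql client's read_user_name() behaves and should be treated as an assumption to verify against your client version; the thread itself only guesses at LOGNAME. The user names user1 and user2 are the constructed scenario from the thread.

```shell
#!/bin/sh
# Added example for this thread (not from the original mail).
# Shows the several identities one shell process carries after "su",
# and which one a client would pick under the assumed lookup order.

# Print every identity source a tool might consult. "logname" calls
# getlogin(3): the name recorded for the controlling terminal's login
# session, which "su" does not rewrite. It fails without a terminal.
show_identities() {
    printf 'real uid       : %s (%s)\n' "$(id -ru)" "$(id -run)"
    printf 'effective uid  : %s (%s)\n' "$(id -u)" "$(id -un)"
    printf 'login name     : %s\n' "$(logname 2>/dev/null || printf '<none>')"
    printf 'USER           : %s\n' "${USER:-<unset>}"
    printf 'LOGNAME        : %s\n' "${LOGNAME:-<unset>}"
}

# Model of a client's default-user guess (assumed order, see lead-in):
#   $1 login name from getlogin() (empty if unavailable)
#   $2 user name of the effective uid
#   $3 USER / LOGNAME fallback (may be empty)
pick_default_user() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "${3:-UNKNOWN_USER}"
    fi
}

# Constructed scenario from the thread: logged in as user1, then
# "su -" and "su - user2". The terminal's login name stays user1,
# so a getlogin()-first client reports user1 although euid is user2.
thread_scenario() {
    pick_default_user "user1" "user2" "user2"
}

# Same scenario with no controlling-terminal login name (a cron job,
# an ssh command without a pty): the effective uid's name wins.
no_login_scenario() {
    pick_default_user "" "user2" "user2"
}

show_identities
printf 'client would guess: %s\n' "$(thread_scenario)"
```

Run it once before "su -", once after "su - user2": "id" will show user2 for both real and effective uid in the second run while "logname" still shows the original login, which is the mismatch the thread observed. Passing "-u user2" to the client sidesteps the guess altogether.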