Right, I understand that, but then *why* can a user create another user, with all the priveleges they have, but with now password. That seems like a great security hole. It seems that the GRANT syntax should allow the setting of a password upon account creation without requiring access to the mysql db.
j----- k----- On Saturday 08 January 2005 05:55, Gleb Paharenko said something like: > Hello. > > As said at: > > http://dev.mysql.com/doc/mysql/en/SET_PASSWORD.html > > Only clients with access to mysql database can set passwords for > other accounts. > > "Joshua J. Kugler" <[EMAIL PROTECTED]> wrote: > > I've read the sections on GRANT's and permissions, and done some > > googling, and > > > > still haven't found what I'm looking for. > > > > I have a user that has USAGE and GRANT global privs and all privs and > > GRANT on database rubric. > > > > However, when they try to run this query: > > > > GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON rubric.* TO > > 'user'@'localhost' IDENTIFIED BY 'password'; > > > > They get the error > > > > ERROR 1044: Access denied for user 'user'@'host' to database 'mysql' > > > > They can log in just fine, so it is not a matter of host name. > > > > I found a post that seemed to allude to the fact that a user with GRANT > > could > > > > only create a new user via GRANT if there was not IDENTIFIED BY clause. > > > > (However, a user with write permissions to the mysql database could). I > > > > verified this to be the case when this query, > > > > GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON rubric.* TO > > 'user'@'localhost' > > > > run as the user in question, worked and created the user, albeit with no > > > > password. > > > > Is there a way for a user with GRANT privs to create a user *with* a > > password? -- Joshua J. Kugler -- Fairbanks, Alaska -- ICQ#:13706295 Every knee shall bow, and every tongue confess, in heaven, on earth, and under the earth, that Jesus Christ is LORD -- Count on it! -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
