patternsqlMinor
Is this a normal set of MySQL privileges?
Viewed 0 times
thisprivilegesnormalmysqlset
Problem
Using phpmyadmin on a local test wamp setup, and well as pretty much the title states, there are 3 users marked as user = ANY, password = NO, such as:
None of the 3 any users have any specific privileges for any tables, so it appears they can't do much. Is this some sort of generic security measure, to explicitly state that 'Any' user that doesn't fall into any other user group has no privileges?
USER | HOST | Password | Global Priv | Grant
-----+---------+----------+-------------+------
Any | % | No | USAGE | No
Any | Local | No | USAGE | No
Any | Domain | No | USAGE | No
-----+---------+----------+-------------+------None of the 3 any users have any specific privileges for any tables, so it appears they can't do much. Is this some sort of generic security measure, to explicitly state that 'Any' user that doesn't fall into any other user group has no privileges?
Solution
In reality, those three user accounts are actually quite dangerous. They pose a very great threat to test databases.
Unfortunately, mysql comes with full access to test databases. How can you find them ?
Run this query:
Upon installation of mysql, you will see two rows that give full access to any database named 'test' or whose first 5 characters are 'test_'.
Why is this a problem ???
Try running this command:
You will have connected the test database without a password.
Now, create a table and load it with a row:
OK, big deal. Could you double this table in size 30 times ???
What do you get ?? A table with 1,073,741,824 rows. Easily, 4GB+.
Imagine creating any table of any size. How about creating a bunch of tables in the test database and freely accessing them at will ?
The best thing you can do under these circumstances is to run this query:
and restart mysql. Then, those three accounts will be properly rendered inoperative.
Give it a Try !!!
UPDATE 2011-09-12 10:00 EDT
This delete:
is just what you need for an initial installation. However, if you have users already established, You can run this instead:
This will remove the specific two DB permissions.
As I mentioned in my answer, the three permissions are very dangerous for test databases. Running this DELETE will neutralize those accounts for having full rights to test databases.
Unfortunately, mysql comes with full access to test databases. How can you find them ?
Run this query:
SELECT user,host,db from mysql.db;Upon installation of mysql, you will see two rows that give full access to any database named 'test' or whose first 5 characters are 'test_'.
Why is this a problem ???
Try running this command:
$ mysql -u'' -DtestYou will have connected the test database without a password.
Now, create a table and load it with a row:
CREATE TABLE mytable (a int);
INSERT INTO mytable VALUES (1);OK, big deal. Could you double this table in size 30 times ???
INSERT INTO mytable SELECT * FROM mytable;
INSERT INTO mytable SELECT * FROM mytable;
... (30 times)
INSERT INTO mytable SELECT * FROM mytable;What do you get ?? A table with 1,073,741,824 rows. Easily, 4GB+.
Imagine creating any table of any size. How about creating a bunch of tables in the test database and freely accessing them at will ?
The best thing you can do under these circumstances is to run this query:
DELETE FROM mysql.db;and restart mysql. Then, those three accounts will be properly rendered inoperative.
Give it a Try !!!
UPDATE 2011-09-12 10:00 EDT
This delete:
DELETE FROM mysql.db;
FLUSH PRIVILEGES;is just what you need for an initial installation. However, if you have users already established, You can run this instead:
DELETE FROM mysql.db WHERE db IN ('test','test_%');
FLUSH PRIVILEGES;This will remove the specific two DB permissions.
As I mentioned in my answer, the three permissions are very dangerous for test databases. Running this DELETE will neutralize those accounts for having full rights to test databases.
Code Snippets
SELECT user,host,db from mysql.db;$ mysql -u'' -DtestCREATE TABLE mytable (a int);
INSERT INTO mytable VALUES (1);INSERT INTO mytable SELECT * FROM mytable;
INSERT INTO mytable SELECT * FROM mytable;
... (30 times)
INSERT INTO mytable SELECT * FROM mytable;DELETE FROM mysql.db;Context
StackExchange Database Administrators Q#5620, answer score: 6
Revisions (0)
No revisions yet.