patternsqlMinor
MySQL user with empty hostname
Viewed 0 times
withuseremptymysqlhostname
Problem
On a MySQL 5.6 server, the
mysql.user table contains an user with an empty hostname ('jdoe'@''). What does that mean?Solution
User whose name is joe can connect from any host.
Please note what MySQL 5.0 Certification Study Guide
say in its bulletpoints on Page 498 Paragraph 6:
On Unix, MySQL comes with a mysql_secure_installation script that can
perform several helpful security-related operations on your
installation. The script has the following capabilities:
it prevents the possibility of anyone connecting to the MySQL server
as root from a remote host. The results is that anyone who wants to
connect as root must first be able to log in on the server host, which
provides an additional barrier against attack.
might also want to remove the test database to which they have
access).
That user needs to be removed immediately.
Simply run
GIVE IT A TRY !!!
UPDATE 2017-02-01 17:07 EST
According to the MySQL Documentation on Access Control, Stage 2: Request Verification
A '%' or blank Host value means “any host.”
This is applicable at all levels of grants.
Please note what MySQL 5.0 Certification Study Guide
say in its bulletpoints on Page 498 Paragraph 6:
On Unix, MySQL comes with a mysql_secure_installation script that can
perform several helpful security-related operations on your
installation. The script has the following capabilities:
- Set a password for the root accounts
- Remove any remotely accessible root accounts.
- Remove the anonymous user accounts. This improves security because
it prevents the possibility of anyone connecting to the MySQL server
as root from a remote host. The results is that anyone who wants to
connect as root must first be able to log in on the server host, which
provides an additional barrier against attack.
- Remove the test database (If you remove the anonymous accounts, you
might also want to remove the test database to which they have
access).
That user needs to be removed immediately.
Simply run
DELETE FROM mysql.user WHERE host='';
FLUSH PRIVILEGES;GIVE IT A TRY !!!
UPDATE 2017-02-01 17:07 EST
According to the MySQL Documentation on Access Control, Stage 2: Request Verification
A '%' or blank Host value means “any host.”
This is applicable at all levels of grants.
Code Snippets
DELETE FROM mysql.user WHERE host='';
FLUSH PRIVILEGES;Context
StackExchange Database Administrators Q#162333, answer score: 6
Revisions (0)
No revisions yet.