From: swolf at x-project.net (Sascha Wolf)
Subject: MySQL and the user "su"

Dear Tom Crimmins,

On Friday, 31 December 2004 at 17:42, you wrote:

> [snip]
> I have determined today that I can connect to a local MySQL server via
> "mysql -usu". I regard that as an error; can someone confirm that?
> [/snip]

> This is not an error. You should by default be able to connect with any user
> from localhost, but you will not have privileges to do anything else. This
> is because the mysql install by default sets up permissions this way. You
> could verify this yourself by connecting as root, and executing the
> following query:

> SELECT * FROM mysql.user;

> The row that applies in this case is the one with Host='localhost' and
> User=''. You can delete this row if you do not want this behavior. You must
> do a "flush privileges;" after deleting the row.

> ---
> Tom Crimmins
> Interface Specialist
> Pottawattamie County, Iowa

OK, once I delete the user, I can no longer connect. But why does MySQL create
this user at all, if it is not used?

I think that is a security bug to be evaluated.

-- 
Kind regards
Sascha Wolf
mailto:swolf@...roject.net
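
Why "mysql -usu" is accepted from localhost, as an added example that is not part of the original thread: a simplified Python model of the server's documented account-row selection (most-specific Host first, blank User last, first match wins). The sample rows, the function names and the restriction of Host patterns to literal names and '%' are assumptions; password checking is not modelled.

```python
# Simplified model of how the MySQL server picks a mysql.user row for an
# incoming connection: rows are ordered most-specific Host first, then
# most-specific User (a blank User matches any name and sorts last), and
# the first matching row is the one the connection is checked against.
# Assumption: Host values are either literal names or the '%' wildcard.

SAMPLE_ROWS = [  # constructed sample, not taken from a real server
    ("localhost", "root"),
    ("localhost", ""),      # the anonymous row discussed in the thread
    ("%", "app"),
]

def _sort_key(row):
    host, user = row
    # False sorts before True: literal hosts before '%', named users before ''.
    return (host == "%", user == "")

def host_matches(pattern, client_host):
    return pattern == "%" or pattern.lower() == client_host.lower()

def match_account(rows, client_host, client_user):
    """Return the (Host, User) row selected for this connection, or None."""
    for host, user in sorted(rows, key=_sort_key):
        if host_matches(host, client_host) and user in ("", client_user):
            return (host, user)
    return None

def anonymous_rows(rows):
    """Rows an audit should flag: a blank User accepts any client user name."""
    return [row for row in rows if row[1] == ""]

def without_anonymous(rows):
    """The table as it looks after the anonymous rows have been deleted."""
    return [row for row in rows if row[1] != ""]

if __name__ == "__main__":
    for who in ("su", "root", "app"):
        print(who, "@localhost ->", match_account(SAMPLE_ROWS, "localhost", who))
    hardened = without_anonymous(SAMPLE_ROWS)
    print("flagged:", anonymous_rows(SAMPLE_ROWS))
    print("su after cleanup ->", match_account(hardened, "localhost", "su"))
    print("app after cleanup ->", match_account(hardened, "localhost", "app"))
```

In this model a named account defined only for '%' is also caught by the anonymous localhost row when it connects locally, because the literal host sorts ahead of the wildcard.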
