SantaMufasa
Technical User
"USE <db>" is successful by any user for any database on our MySQL installation. How do I prevent access to one or more databases by a given user?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
How do I prohibit user from unwanted "USE <db>"? 1
- Thread starter SantaMufasa
- Start date
- Status
bahwalpuri
IS-IT--Management
Comming back to our problem, it seems to me that in mysql as soon as you create a user, even without any privileges he gets the right to see all the databases. Whenever I only create a user and
#######################
show grants for user@whatever;
#######################
gives me
####################################
GRANT SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES ON *.* TO 'user@whatever;
####################################
And here lies the problem the user can see all the databases as he logs in.
stupid hemmm.
still working on it.
cheers
amir
#######################
show grants for user@whatever;
#######################
gives me
####################################
GRANT SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES ON *.* TO 'user@whatever;
####################################
And here lies the problem the user can see all the databases as he logs in.
stupid hemmm.
still working on it.
cheers
amir
Hi SantaMufasa,
are you sure that "yada" doesn't exist in the "user"-table of "mysql"-database anymore, that is, completely erased?
Has someone made changes to the mysql-db within these hours?
Greetings
--
Smash your head on keyboard to continue...
are you sure that "yada" doesn't exist in the "user"-table of "mysql"-database anymore, that is, completely erased?
Has someone made changes to the mysql-db within these hours?
Greetings
--
Smash your head on keyboard to continue...
- Thread starter
- #23
SantaMufasa
Technical User
MySQL Buddies, My developers are getting frantic about this apparent security gap. To revisit and renew active dialog on this issue, can I ask ANYONE on this forum to respond to a couple of EASY questions:
1) When you CREATE a new user in MySQL, is the new user able to "USE" any and all databases on your installation?
2) Have you found a way to prevent the new user from "USE"-ing any and all databases?
3) If the answers to 1) and 2) are "Yes" and "No", respectively, does this profound security breach worry you?
4) If the answers to 1) and 2) are "No" and "Yes", respectively, can you please share how you made that happen?
BTW, Amir (from two replies above), have you been able to make any progress on your quest to resolve this issue?
Thanks,
Dave
1) When you CREATE a new user in MySQL, is the new user able to "USE" any and all databases on your installation?
2) Have you found a way to prevent the new user from "USE"-ing any and all databases?
3) If the answers to 1) and 2) are "Yes" and "No", respectively, does this profound security breach worry you?
4) If the answers to 1) and 2) are "No" and "Yes", respectively, can you please share how you made that happen?
BTW, Amir (from two replies above), have you been able to make any progress on your quest to resolve this issue?
Thanks,
Dave
One thing to note here is that just because a user can 'USE db_name' doesn't mean they can see any data there. From the info you posted, the user doesn't have SELECT or INSERT privileges on the db, so they can't read or write data into it, nor grant privileges either. I don't see how this can be a major security hole.
- Thread starter
- #25
SantaMufasa
Technical User
StukA, If that is the MySQL security model, then that's what we live with. I'll explain to our developers that they live with a "USE, but don't touch (or see)" regimen.
Thanks for everyone's contributions.
Dave
Thanks for everyone's contributions.
Dave
- Status