
Full Disclosure Mailing List Archive

From: Sascha Wolf (swolf@x-project.net)
Date: Fri Dec 31 2004 - 13:47:02 EST

Dear Tom Crimmins,

On Friday, 31 December 2004 at 17:42, you wrote:

> [snip]
> Today I determined that I can connect to a local MySQL server via
> "mysql -usu". I regard that as an error; can someone confirm that?
> [/snip]

> This is not an error. You should by default be able to connect with any user
> from localhost, but you will not have privileges to do anything else. This
> is because the mysql install by default sets up permissions this way. You
> could verify this yourself by connecting as root, and executing the
> following query:

> SELECT * FROM mysql.user;

> The row that applies in this case is the one with Host='localhost' and
> User=''. You can delete this row if you do not want this behavior. You must
> do a "flush privileges;" after deleting the row.

> ---
> Tom Crimmins
> Interface Specialist
> Pottawattamie County, Iowa

OK, if I delete the user, I can no longer connect. But why does MySQL set up
this user at all if it is not used?

I think that is a security bug that should be evaluated.

Kind regards,
Sascha Wolf

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
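
The check and cleanup discussed in this thread, as an added example that is not part of the original messages. It goes slightly beyond the thread by covering anonymous rows on any host and in mysql.db, and it assumes a mysql client session with the account noted at each step.

```sql
-- Added example, not from the original thread.

-- 1. Run this while connected as the unlisted name from the thread
--    (mysql -usu). USER() shows the name the client supplied;
--    CURRENT_USER() shows the account row the server matched. With the
--    anonymous row in place, the matched account is ''@'localhost'.
SELECT USER() AS supplied_by_client, CURRENT_USER() AS matched_account;

-- Steps 2 to 5 are run as an administrative account such as root.

-- 2. List every anonymous account row (empty user name), on any host,
--    instead of reading through SELECT * FROM mysql.user by eye.
SELECT Host, User FROM mysql.user WHERE User = '';

-- 3. List database-level privileges tied to anonymous accounts.
--    Any row returned here gives anonymous sessions rights on that database.
SELECT Host, Db, User FROM mysql.db WHERE User = '';

-- 4. Remove the anonymous rows and reload the grant tables, as the
--    reply in the thread describes for the Host='localhost' row.
DELETE FROM mysql.db   WHERE User = '';
DELETE FROM mysql.user WHERE User = '';
FLUSH PRIVILEGES;

-- On current MySQL versions the account-management statement
--   DROP USER ''@'localhost';
-- removes the account without editing the grant tables directly.

-- 5. Verify: this should now return 0, and "mysql -usu" should be refused.
SELECT COUNT(*) AS anonymous_rows FROM mysql.user WHERE User = '';
```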
