How do I prohibit user from unwanted "USE <db>"?


SantaMufasa

Technical User
Jul 17, 2003
12,588
US
"USE <db>" is successful by any user for any database on our MySQL installation. How do I prevent access to one or more databases by a given user?
 
Coming back to our problem, it seems to me that in mysql as soon as you create a user, even without any privileges he gets the right to see all the databases. Whenever I only create a user and
#######################
show grants for user@whatever;
#######################

gives me

####################################
GRANT SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES ON *.* TO 'user@whatever;
####################################

And here lies the problem: the user can see all the databases as he logs in.

stupid hemmm.

still working on it.

cheers
amir
 
Hi SantaMufasa,

are you sure that "yada" doesn't exist in the "user"-table of "mysql"-database anymore, that is, completely erased?

Has someone made changes to the mysql-db within these hours?

Greetings

--
Smash your head on keyboard to continue...
 
MySQL Buddies, My developers are getting frantic about this apparent security gap. To revisit and renew active dialog on this issue, can I ask ANYONE on this forum to respond to a couple of EASY questions:

1) When you CREATE a new user in MySQL, is the new user able to "USE" any and all databases on your installation?
2) Have you found a way to prevent the new user from "USE"-ing any and all databases?
3) If the answers to 1) and 2) are "Yes" and "No", respectively, does this profound security breach worry you?
4) If the answers to 1) and 2) are "No" and "Yes", respectively, can you please share how you made that happen?

BTW, Amir (from two replies above), have you been able to make any progress on your quest to resolve this issue?

Thanks,

Dave
 
One thing to note here is that just because a user can 'USE db_name' doesn't mean they can see any data there. From the info you posted, the user doesn't have SELECT or INSERT privileges on the db, so they can't read or write data into it, nor grant privileges either. I don't see how this can be a major security hole.
 
StukA, If that is the MySQL security model, then that's what we live with. I'll explain to our developers that they live with a "USE, but don't touch (or see)" regimen.

Thanks for everyone's contributions.

Dave
 
My version (4.0.12) has a field called Show_db_priv in the user table of the MySQL database.
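
An added example, not part of the original thread: one way to audit and remove the global grants that appear in the SHOW GRANTS output above, including the Show_db_priv column mentioned in the last reply, and to replace them with database-scoped grants. The account 'appuser'@'localhost' and the database app_db are hypothetical names.

```sql
-- Added example; 'appuser'@'localhost' and app_db are hypothetical names.

-- 1. Audit: list accounts that hold the global (*.*) privileges seen in
--    the SHOW GRANTS output in this thread. Global privileges are stored
--    as Y/N columns in mysql.user.
SELECT User, Host, Show_db_priv, Create_tmp_table_priv, Lock_tables_priv
FROM mysql.user
WHERE Show_db_priv = 'Y'
   OR Create_tmp_table_priv = 'Y'
   OR Lock_tables_priv = 'Y';

-- 2. Remove the global grants. A privilege granted ON *.* applies to
--    every database on the server, so it is revoked at the same scope.
REVOKE SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES
    ON *.* FROM 'appuser'@'localhost';

-- 3. Grant only what the account needs, scoped to a single database.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON app_db.* TO 'appuser'@'localhost';

-- 4. Verify what the account now holds at each scope.
SHOW GRANTS FOR 'appuser'@'localhost';
```

Afterwards, reconnect as the account and run SHOW DATABASES and USE against a database it holds no grant on, to confirm what the installed server version permits.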
 