Re: Blank users/passwords

From: Russell E Glaue (rglauecait.org)
Date: Mon Dec 10 2007 - 16:14:39 CST


Garris, Nicole wrote:
> I'm a new MySQL DBA taking over admin duties for an existing MySQL
> nonclustered 4.1 installation. It has 6 small user databases. So in the
> mysql database, I run the query
>
> Select host, user, password from user;
>
> Which returns the following:
>
> +------------------------+----------+-------------------+
> | host                   | user     | password          |
> +------------------------+----------+-------------------+
> | localhost              | root     | (long hex string) |
> | localhost network name | root     |                   |
> | localhost network name |          |                   |
> | localhost              |          | (long hex string) |
> | localhost              | one_user | (long hex string) |
> | %                      | one_user | (long hex string) |
> | %                      | root     | (long hex string) |
> | localhost              | two_user | (long hex string) |
> | IP address x           | one_user | (long hex string) |
> | IP address y           | one_user |                   |
> +------------------------+----------+-------------------+
>
> Does this mean that:
>
> 1. Line 2 above: root can log in with a blank password from (localhost
> network name)?
yes
>
> 2. Line 3 above: A blank user/password can be used to log in from
> (localhost network name)?
yes
>
> 3. Line 4 above: A blank user can be used to log in from localhost, but
> a password has been specified?
I believe MySQL requires a username when a password is supplied.
But in logic that does not follow rules ;-) ... yes
>
> 4. Line 10 above: User "one-user" can be used to log in from IP address
> y with a blank password?
yes
>
>
>
> Or am I reading this incorrectly?
>
>

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
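
An audit query for the account table discussed in this thread, added here as an example and not part of the original messages. It assumes the MySQL 4.1 `mysql.user` columns shown in the question; `host_name_here` and `new_password_here` are placeholders.

```sql
-- Added example: flag the rows of mysql.user that allow a login without
-- a user name or without a password (MySQL 4.1 column names assumed).
-- An empty user value is an anonymous account: it matches any user name
-- connecting from that host.
SELECT host,
       user,
       CASE
         WHEN user = '' AND password = '' THEN 'anonymous account, no password'
         WHEN user = ''                   THEN 'anonymous account, password set'
         ELSE                                  'named account, no password'
       END AS finding
FROM mysql.user
WHERE user = '' OR password = ''
ORDER BY host, user;

-- Mitigation for a named account with a blank password.
-- 'host_name_here' and 'new_password_here' are placeholders: use the host
-- value exactly as the query above reports it.
SET PASSWORD FOR 'root'@'host_name_here' = PASSWORD('new_password_here');

-- Mitigation for anonymous accounts: remove the rows from the grant table
-- and reload it so the change takes effect for new connections.
DELETE FROM mysql.user WHERE user = '';
FLUSH PRIVILEGES;
```

Run against the table in the question, the SELECT returns the four rows the questions ask about (lines 2, 3, 4 and 10).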