
Re: [cobalt-users] mysql bug which gives users access to create databases etc.



Hi Kim,

> Can anyone else verify this. 
> I came across a bug in Mysql 
> $mysql -V
> mysql  Ver 11.15 Distrib 3.23.37, for pc-linux-gnu (i686)
> 
> if a user has an _ (underscore) in their username, then this user can
> modify (add, delete, select etc.) in all databases where the username is
> the same as the user with the _ (it works as a wildcard).
> 
> eg. user site_2 can access his own database db_2 but he can also access
> user site22's database db22. 
> if the database doesn't exist, then the user can create it (both as
> user_2 and as any other userX2 - where X can be anything).
> 
> Is this bug known and does it only apply to the Raq version of MySQL? 

Just a quick follow-up: you can get it to work without wildcards if you don't
use GRANT syntax, but insert the information with the underscore escaped
directly to mysql.user and mysql.db tables. You can find some sketchy docs
about the wildcarding here:

    http://www.mysql.com/doc/en/GRANT.html

Cheers,

Alex

--
Alex Krohn
alex@xxxxxxxxxxxxxxxxxxxx
http://gossamer-threads.com/cobalt/
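
The wildcard behaviour discussed in this thread, as an added example that is not part of the original messages: a small audit that takes (User, Db) pairs as they would be exported from the mysql.db table and reports every Db pattern whose unescaped `_` or `%` also matches databases other than the one it spells out, together with the escaped form. The function names and the sample rows are constructed for illustration, and case-sensitive database names are assumed.

```python
import re

def db_pattern_to_regex(pattern):
    """Translate a mysql.db Db value: _ = one char, % = any run, backslash escapes."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped char is literal
            i += 2
            continue
        out.append("." if ch == "_" else ".*" if ch == "%" else re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def literal_name(pattern):
    """The database name the pattern spells when wildcards are read literally."""
    return re.sub(r"\\(.)", r"\1", pattern)

def escaped(pattern):
    """Same name with _ and % escaped, so it matches exactly one database."""
    return re.sub(r"([_%])", r"\\\1", literal_name(pattern))

def audit(grants, databases):
    """Return (user, pattern, unintended_dbs, suggested_pattern) for over-broad rows."""
    findings = []
    for user, pattern in grants:
        rx = db_pattern_to_regex(pattern)
        intended = literal_name(pattern)
        extra = sorted(d for d in databases if rx.fullmatch(d) and d != intended)
        if extra:
            findings.append((user, pattern, extra, escaped(pattern)))
    return findings

# Constructed sample data modelled on the names used in the thread
GRANTS = [("site_2", "db_2"), ("site22", "db22"), ("site_3", "db\\_3")]
DATABASES = ["db_2", "db22", "dbX2", "db_3", "db23"]

if __name__ == "__main__":
    for user, pattern, extra, fix in audit(GRANTS, DATABASES):
        print(f"{user}: Db={pattern!r} also matches {extra}; use {fix!r}")
```

Rows that come back from `audit` are the ones to rewrite with the escaped Db value; a row already stored as `db\_3` is not reported.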