sql-info.de

5. Administration

5.1. Privilege alterations

If a user's privileges are changed, for example with GRANT and REVOKE, the server reloads its in-memory grant tables immediately, but the change does not reach every session that is already open: global privileges (and passwords) only take effect for new connections, database-level privileges at the client's next USE statement, and table- and column-level privileges with the client's next request. A session that already holds a global privilege therefore keeps it until it disconnects. In a security-sensitive context it is advisable to ensure the user is disconnected before the privileges are altered (or to terminate the user's open sessions with KILL afterwards) and to verify the result with SHOW GRANTS.
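The following is an added example, not code from the original page: it locks an account, terminates its open sessions, revokes a global privilege and then unlocks the account again, so that no session survives with the old privilege. The account name 'appuser'@'%', the revoked privilege (FILE) and the helper procedure disconnect_user are assumptions. Listing other users' sessions needs the PROCESS privilege and killing them needs SUPER (CONNECTION_ADMIN on MySQL 8.0); ALTER USER ... ACCOUNT LOCK exists from MySQL 5.7.6 on.

```sql
-- Added example, not part of the original page.
-- Assumptions: the account is 'appuser'@'%', the privilege to withdraw is the
-- global FILE privilege, and disconnect_user is a hypothetical helper.

-- 1. Stop new logins while the change is rolled out (MySQL 5.7.6 and later).
ALTER USER 'appuser'@'%' ACCOUNT LOCK;

-- 2. Terminate every open session of the account except the current one.
--    KILL only accepts a literal thread id, so each id is interpolated into a
--    prepared statement. Requires PROCESS to see other users' sessions and
--    SUPER (CONNECTION_ADMIN in 8.0) to kill them.
DELIMITER //
CREATE PROCEDURE disconnect_user(IN p_user VARCHAR(32))
BEGIN
  DECLARE done INT DEFAULT 0;
  DECLARE v_id BIGINT UNSIGNED;
  DECLARE cur CURSOR FOR
    SELECT ID FROM information_schema.PROCESSLIST
     WHERE USER = p_user AND ID <> CONNECTION_ID();
  DECLARE CONTINUE HANDLER FOR NOT FOUND SET done = 1;
  -- 1094 = ER_NO_SUCH_THREAD: the session went away on its own, carry on.
  DECLARE CONTINUE HANDLER FOR 1094 BEGIN END;

  OPEN cur;
  kill_loop: LOOP
    FETCH cur INTO v_id;
    IF done THEN
      LEAVE kill_loop;
    END IF;
    SET @kill_sql = CONCAT('KILL CONNECTION ', v_id);
    PREPARE kill_stmt FROM @kill_sql;
    EXECUTE kill_stmt;
    DEALLOCATE PREPARE kill_stmt;
  END LOOP;
  CLOSE cur;
END //
DELIMITER ;

CALL disconnect_user('appuser');

-- 3. Now alter the privileges. No session of the account is open, so the
--    next connection is the first one to see the new grant tables.
REVOKE FILE ON *.* FROM 'appuser'@'%';

-- 4. Verify: no sessions left, and the privilege no longer appears.
SELECT ID, HOST, DB, COMMAND
  FROM information_schema.PROCESSLIST
 WHERE USER = 'appuser';
SHOW GRANTS FOR 'appuser'@'%';

-- 5. Re-enable logins once the change is confirmed.
ALTER USER 'appuser'@'%' ACCOUNT UNLOCK;
```

The lock step matters for the ordering the text recommends (disconnect first, then alter): without it, the account can reconnect between the KILL and the REVOKE and the new session again holds the old privilege until it disconnects. On servers without ALTER USER ... ACCOUNT LOCK, run the REVOKE first and the disconnect afterwards instead.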

5.2. Anonymous account

Older MySQL installations (before 5.7) create an anonymous local account by default, so any OS user on the local machine can connect to the database server without a password. In such a session current_user() reports an empty user name:

mysql> SELECT current_user();
+----------------+
| current_user() |
+----------------+
| @localhost     |
+----------------+
1 row in set (0.00 sec)

Since these installations also create a test database that the anonymous account may use, the MySQL installation is exposed to some risk from local OS users, typically denial of service (creation of very large tables that fill the data directory, and so on).

Remove the anonymous user account with:

DELETE FROM mysql.user WHERE User='';
FLUSH PRIVILEGES;
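As an added example (not from the original page), the following statements audit the anonymous accounts and the default grants on the test database and remove both, using DROP USER rather than editing mysql.user directly. The host name 'dbhost' stands for the server's own host name and is an assumption; the default grant rows described in the comments are those shipped by pre-5.7 installations.

```sql
-- Added example, not part of the original page.
-- Assumption: 'dbhost' is the server's own host name, for which older
-- installations create a second anonymous account next to ''@'localhost'.

-- 1. Anonymous accounts: every row with an empty User is one.
SELECT User, Host, Select_priv, Insert_priv
  FROM mysql.user
 WHERE User = '';

-- 2. Database grants that apply to any user. In mysql.db an empty User means
--    "any user"; older installations ship such rows for Db = 'test' and
--    'test\_%' with Host = '%'.
SELECT Host, Db, User, Select_priv, Insert_priv, Create_priv
  FROM mysql.db
 WHERE User = '';

-- 3. Drop each anonymous account returned by step 1. DROP USER removes the
--    account's rows from all grant tables and takes effect without
--    FLUSH PRIVILEGES. The user name is the empty string, quoted.
DROP USER ''@'localhost';
DROP USER ''@'dbhost';

-- 4. The test-database rows are not attached to any account (Host = '%',
--    User = ''), so DROP USER leaves them in place: remove them directly and
--    drop the database itself. 'test\\_%' is the literal value test\_%.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE User = '' AND Db IN ('test', 'test\\_%');
FLUSH PRIVILEGES;

-- 5. Check: both queries should now return an empty set.
SELECT User, Host FROM mysql.user WHERE User = '';
SELECT Host, Db   FROM mysql.db   WHERE User = '';
```

Run the two audit queries before dropping anything: a DROP USER for a host that does not exist fails, and a DELETE with LIKE 'test%' (as sometimes suggested) would also remove grants on legitimate databases whose names happen to start with test.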

Comments
Running the command "mysql_secure_installation" allows the following to be set:

Set root password?
Remove anonymous users?
Disallow root login remotely?
Remove test database and access to it?
Reload privilege tables now?
Posted by: dentonj | 2007-09-12 05:39