Your message dated Sat, 23 Apr 2005 17:02:14 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#301741: fixed in mysql-dfsg-4.1 4.1.11-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Hilko Bengen <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: mysql-server: Wildcard accounts lead to unnecessary confusion
X-Debbugs-CC: Hilko Bengen <[EMAIL PROTECTED]>
Date: Mon, 28 Mar 2005 03:30:29 +0200
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Package: mysql-server
Version: 4.0.24-3
Severity: important

This is the state the MySQL user database is in after a fresh install.

mysql> select Host, User, Password from user;
+-----------+------------------+------------------+
| Host      | User             | Password         |
+-----------+------------------+------------------+
| localhost | root             |                  |
| ataraxia  | root             |                  |
| localhost |                  |                  |
| ataraxia  |                  |                  |
| localhost | debian-sys-maint | 574952o84q75o3r8 |
+-----------+------------------+------------------+
6 rows in set (0.00 sec)

I then used phpMyAdmin to create a database and a user which I granted
access to the database. As can be seen below, a password has been set
for the user.

mysql> select Host, User, Password from user where User='bengen';
+------+--------+------------------+
| Host | User   | Password         |
+------+--------+------------------+
| %    | bengen | 4655p05o05s11sno |
+------+--------+------------------+
1 row in set (0.00 sec)

However, trying to access the database by specifying this user and
entering the password gives me the following error:

[EMAIL PROTECTED]: $ mysql -u bengen bengen -p
Enter password:
ERROR 1045: Access denied for user: '[EMAIL PROTECTED]' (Using password: YES)

I then changed the Host field of my newly created user and tried
again:

mysql> update user set Host='localhost' where User='bengen';
Query OK, 1 row affected (0.00 sec)

Voila! After reloading the privileges, I was granted access to my
database.

It appears to me as if a host entry with wildcard user was checked
before a user entry with a wildcard host. This might make perfect
sense, but I fail to see the reason why the two wildcard users are
there in the first place. 

They might not be a security risk, as they don't have any privileges
associated with them. But they will surely lead to confusion in cases
where the DBA wants to set up username/password pairs as the only
means of access control.

Please consider removing the two wildcard accounts from the default
installation.

Thanks,
-Hilko

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages mysql-server depends on:
ii  adduser          3.63                    Add and remove users and groups
ii  debconf          1.4.46                  Debian configuration management sy
ii  gawk             1:3.1.4-2               GNU awk, a pattern scanning and pr
ii  libc6            2.3.2.ds1-20            GNU C Library: Shared libraries an
ii  libdbi-perl      1.46-6                  Perl5 database interface by Tim Bu
ii  libmysqlclient12 4.0.24-3                mysql database client library
ii  libstdc++5       1:3.3.5-12              The GNU Standard C++ Library v3
ii  libwrap0         7.6.dbs-8               Wietse Venema's TCP wrappers libra
ii  mailx            1:8.1.2-0.20040524cvs-4 A simple mail user agent
ii  mysql-client     4.0.24-3                mysql database client binaries
ii  mysql-common     4.0.24-3                mysql database common files (e.g. 
ii  passwd           1:4.0.3-31sarge1        change and administer password and
ii  perl             5.8.4-8                 Larry Wall's Practical Extraction 
ii  psmisc           21.6-1                  Utilities that use the proc filesy
ii  zlib1g           1:1.2.2-4               compression library - runtime

-- debconf information:
  mysql-server/really_downgrade_from_41: false
  mysql-server/start_on_boot: true
  mysql-server/postrm_remove_databases: false
* mysql-server/mysql_install_db_notes:
  mysql-server/nis_warning:
  mysql-server/mysql_update_hints1:

---------------------------------------
From: Christian Hammers <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#301741: fixed in mysql-dfsg-4.1 4.1.11-2
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sat, 23 Apr 2005 17:02:14 -0400

Source: mysql-dfsg-4.1
Source-Version: 4.1.11-2

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-4.1, which is due to be installed in the Debian FTP archive:

libmysqlclient14-dev_4.1.11-2_i386.deb
  to pool/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11-2_i386.deb
libmysqlclient14_4.1.11-2_i386.deb
  to pool/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11-2_i386.deb
mysql-client-4.1_4.1.11-2_i386.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11-2_i386.deb
mysql-common-4.1_4.1.11-2_all.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11-2_all.deb
mysql-dfsg-4.1_4.1.11-2.diff.gz
  to pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11-2.diff.gz
mysql-dfsg-4.1_4.1.11-2.dsc
  to pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11-2.dsc
mysql-server-4.1_4.1.11-2_i386.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <[EMAIL PROTECTED]> (supplier of updated mysql-dfsg-4.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 16 Apr 2005 15:55:00 +0200
Source: mysql-dfsg-4.1
Binary: libmysqlclient14-dev mysql-common-4.1 libmysqlclient14 mysql-server-4.1 
mysql-client-4.1
Architecture: source i386 all
Version: 4.1.11-2
Distribution: unstable
Urgency: low
Maintainer: Christian Hammers <[EMAIL PROTECTED]>
Changed-By: Christian Hammers <[EMAIL PROTECTED]>
Description: 
 libmysqlclient14 - mysql database client library
 libmysqlclient14-dev - mysql database development files
 mysql-client-4.1 - mysql database client binaries
 mysql-common-4.1 - mysql database common files (e.g. /etc/mysql/my.cnf)
 mysql-server-4.1 - mysql database server binaries
Closes: 301741 304897
Changes: 
 mysql-dfsg-4.1 (4.1.11-2) unstable; urgency=low
 .
   * Sean Finney:
     - don't freak out if we can't remove /etc/mysql during purge.
     - debian/rules clean works again.
   * Christian Hammers:
     - Fixed typo in README.Debian (thanks to Joerg Rieger). Closes: #304897
     - Completely removed the passwordless test user as it was not only
       insecure but also lead to irritations as MySQL checks first the
       permissions of this user and then those of a password having one.
       See bug report from Hilko Bengen for details. Closes: #301741
Files: 
 be7a56a96e31893802038fc198eb49eb 1014 misc optional mysql-dfsg-4.1_4.1.11-2.dsc
 b6d201254357db0f7956e48a0c65a0f8 159088 misc optional 
mysql-dfsg-4.1_4.1.11-2.diff.gz
 79bef1f028fd6459293068cbcf84a066 34452 misc optional 
mysql-common-4.1_4.1.11-2_all.deb
 e053264d3f37b642d10eca64a1cd0a5e 1415596 libs optional 
libmysqlclient14_4.1.11-2_i386.deb
 517f159743594e5aab85ff2940f16424 5640552 libdevel optional 
libmysqlclient14-dev_4.1.11-2_i386.deb
 f11948ea1d8bbddb89eefe2e4b56953a 828298 misc optional 
mysql-client-4.1_4.1.11-2_i386.deb
 aad81a658fb1af218a233762c94c5f2f 14552268 misc optional 
mysql-server-4.1_4.1.11-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iEYEARECAAYFAkJqtPIACgkQkR9K5oahGObv1gCfbzseTNw2qvSLZizLZrpjCRhF
2h4AnikTilG3AU4Qz3hUX6RNDZjUxvPY
=XzSU
-----END PGP SIGNATURE-----
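
The matching order behind this report, as an added example that is not part of the original messages or of MySQL's own code: a simplified Python model of the documented rule that the server sorts the user table with the most specific Host first, then named users before blank ones, and authenticates against the first row that matches. The function names and the has_password flag are assumptions of this sketch; the rows are the ones shown in the report, with hash values left out.

```python
import re

# Rows from the report's fresh-install table plus the phpMyAdmin-created
# account, as (Host, User, has_password). Hash values are omitted.
USER_TABLE = [
    ("localhost", "root", False),
    ("ataraxia", "root", False),
    ("localhost", "", False),
    ("ataraxia", "", False),
    ("localhost", "debian-sys-maint", True),
    ("%", "bengen", True),
]

def _host_rank(host):
    # Simplified ordering: literal hosts, then patterns, then a bare '%'.
    if host == "%":
        return 2
    return 1 if ("%" in host or "_" in host) else 0

def _host_matches(pattern, client_host):
    # '%' matches any run of characters, '_' exactly one (as in LIKE).
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, client_host, re.IGNORECASE) is not None

def sorted_rows(rows):
    # Most specific Host first; within a Host rank, named users before blank.
    return sorted(rows, key=lambda r: (_host_rank(r[0]), r[1] == ""))

def matching_row(rows, client_host, client_user):
    # The FIRST sorted row that matches wins; a blank User matches any name.
    for host, user, has_pw in sorted_rows(rows):
        if _host_matches(host, client_host) and user in ("", client_user):
            return host, user, has_pw
    return None

def authenticate(rows, client_host, client_user, gave_password):
    row = matching_row(rows, client_host, client_user)
    if row is None:
        return "denied: no matching row"
    host, user, has_pw = row
    # Assumption: a supplied password is correct for a row that has one,
    # and any password sent against a passwordless row is rejected.
    verdict = "ok" if has_pw == gave_password else "denied"
    return f"{verdict}: matched '{user}'@'{host}'"

def without_anonymous(rows):
    # The packaging fix: drop the rows whose User is blank.
    return [r for r in rows if r[1] != ""]
```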

