Your message dated Sat, 23 Apr 2005 17:02:14 -0400 with message-id <[EMAIL PROTECTED]> and subject line Bug#301741: fixed in mysql-dfsg-4.1 4.1.11-2 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Hilko Bengen <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: mysql-server: Wildcard accounts lead to unnecessary confusion
Date: Mon, 28 Mar 2005 03:30:29 +0200

Package: mysql-server
Version: 4.0.24-3
Severity: important

This is the state the MySQL user database is in after a fresh install.

mysql> select Host, User, Password from user;
+-----------+------------------+------------------+
| Host      | User             | Password         |
+-----------+------------------+------------------+
| localhost | root             |                  |
| ataraxia  | root             |                  |
| localhost |                  |                  |
| ataraxia  |                  |                  |
| localhost | debian-sys-maint | 574952o84q75o3r8 |
+-----------+------------------+------------------+
6 rows in set (0.00 sec)

I then used phpMyAdmin to create a database and a user which I granted
access to the database. As can be seen below, a password has been set
for the user.

mysql> select Host, User, Password from user where User='bengen';
+------+--------+------------------+
| Host | User   | Password         |
+------+--------+------------------+
| %    | bengen | 4655p05o05s11sno |
+------+--------+------------------+
1 row in set (0.00 sec)

However, trying to access the database by specifying this user and
entering the password, this gives me the following error:

[EMAIL PROTECTED]: $ mysql -u bengen bengen -p
Enter password:
ERROR 1045: Access denied for user: '[EMAIL PROTECTED]' (Using password: YES)

I then changed the Host field of my newly created user and tried again:

mysql> update user set Host='localhost' where User='bengen';
Query OK, 1 row affected (0.00 sec)

Voila! After reloading the privileges, I was granted access to my
database.

It appears to me as if a host entry with wildcard user was checked
before a user entry with a wildcard host. This might make perfect
sense, but I fail to see the reason why the two wildcard users are
there in the first place.

They might not be a security risk, as they don't have any privileges
associated with them. But they will surely lead to confusion in cases
where the DBA wants to set up username/password pairs as the only
means of access control.

Please consider removing the two wildcard accounts from the default
installation.

Thanks,
-Hilko

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages mysql-server depends on:
ii  adduser           3.63                     Add and remove users and groups
ii  debconf           1.4.46                   Debian configuration management sy
ii  gawk              1:3.1.4-2                GNU awk, a pattern scanning and pr
ii  libc6             2.3.2.ds1-20             GNU C Library: Shared libraries an
ii  libdbi-perl       1.46-6                   Perl5 database interface by Tim Bu
ii  libmysqlclient12  4.0.24-3                 mysql database client library
ii  libstdc++5        1:3.3.5-12               The GNU Standard C++ Library v3
ii  libwrap0          7.6.dbs-8                Wietse Venema's TCP wrappers libra
ii  mailx             1:8.1.2-0.20040524cvs-4  A simple mail user agent
ii  mysql-client      4.0.24-3                 mysql database client binaries
ii  mysql-common      4.0.24-3                 mysql database common files (e.g.
ii  passwd            1:4.0.3-31sarge1         change and administer password and
ii  perl              5.8.4-8                  Larry Wall's Practical Extraction
ii  psmisc            21.6-1                   Utilities that use the proc filesy
ii  zlib1g            1:1.2.2-4                compression library - runtime

-- debconf information:
  mysql-server/really_downgrade_from_41: false
  mysql-server/start_on_boot: true
  mysql-server/postrm_remove_databases: false
* mysql-server/mysql_install_db_notes:
  mysql-server/nis_warning:
  mysql-server/mysql_update_hints1:

---------------------------------------
From: Christian Hammers <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#301741: fixed in mysql-dfsg-4.1 4.1.11-2
Date: Sat, 23 Apr 2005 17:02:14 -0400

Source: mysql-dfsg-4.1
Source-Version: 4.1.11-2

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-4.1, which is due to be installed in the Debian FTP archive:

libmysqlclient14-dev_4.1.11-2_i386.deb
  to pool/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11-2_i386.deb
libmysqlclient14_4.1.11-2_i386.deb
  to pool/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11-2_i386.deb
mysql-client-4.1_4.1.11-2_i386.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11-2_i386.deb
mysql-common-4.1_4.1.11-2_all.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11-2_all.deb
mysql-dfsg-4.1_4.1.11-2.diff.gz
  to pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11-2.diff.gz
mysql-dfsg-4.1_4.1.11-2.dsc
  to pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11-2.dsc
mysql-server-4.1_4.1.11-2_i386.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11-2_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <[EMAIL PROTECTED]> (supplier of updated mysql-dfsg-4.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Sat, 16 Apr 2005 15:55:00 +0200
Source: mysql-dfsg-4.1
Binary: libmysqlclient14-dev mysql-common-4.1 libmysqlclient14 mysql-server-4.1 mysql-client-4.1
Architecture: source i386 all
Version: 4.1.11-2
Distribution: unstable
Urgency: low
Maintainer: Christian Hammers <[EMAIL PROTECTED]>
Changed-By: Christian Hammers <[EMAIL PROTECTED]>
Description:
 libmysqlclient14 - mysql database client library
 libmysqlclient14-dev - mysql database development files
 mysql-client-4.1 - mysql database client binaries
 mysql-common-4.1 - mysql database common files (e.g. /etc/mysql/my.cnf)
 mysql-server-4.1 - mysql database server binaries
Closes: 301741 304897
Changes:
 mysql-dfsg-4.1 (4.1.11-2) unstable; urgency=low
 .
   * Sean Finney:
     - don't freak out if we can't remove /etc/mysql during purge.
     - debian/rules clean works again.
   * Christian Hammers:
     - Fixed typo in README.Debian (thanks to Joerg Rieger). Closes: #304897
     - Completely removed the passwordless test user as it was not only
       insecure but also lead to irritations as MySQL checks first the
       permissions of this user and then those of a password having one.
       See bug report from Hilko Bengen for details. Closes: #301741
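
The account-selection order that the report and the changelog describe, as an added example that is not part of the original thread: MySQL sorts the user table with the most specific Host first and, for the same Host, a named User before the blank (anonymous) one, then uses the first row that matches the connection. The sketch below is a simplified model of that rule, not MySQL code; the rows are constructed from the tables in the report, the credential check is reduced to "password set" versus "password sent", and `host_rank`, `select_account` and `login` are hypothetical helper names.

```python
import fnmatch

# Rows (Host, User, has_password) constructed from the tables in the report.
USER_TABLE = [
    ("localhost", "root", False),
    ("ataraxia", "root", False),
    ("localhost", "", False),        # anonymous account
    ("ataraxia", "", False),         # anonymous account
    ("localhost", "debian-sys-maint", True),
    ("%", "bengen", True),           # the account created via phpMyAdmin
]

def host_rank(host):
    """Sort key: literal hosts first, then patterns with the longest literal prefix."""
    wild = [i for i, ch in enumerate(host) if ch in "%_"]
    return (0, 0) if not wild else (1, -wild[0])

def sort_rows(rows):
    # Most specific Host first; for equal rank, a named User before the blank one.
    return sorted(rows, key=lambda r: (host_rank(r[0]), r[1] == ""))

def host_matches(pattern, client_host):
    # Map SQL LIKE wildcards to fnmatch (assumption: no '[' in host patterns).
    glob = pattern.replace("%", "*").replace("_", "?")
    return fnmatch.fnmatchcase(client_host.lower(), glob.lower())

def select_account(rows, client_host, client_user):
    """Return the first row, in sorted order, that matches host and user."""
    for host, user, has_pw in sort_rows(rows):
        if host_matches(host, client_host) and user in ("", client_user):
            return (host, user, has_pw)
    return None

def login(rows, client_host, client_user, sent_password):
    """Simplified check: a sent password is assumed correct if the row has one."""
    row = select_account(rows, client_host, client_user)
    if row is None:
        return "denied: no matching row"
    host, user, has_pw = row
    verdict = "ok" if has_pw == sent_password else "denied"
    return f"{verdict}: matched '{user}'@'{host}'"

if __name__ == "__main__":
    print(login(USER_TABLE, "localhost", "bengen", True))   # anonymous row wins
    no_anon = [r for r in USER_TABLE if r[1] != ""]
    print(login(no_anon, "localhost", "bengen", True))      # 'bengen'@'%' is used
```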