hey, thanks for your replies and patience. i appreciate your help!

Christian Hammers wrote:

> > select * from [mysql.]user ; shows that www-data does
> > have select/insert/update/delete permissions; besides 'user'
> > only the 'db' table contains records (for the test set, i see).
> ...
> > i output debug stuff to a log file:
> > [Mon May 8 13:54:22 2000] null: DBI->connect failed:
> > Access denied for user: '@localhost' to database 'will'
> > at /usr/local/lib/site_perl/Stonehenge/DBILog.pm line 87
> > DSN=dbi:mysql:will; DB_AUTH=www-data
>
> It seems that you're taking the wrong approach to access control.
> I would probably always have the following style:
>
> mysql.user:
> localhost | www-data | mypassword | N N N N N N N N N N
> mysql.db:
> localhost | www-data | Y Y Y Y N N N N
>
> i.e. in user I define the user, password and the host from which the user is
> allowed to come. all perms to N.
> in db I define the permissions for a specific db.
> You can set host to localhost or % if you don't take network security
> very high.
how does that work with the 'grant' syntax? i presume we're leaning towards
using the grant syntax and away from tweaking the privs directly?

> grant insert,select,delete,update on db.* to user ;

looks right to me...?

i thought that mentioning a DB in the DB table would restrict access, not
provide it... meaning, if a database is NOT mentioned, then all access is
allowed, and mentioning a database restricts such access; as opposed to, if a
database is NOT mentioned, then all access is forbidden, until specific
permissions are added by specific mention. no?

> > note that "user: '@localhost'" doesn't have a username?
> Maybe it means that *everybody* at localhost is denied?

it only does that with user 'www-data'. as 'will' i get '[EMAIL PROTECTED]'
but 'www-data' gets '@localhost'. odd.

> > Database changed
> > mysql> select * from user where user='www-data';
> ...
> > how do i find the catch? what permission is missing?
> what does "select * from db" say?

only the 'test' and 'test\_%' records were in there (all perms YES except for
grant; host='%' and user=''). and 'test' is the only DB that mysql would let
me connect to, as www-data...

then, for fun, i tried

> grant all privileges on *.* to 'www-data' ;
> -- doesn't affect 'db', just 'user'... so,
> grant all privileges on will.* to 'www-data' ;
> -- now i also opened up 'db' wide, for 'www-data', right?

but i still couldn't connect to anything but database 'test', as user
'www-data'.

user= ('%','www-data','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','N','Y','Y','Y');
db= ('%','will','www-data','Y','Y','Y','Y','Y','Y','N','Y','Y','Y');

c'mon, now, there must be something that's keeping 'www-data' out, but
letting 'will' in. aaugh!
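The whole exchange turns on which mysql.user row actually governs the www-data connection, so here is an added Python model of the documented matching order (it is an illustration written for this thread, not code from the thread, from Stonehenge or from MySQL itself). MySQL sorts mysql.user so that the most specific Host value comes first (a literal host before a wildcard pattern, '%' last) and, within a host, a named user before the blank anonymous user; the first matching row fixes the identity that later error messages report and the password that must be supplied, and mysql.db is then searched for that identity. The rows below are constructed to mirror the thread; the anonymous ''@localhost row, which default installs of that era created, is an assumption, as are the 'will' rows and the password values.

```python
"""Toy model of MySQL grant-table matching (mysql.user, then mysql.db).
Added illustration only; rows are constructed, not taken from a real server."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UserRow:
    host: str
    user: str       # '' is the anonymous user and matches any user name
    password: str


@dataclass(frozen=True)
class DbRow:
    host: str
    db: str         # LIKE-style pattern, e.g. 'test\\_%'
    user: str       # '' matches any user name


def like_match(pattern: str, value: str) -> bool:
    """MySQL LIKE semantics: '%' any run, '_' one char, backslash escapes."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if c == "%" else "." if c == "_" else re.escape(c))
        i += 1
    return re.fullmatch("".join(out), value, re.IGNORECASE) is not None


def host_rank(pattern: str) -> int:
    """Lower sorts first: literal host, then wildcard pattern, then bare '%'."""
    if pattern == "%":
        return 2
    return 1 if ("%" in pattern or "_" in pattern) else 0


def user_rank(user: str) -> int:
    """A named user beats the blank anonymous user at equal host specificity."""
    return 1 if user == "" else 0


def pick_user_row(rows, host, user):
    """First row in MySQL's sort order whose Host and User match the client."""
    ordered = sorted(rows, key=lambda r: (host_rank(r.host), user_rank(r.user)))
    for r in ordered:
        if like_match(r.host, host) and r.user in ("", user):
            return r
    return None


def pick_db_row(rows, host, db, effective_user):
    """Same idea for mysql.db, using the identity the user table assigned."""
    ordered = sorted(rows, key=lambda r: (host_rank(r.host), user_rank(r.user)))
    for r in ordered:
        if like_match(r.host, host) and like_match(r.db, db) \
                and r.user in ("", effective_user):
            return r
    return None


def connect(user_rows, db_rows, host, user, password, db):
    """Return (identity MySQL reports, outcome) for a connection attempt."""
    row = pick_user_row(user_rows, host, user)
    if row is None or row.password != password:
        return f"{user}@{host}", "denied: bad credentials"
    identity = f"{row.user}@{host}"            # anonymous row -> '@localhost'
    if pick_db_row(db_rows, host, db, row.user) is None:
        return identity, f"denied: no grant on {db}"
    return identity, "ok"


def without_anonymous(rows):
    """The least-privilege fix: drop blank-user rows so the app user's own
    row is the one that matches (create 'www-data'@'localhost' instead if
    the app user must be pinned to one host)."""
    return [r for r in rows if r.user != ""]


# Constructed grant tables mirroring the thread (passwords are made up).
USERS = [
    UserRow("localhost", "", ""),            # anonymous row, assumed present
    UserRow("%", "www-data", ""),            # thread: ('%','www-data','',...)
    UserRow("localhost", "will", "willpw"),  # assumed
]
DBS = [
    DbRow("%", "test", ""),                  # thread: test / test\_% for user ''
    DbRow("%", "test\\_%", ""),
    DbRow("%", "will", "www-data"),          # thread: ('%','will','www-data',...)
    DbRow("localhost", "will", "will"),      # assumed
]

if __name__ == "__main__":
    print(connect(USERS, DBS, "localhost", "www-data", "", "will"))
    print(connect(USERS, DBS, "localhost", "www-data", "", "test"))
    print(connect(USERS, DBS, "localhost", "will", "willpw", "will"))
    print(connect(without_anonymous(USERS), DBS, "localhost", "www-data", "", "will"))
```

With the anonymous row present, www-data connecting from localhost is matched by ''@localhost (a literal host outranks the '%' in the www-data row), so MySQL reports the identity as '@localhost', and that identity only has mysql.db rows for test and test\_%; removing the anonymous row lets the www-data row match and the will grant apply. Two practical checks when diagnosing this for real: look for blank User values in mysql.user, and remember that rows edited directly with INSERT/UPDATE are not read by the server until FLUSH PRIVILEGES, whereas GRANT reloads them itself.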