PengXiaoxun wrote:
I create a new account via the following statement:
CREATE USER 'monty'@'%' IDENTIFIED BY '123456';
Without any privileges granted, the user 'monty' can access the database 
information_schema via a remote host.
Why?
How can I create a new user without any privileges actually?


You need to complete your installation by removing the anonymous user accounts. This is described here in the Installation portion of our manual:
http://dev.mysql.com/doc/refman/5.1/en/default-privileges.html

Then issue the command
 SHOW GRANTS FOR 'monty'@'%';
http://dev.mysql.com/doc/refman/5.1/en/show-grants.html

If the only privilege this user has is 'USAGE' then the only privilege they have is the ability to authenticate with the MySQL instance. This is a 'no-privileges' account.
http://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html#priv_usage

Additional explanation of how MySQL security works is located in the following sections of Chapter 5 of the manual:
http://dev.mysql.com/doc/refman/5.1/en/security.html
http://dev.mysql.com/doc/refman/5.1/en/privilege-system.html
http://dev.mysql.com/doc/refman/5.1/en/user-account-management.html

--
Shawn Green
MySQL Principle Technical Support Engineer
Oracle USA, Inc.
Office: Blountville, TN

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/mysql?unsub=arch...@jab.org

Reply via email to