Hi!
>>>>> "Brian" == Brian Hacking <brian@stripped> writes:
Brian> NT 4.0 - service pack 6
Brian> Pentium 400/128 megs of RAM
Brian> mySQL 3.22.34 for win95/98
Brian> typical installation
Brian> mysqld-nt -install
Brian> (restart computer)
Brian> mysql
Brian> delete from mysql.user where user='';
Brian> create database test;
Brian> create table db.table(name char(40));
Brian> grant usage on db.* to test;
Brian> grant insert on db.table to test;
Brian> select from mysql.user;
Brian> select from mysql.db;
Brian> select from mysql.tables_priv;
Brian> quit
Brian> mysql -u test
Brian> status
Brian> insert into db.table values('test');
Brian> select * from db.table;
Brian> delete from db.table where name='test';
Brian> select * from db.table;
Brian> quit
Brian> The first three selects look ok.
Brian> The status shows user test.
Brian> The next select shows the user (which I shouldn't have rights to see).
Brian> The delete returns one column changed (which I shouldn't have rights to do).
Brian> The last select shows an empty table;
Brian> I was having troubles with 3.22.33 not letting me insert a user given this
Brian> scenario. I moved to 3.22.34 and now have too many privileges and can
Brian> reproduce it from the command line sequence shown above. Some of the lines
Brian> are unnecessary but I wanted to verify what was happening along the way...

The problem is that on Windows, by default, the anonymous user has full
access to all tables (as Windows users are mostly on single-user
machines, this is OK by default). When you do:

delete from mysql.user where user='';

you are removing the anonymous user from the db table but not from the
cached privileges that are in memory. As you haven't told mysqld to
read the new privileges, all tests you run after this will still
use the cached privileges.

Fix:
After "delete from mysql.user where user='';" do 'flush privileges'
or do mysqladmin flush-privileges before running mysql as the test
user.

Regards,
Monty
PS: I tested the above in MySQL 3.23 and it worked nicely.
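
The sequence from this thread with the privilege reload in place, as an added example that is not part of the original messages. The database `appdb` and table `names` are constructed names standing in for the poster's `db.table`; the account `test` and the statements come from the thread.

```sql
-- Added example, not from the original thread.
-- `appdb` and `names` are constructed names; `test` is the account used above.

-- Session 1: administrative account (plain "mysql" on the server).

-- List anonymous accounts (empty User column) before changing anything.
SELECT Host, User FROM mysql.user WHERE User = '';

-- Remove them. This edits the grant table on disk only; mysqld keeps
-- checking access against the copy it cached in memory at startup.
DELETE FROM mysql.user WHERE User = '';

-- Tell mysqld to re-read the grant tables so the delete takes effect.
-- Same effect from the shell: mysqladmin flush-privileges
FLUSH PRIVILEGES;

-- Check the table again now that the server has reloaded it.
SELECT Host, User FROM mysql.user WHERE User = '';

-- Set up the restricted account: connect-only on the database,
-- INSERT on the single table.
CREATE DATABASE appdb;
CREATE TABLE appdb.names (name CHAR(40));
GRANT USAGE ON appdb.* TO test;
GRANT INSERT ON appdb.names TO test;

-- Review what was actually recorded for the account.
SELECT * FROM mysql.user        WHERE User = 'test';
SELECT * FROM mysql.db          WHERE User = 'test';
SELECT * FROM mysql.tables_priv WHERE User = 'test';

-- Session 2: reconnect as the restricted account (mysql -u test).

-- INSERT is the only table privilege granted to test.
INSERT INTO appdb.names VALUES ('test');

-- SELECT and DELETE were never granted. If either of these succeeds,
-- the session is still being matched against stale cached privileges
-- or against an anonymous row that was not removed.
SELECT * FROM appdb.names;
DELETE FROM appdb.names WHERE name = 'test';
```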