| List: | General Discussion |
| From: | Michael Widenius | Date: | January 11 2000 4:52pm |
| Subject: | Re: Any user with 'grant' privilege can change root's password in 3.22.27? | ||
>>>>> "Van" == Van <vanboers@stripped> writes:

Van> Michael Widenius wrote:
>> Hi!
>>
>> A normal user should of course never be able to set the password for
>> root; My last patch fixes this.
>>
>> Regards,
>> Monty
>>

Van> Monty,
Van> Sorry to have caught this thread so late in the day, but, for
Van> clarification: which patches apply to this fix? 3.22.28 and 3.23.27?
Van> or 3.22.29 and 3.23.28? The main reason I'm asking is I've got a couple
Van> servers I'm keeping installed with the stable tree due to
Van> perception-management issues and the rest have 3.23.27 from the alpha
Van> tree.

The patch should work on most recent MySQL 3.22 and 3.23 versions.
If you can't apply it, just clear the grant_priv flag for everyone
except root.

Van> Due to the nature of the behavior described in this thread and the
Van> implications on security, it would seem appropriate to ensure it is
Van> clear to any dbadmins using either of the stable or alpha tree at which
Van> point this behavior is "fixed."

It will be fixed in 3.22.30 and 3.23.10; both will be released this week.

Van> While I don't allow grant option to any other users besides bona-fide
Van> admins, I would certainly want to know specifically which version
Van> implements this patch and document this well.
Van> Hope that wasn't as unclear as it looks, but, it appears to be a very
Van> important patch. Sorry, if I made more work for you. >:)

Regards,
Monty
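
The workaround mentioned above (clearing the grant_priv flag for everyone except root), written out as an added example that is not part of the original message. It assumes the flag is the Grant_priv column of the mysql.user grant table; also clearing it in mysql.db goes beyond what the message states and is an assumption.

```sql
-- Added example, not from the original thread.
-- Assumption: the "grant_priv flag" is the Grant_priv column in mysql.user;
-- the mysql.db statements cover per-database grants and are an extension.

-- 1. Audit before changing anything: who holds the global grant privilege?
SELECT Host, User FROM mysql.user WHERE Grant_priv = 'Y';

-- 2. Audit per-database grant privilege as well.
SELECT Host, Db, User FROM mysql.db WHERE Grant_priv = 'Y';

-- 3. Clear the flag for every account except root.
UPDATE mysql.user SET Grant_priv = 'N' WHERE User <> 'root';
UPDATE mysql.db   SET Grant_priv = 'N' WHERE User <> 'root';

-- 4. Direct edits to the grant tables are not picked up until the
--    server reloads them.
FLUSH PRIVILEGES;

-- 5. Verify: only root rows should remain.
SELECT Host, User FROM mysql.user WHERE Grant_priv = 'Y';
SELECT Host, Db, User FROM mysql.db WHERE Grant_priv = 'Y';
```

Keep the output of steps 1 and 2 so the privilege can be restored to the intended administrators once the server is on a fixed release.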
