At 7:54 PM -0400 2000-04-03, Thimble Smith wrote:
>On Mon, Apr 03, 2000 at 07:02:42PM -0400, David R. Saunders wrote:
>>NOTE: any user you give FILE privilege to will be
>>able to read your databases directly, as well
>>as a password in ~/.my.cnf file you create, regardless
>>of what user you run as.
>If I understand what you're writing here, it's not correct. How
>does this sound?

It's correct for the mysql user that David was asking about
originally. (Where ~/.my.cnf = ~mysql/.my.cnf) It's not true
for other users -- or at least it *shouldn't* be; those users
should have their file set to mode 400 or 600.

> NOTE: any MySQL user with FILE privileges will be able to read
> and write to the same files as this user. This includes all of
> the actual database files. Please see the `Privileges Provided'
> section of the manual for more information on the FILE privilege.

You can only read those files. You can't overwrite existing files,
even with the FILE privilege.

>Notice that users with FILE privs can NOT read .my.cnf files. Those
>are read by the *client*, which does not run as the mysqld user. The
>mysqld server can not read .my.cnf files, so neither can anyone with
>>Near the details describing ~/.my.cnf syntax,
>>NOTE: any mysql user account with FILE privilege
>>will be able to read the contents of this file,
>>if it is owned by the mysql daemon's UID.
>Yes, but why would you ever make the .my.cnf file owned by the
>mysqld daemon's user? That's not at all necessary. It's not

So that you can log in as that user and run client programs without
having to type in the password all the time.

Paul DuBois, paul@stripped
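
Added example, not part of the original message: a small audit that flags the two conditions discussed in this thread for an option file, namely a mode other than 400/600 and ownership by the mysqld daemon's UID. The function names and the sample file are constructed for illustration, and the daemon's UID is assumed to be supplied by the caller.

```python
import os
import stat
import tempfile

def audit_option_file(path, mysqld_uid):
    """Return findings for one client option file such as ~/.my.cnf.

    mysqld_uid: UID the server daemon runs as (assumed known to the caller).
    """
    st = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    # Thread's recommendation: mode 400 or 600, so no group/other bits at all.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %03o grants group/other access; use 400 or 600" % mode)
    # Thread's caveat: a file owned by the daemon's UID is exposed to any
    # MySQL account that holds the FILE privilege.
    if st.st_uid == mysqld_uid:
        findings.append("owned by the mysqld UID; exposed to FILE-privilege accounts")
    return findings

def contains_password(path):
    """True if the file sets a password option; the value is never returned."""
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            if line.split("=", 1)[0].strip().lower() == "password":
                return True
    return False

if __name__ == "__main__":
    # Constructed sample file, written to a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".my.cnf")
        with open(path, "w") as fh:
            fh.write("[client]\npassword=constructed-example\n")
        os.chmod(path, 0o644)
        me = os.getuid()
        print(contains_password(path), audit_option_file(path, mysqld_uid=me))
        os.chmod(path, 0o600)
        print(audit_option_file(path, mysqld_uid=me + 1))
```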