Hi Michael,
I wrote:
>>> > I'm trying to upgrade DBD::mysql and having trouble with the anonymous
>>> > user for the test database. When I run the install the tests fail
Michael Stassen wrote a very helpful explanation (snipped), which helped
me to pinpoint the concept I'd misunderstood (I wrongly thought that a
client can specifically ask for access as an anonymous user).
Michael, thanks very much for taking the time and trouble to provide me
with this explanation.
> The anonymous user is described in several places in the manual. I'd
> start with <http://dev.mysql.com/doc/mysql/en/default-privileges.html>.
> Note that page recommends "If you want to prevent clients from
> connecting as anonymous users without a password, you should either
> assign passwords to the anonymous accounts or else remove them." You
> can search the manual on 'anonymous' to see all the references.
Yes, there is information scattered throughout the manual :) Now that I
already understand how it works, I can interpret that information!
Another key sentence for me that I now see clearly after your
explanation is this from the C API docs:
"The user parameter contains the user's MySQL login ID. If user is NULL
or the empty string "", the current user is assumed. Under Unix, this is
the current login name. Under Windows ODBC, the current username must be
specified explicitly."
I guess this also applies to the Perl interface.
It would be nice if there was a single place that collected all the
scraps of information together.
> The tests must be able to write to the test db. A relatively trivial
> denial of service attack would be to connect to your mysql server as the
> default test user and write to the test db till your disk was full.
> Having a standardized test user and password known to all, with the
> assumption that it would remain in place for testing, would be a big
> security problem. What we really need is a simpler way to specify the
> test user and password to use for testing, one that works in CPAN as
> well. Perhaps a prompt...
OK, I don't know enough to have a view. Perhaps naively, I've been
taking the view that since these accounts are only accessible from the
local host, I don't much care. If they've got through our firewalls and
managed to get a login account on my server, I'd be worried about lots
of other things as well as mysql data. And it's not terribly interesting
or valuable data except perhaps to a few biologists.
Thanks again,
Dave
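
The point discussed in this message, that a client cannot request the anonymous account but is matched to it by the server, shown as an added example that is not part of the original e-mail or of MySQL's code. It is a simplified model of the manual's connection-verification ordering (most-specific Host first, then named users before the blank user); the grant rows, host names and function names are constructed for illustration.

```python
import re

# Constructed sample grant rows: (Host, User, has_password)
SAMPLE_USER_TABLE = [
    ("%",         "dave", True),
    ("localhost", "root", True),
    ("localhost", "",     False),   # anonymous account without a password
]

def host_rank(host):
    """Lower sorts first: literal host, wildcard pattern, '%', then ''."""
    if host == "":
        return 3
    if host == "%":
        return 2
    return 1 if ("%" in host or "_" in host) else 0

def sorted_rows(table):
    # Most-specific Host first; within one Host, named users before blank.
    return sorted(table, key=lambda row: (host_rank(row[0]), row[1] == ""))

def host_matches(pattern, host):
    if pattern == "":
        return True
    # Translate SQL wildcards (% and _) into a regular expression.
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def effective_user(requested, os_login):
    # C API text quoted above: NULL or "" means the current login name (Unix).
    return requested or os_login

def match_account(table, client_host, requested_user, os_login):
    """Return the first sorted row that matches, or None if access is denied."""
    user = effective_user(requested_user, os_login)
    for host, acct_user, has_password in sorted_rows(table):
        # A blank User column matches any client user name.
        if host_matches(host, client_host) and acct_user in ("", user):
            return (host, acct_user, has_password)
    return None

def passwordless_anonymous(table):
    """Rows the manual says to give a password or remove."""
    return [(h, u) for h, u, has_pw in table if u == "" and not has_pw]

if __name__ == "__main__":
    print(match_account(SAMPLE_USER_TABLE, "localhost", "", "dave"))
    print(passwordless_anonymous(SAMPLE_USER_TABLE))
```

With these rows, a local client named dave lands on the anonymous `localhost` row rather than on `dave@%`, because the more specific Host sorts first.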