List:General Discussion« Previous MessageNext Message »
From:Paul DuBois Date:December 31 1999 5:03pm
Subject:Re: questions about privileges
View as plain text  
At 5:48 AM +0000 1999-12-31, hypnos wrote:
>i run mysql on a lan which isn't accessible to the
>outside world, so i wasn't too worried about the
>security of the mysql server, but i figured i better
>learn, so i have a few questions.
>first, in mysql.user table, i have a user (besides
>root) which has all privileges set to 'Y'.  i also
>have a database i just created which only one mysql
>user should have any access to, so in mysql.db i
>added an entry such as Host = 'localhost', Db = the
>database name, and User = the user mentioned above
>(with all privileges set to 'Y'), and the db entry
>has all fields set to 'N', which i thought would
>override the above settings and not allow the user
>to access the database.

That is incorrect.  Privileges specified in the user
table are global (see the manual) and apply to all
databases.  In other words, user table privileges
are superuser privileges.  Normally you don't turn on
any privileges in the user table except for superusers
like root.  For normal users, leave user table privileges
turned off and grant database-specific privileges in the
db table.

>i started the mysql client, logging in as the user
>which should not have access to the database. i was
>able to switch to the database and create a table,
>which should not be allowed.
>so first question is, is it not possible to override
>the global settings on an individual database basis?

No.  That's why global privileges are called global.

>second question is, would a better way to do it be
>to set all global privileges to 'N' and then add
>entries in mysql.db to allow access to the databases
>that i want that user to have access to?

See above.  Also read chapter 6 in the MySQL Reference

Paul DuBois, paul@stripped
questions about privilegeshypnos31 Dec
  • Re: questions about privilegessinisa31 Dec
  • Re: questions about privilegesPaul DuBois31 Dec