
Re: MySQL vs user www-data
hey, thanks for your replies and patience. i appreciate your help!

Christian Hammers wrote:
> > select * from [mysql.]user ; shows that www-data does
> > have select/insert/update/delete permissions; besides 'user'
> > only the 'db' table contains records (for the test set, i see).
> ...
> > i output debug stuff to a log file:
> >       [Mon May  8 13:54:22 2000] null: DBI->connect failed:
> >       Access denied for user: '@localhost' to database 'will'
> >       at /usr/local/lib/site_perl/Stonehenge/DBILog.pm line 87
> >       DSN=dbi:mysql:will; DB_AUTH=www-data
> It seems that you're taking the wrong approach to access control.
> I always would probably have the following style:
> mysql.user:
>  localhost | www-data | mypassword | N N N N N N N N N N
> mysql.db:
>  localhost | www-data | Y Y Y Y N N N N
> 
> i.e. in user I define the user,password and the host from which user is
> allowed to come. all perms to N.
> in db I defined the permissions for a specific db.
> You can set host to localhost or % if you don't take network security
> very high.

how does that work with the 'grant' syntax? i presume we're leaning
towards using the grant syntax and away from tweaking the privs directly?
	> grant insert,select,delete,update on db.* to user ;
looks right to me...?

i thought that mentioning a DB in the DB table would restrict access,
not provide it... meaning, if a database is NOT mentioned, then all
access is allowed, and mentioning a database restricts such access;
as opposed to, if a database is NOT mentioned, then all access is
forbidden, until specific permissions are added by specific mention.
no?


> > note that "user: '@localhost'" doesn't have a username?
> Maybe it means that  *everybody* at localhost is denied?

it only does that with user 'www-data'. as 'will' i get 
'will@localhost' but 'www-data' gets '@localhost'. odd.


> >       Database changed
> >       mysql> select * from user where user='www-data';
> ...
> > how do i find the catch? what permission is missing?
> what does "select * from db" say?

only the 'test' and 'test\_%' records were in there (all perms
YES except for grant; host='%' and user=''). and 'test' is the
only DB that mysql would let me connect to, as www-data...

then, for fun, i tried
	> grant all privileges on *.* to 'www-data' ;
	>	-- doesn't affect 'db', just 'user'... so,
	> grant all privileges on will.* to 'www-data' ;
	>	-- now i also opened up 'db' wide, for 'www-data', right?
but i still couldn't connect to anything but database 'test',
as user 'www-data'.

user=
('%','www-data','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','N','Y','Y','Y');
db=
('%','will','www-data','Y','Y','Y','Y','Y','Y','N','Y','Y','Y');

c'mon, now, there must be something that's keeping 'www-data' out,
but letting 'will' in. aaugh!
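The symptoms in this message (www-data shows up as '@localhost', all privilege columns set to Y yet only 'test' reachable) fit MySQL's documented row-matching rule, which this added example models; it is not code from the thread or from MySQL itself. MySQL sorts mysql.user by Host, most specific first, then by User with named users before the anonymous '', and uses the first row that matches; it assumes the default anonymous row ('localhost', '') is still present in mysql.user (the thread never lists it) and that 'will' has a row with Host='localhost' (also an assumption), and the rows are constructed from the values the thread does show.

```python
import re

# Rows constructed from the thread: (Host, User) from mysql.user and
# (Host, Db, User) from mysql.db. The ('localhost', '') anonymous row and
# the ('localhost', 'will') row are ASSUMPTIONS; the thread does not show them.
USER_ROWS = [("%", "www-data"), ("localhost", "will"), ("localhost", "")]
DB_ROWS = [("%", "will", "www-data"), ("%", "test", ""), ("%", "test\\_%", "")]

def like_match(pattern, value):
    """MySQL LIKE match for Host/Db: % = any run, _ = one char, backslash escapes."""
    regex, i = "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            regex += re.escape(pattern[i + 1])
            i += 2
            continue
        regex += ".*" if c == "%" else "." if c == "_" else re.escape(c)
        i += 1
    return re.fullmatch(regex, value) is not None

def host_rank(host):
    """Sort key: literal host before patterns, patterns before '%' / blank."""
    if host in ("%", ""):
        return 2
    return 1 if ("%" in host or "_" in host) else 0

def effective_identity(user_rows, client_host, client_user):
    """The (Host, User) row MySQL uses: most specific Host first, then a
    named User before the anonymous ''. A blank User matches anyone, and the
    session then IS ''@host, which is the '@localhost' in the thread's error."""
    ordered = sorted(user_rows, key=lambda r: (host_rank(r[0]), r[1] == ""))
    for host, user in ordered:
        if like_match(host, client_host) and user in ("", client_user):
            return (host, user)
    return None

def db_allowed(db_rows, client_host, user, db):
    """True if some mysql.db row covers (host, db, user). Privilege columns and
    global privileges are not modelled, only whether any row matches at all."""
    return any(like_match(h, client_host) and like_match(d, db) and u in ("", user)
               for h, d, u in db_rows)

# Defender-side fix: a row whose Host is literally 'localhost' sorts ahead of
# the anonymous row, e.g. GRANT ... ON will.* TO 'www-data'@'localhost';
USER_ROWS_FIXED = USER_ROWS + [("localhost", "www-data")]
```

With the rows as constructed, `effective_identity(USER_ROWS, "localhost", "www-data")` returns the anonymous row, and mysql.db only lets '' into 'test' and 'test\_%'; with `USER_ROWS_FIXED` the same connection matches ('localhost', 'www-data') and the ('%', 'will', 'www-data') db row applies.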
