Last update on .

It's weird how sometimes you can be taken by surprise when not delving deep enough when administering some software package. This can be particularly nasty when it's related to the security of the system.

Some days ago I was rather surprised when one of the developers at the work reported that permission grants he was assigning to a database are being ignored. To be more precise, users without specified privileges were able to actually work on a MySQL database without being prior permission.

Of course, I was very sceptical about the report, so I tried creating a new database on the machine, and tried to access it as a user which wasn't granted any permissions. And, as I expected, it didn't work. The user's access to database was declined. I went back to work thinking the colleague had made a type or something.

In five minutes he called again, and it turned out to be a database called 'test'. Once again I tried the whole procedure, this time using that database, and what do you know - he was right.

To cut the thing short, I've found out in the end that the <strong>problem</strong> was that for some sick reason, by default, the MySQL creates the 'test' database, and grants everyone the right to do whatever they can with it. After some research I've found a nice article at <a href="http://www.securityfocus.com/infocus/1726">SecurityFocus</a> which helped me solve the issue at hand. What I was most baffled about is that I really haven't ever ran into articles describing this kind of behaviour (maybe I was just too lazy to read stuff in details?).

In the end, the good thing is that now I know what to look out for in the future.

Pingbacks

Pingbacks are closed.

Comments

Comments are closed.