Details
-
Task
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Won't Fix
Description
Currently, mysql_install_db provides default access to the test database by inserting some rows into the mysql.db table for the ''@'%' user account, but it does not insert any rows into the mysql.user table for that user account. For example:
MariaDB [(none)]> SELECT * FROM mysql.user WHERE User='' AND Host='%'\G
|
Empty set (0.00 sec)
|
|
|
MariaDB [(none)]> SELECT * FROM mysql.db WHERE User='' AND Host='%'\G
|
*************************** 1. row ***************************
|
Host: %
|
Db: test
|
User:
|
Select_priv: Y
|
Insert_priv: Y
|
Update_priv: Y
|
Delete_priv: Y
|
Create_priv: Y
|
Drop_priv: Y
|
Grant_priv: N
|
References_priv: Y
|
Index_priv: Y
|
Alter_priv: Y
|
Create_tmp_table_priv: Y
|
Lock_tables_priv: Y
|
Create_view_priv: Y
|
Show_view_priv: Y
|
Create_routine_priv: Y
|
Alter_routine_priv: N
|
Execute_priv: N
|
Event_priv: Y
|
Trigger_priv: Y
|
*************************** 2. row ***************************
|
Host: %
|
Db: test\_%
|
User:
|
Select_priv: Y
|
Insert_priv: Y
|
Update_priv: Y
|
Delete_priv: Y
|
Create_priv: Y
|
Drop_priv: Y
|
Grant_priv: N
|
References_priv: Y
|
Index_priv: Y
|
Alter_priv: Y
|
Create_tmp_table_priv: Y
|
Lock_tables_priv: Y
|
Create_view_priv: Y
|
Show_view_priv: Y
|
Create_routine_priv: Y
|
Alter_routine_priv: N
|
Execute_priv: N
|
Event_priv: Y
|
Trigger_priv: Y
|
2 rows in set (0.00 sec)
|
These rows are currently inserted by the scripts/mysql_test_db.sql script:
https://github.com/MariaDB/server/blob/mariadb-10.4.8/scripts/mysql_test_db.sql#L18
This behavior is apparently an artifact of MySQL 3.22, which implemented privileges prior to the implementation of the GRANT statement.
The effect of this is that mysql_install_db creates privileges for the ''@'%' user account, but the user account doesn't really exist from the perspective of other DCL statements like GRANT, CREATE USER, ALTER USER, and DROP USER.
If someone tries to actually create a ''@'%' user account, then they will see errors that are difficult to interpret. For example:
MariaDB [(none)]> CREATE USER ''@'%';
|
ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%'
|
We should probably fix scripts/mysql_test_db.sql, so that it creates a row in the mysql.user table for the ''@'%' user account.
For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example:
DELETE FROM mysql.db WHERE User='' AND Host='%';
|
FLUSH PRIVILEGES;
|
And then the account can be created:
MariaDB [(none)]> CREATE USER ''@'%';
|
Query OK, 0 rows affected (0.01 sec)
|
This is documented here:
https://mariadb.com/kb/en/library/create-user/#fixing-a-legacy-default-anonymous-account
Attachments
Issue Links
- blocks
-
MDEV-20259 mysql_secure_installation should use DDL and DCL instead of DML
-
- Open
-
- relates to
-
-
- Closed
-
- links to
Activity
| Field | Original Value | New Value |
|---|---|---|
| Description |
It seems that MySQL and MariaDB reject some anonymous accounts that use wildcards in the host name portion of the account name, but this limitation does not seem to be documented on any of the following pages:
https://mariadb.com/kb/en/mariadb/create-user/#account-names https://mariadb.com/kb/en/mariadb/grant/ Example: MariaDB [(none)]> SELECT VERSION(); +-----------------+ | VERSION() | +-----------------+ | 10.1.25-MariaDB | +-----------------+ 1 row in set (0.00 sec) MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE User=''; Empty set (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' MariaDB [(none)]> CREATE USER ''@'192.168.1.%'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%.mysql.com'; Query OK, 0 rows affected (0.02 sec) If this is a feature, then we should probably document it. If it is a bug, then we should probably fix it. Relevant upstream bug: https://bugs.mysql.com/bug.php?id=87363 |
It seems that MySQL and MariaDB reject some anonymous accounts that use wildcards in the host name portion of the account name, but this limitation does not seem to be documented on any of the following pages:
https://mariadb.com/kb/en/mariadb/create-user/#account-names https://mariadb.com/kb/en/mariadb/grant/ Example: {noformat} MariaDB [(none)]> SELECT VERSION(); +-----------------+ | VERSION() | +-----------------+ | 10.1.25-MariaDB | +-----------------+ 1 row in set (0.00 sec) MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE User=''; Empty set (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' MariaDB [(none)]> CREATE USER ''@'192.168.1.%'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%.mysql.com'; Query OK, 0 rows affected (0.02 sec) {noformat} If this is a feature, then we should probably document it. If it is a bug, then we should probably fix it. Relevant upstream bug: https://bugs.mysql.com/bug.php?id=87363 |
| Labels | documentation privileges | privileges |
| Component/s | Documentation [ 10903 ] |
| Affects Version/s | 5.5 [ 15800 ] | |
| Affects Version/s | 10.0 [ 16000 ] | |
| Affects Version/s | 10.1 [ 16100 ] | |
| Affects Version/s | 10.2 [ 14601 ] | |
| Affects Version/s | 10.0.31 [ 22501 ] | |
| Affects Version/s | 10.1.25 [ 22542 ] | |
| Affects Version/s | 10.2.7 [ 22543 ] |
| Assignee | Ian Gilfillan [ greenman ] |
| Priority | Major [ 3 ] | Minor [ 4 ] |
| Fix Version/s | 10.2 [ 14601 ] |
| Status | Open [ 1 ] | Confirmed [ 10101 ] |
You cannot create a user if there are already some privileges granted to this user.
And in the default setup, ''@'%' has all privileges on test.*.
Oh, interesting. You're right, this works if I delete those privileges:
MariaDB [(none)]> CREATE USER ''@'%';
|
ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%'
|
MariaDB [(none)]> SELECT User, Host FROM mysql.db;
|
+------+------+
|
| User | Host |
|
+------+------+
|
| | % |
|
| | % |
|
+------+------+
|
2 rows in set (0.01 sec)
|
|
|
MariaDB [(none)]> DELETE FROM mysql.db WHERE User='' AND Host='%';
|
Query OK, 2 rows affected (0.00 sec)
|
|
|
MariaDB [(none)]> FLUSH PRIVILEGES;
|
Query OK, 0 rows affected (0.00 sec)
|
|
|
MariaDB [(none)]> CREATE USER ''@'%';
|
Query OK, 0 rows affected (0.01 sec)
|
Perhaps we should make it consistent and create a matching row in mysql.user too.
That sounds like a reasonable fix to me.
I have clarified the docs to explain this. I agree a matching row in mysql.user makes sense. This bug can either be renamed, or closed and a new task created.
| Summary | Document limitations regarding anonymous accounts that use wildcards | Make mysql_install_db create a real anonymous accounts for the test database |
| Description |
It seems that MySQL and MariaDB reject some anonymous accounts that use wildcards in the host name portion of the account name, but this limitation does not seem to be documented on any of the following pages:
https://mariadb.com/kb/en/mariadb/create-user/#account-names https://mariadb.com/kb/en/mariadb/grant/ Example: {noformat} MariaDB [(none)]> SELECT VERSION(); +-----------------+ | VERSION() | +-----------------+ | 10.1.25-MariaDB | +-----------------+ 1 row in set (0.00 sec) MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE User=''; Empty set (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' MariaDB [(none)]> CREATE USER ''@'192.168.1.%'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%.mysql.com'; Query OK, 0 rows affected (0.02 sec) {noformat} If this is a feature, then we should probably document it. If it is a bug, then we should probably fix it. Relevant upstream bug: https://bugs.mysql.com/bug.php?id=87363 |
mysql_install_db only partially creates a ''@'%' user when setting up the test database. This causes errors that are difficult to interpret when someone tries to actually create a ''@'%' user. For example:
{noformat} MariaDB [(none)]> SELECT VERSION(); +-----------------+ | VERSION() | +-----------------+ | 10.1.25-MariaDB | +-----------------+ 1 row in set (0.00 sec) MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE User=''; Empty set (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' {noformat} The root cause of the problem is that scripts/mysql_test_db.sql inserts some rows into mysql.db for the ''@'%' user, but it does not also insert a row into mysql.user for the user: https://github.com/MariaDB/server/blob/4abb8216a054e14afbeb81e8529e02bab6fa14ac/scripts/mysql_test_db.sql We should probably fix scripts/mysql_test_db.sql, so that it creates a row in ''@'%' mysql.user for the user. For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example: {noformat} DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES; {noformat} And then the account can be created: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; Query OK, 0 rows affected (0.01 sec) {noformat} This is documented here: https://mariadb.com/kb/en/library/create-user/#anonymous-accounts Relevant upstream bug: https://bugs.mysql.com/bug.php?id=87363 |
| Summary | Make mysql_install_db create a real anonymous accounts for the test database | Make mysql_install_db create a real ''@'%' anonymous account for the test database |
| Affects Version/s | 10.3 [ 22126 ] | |
| Affects Version/s | 10.4 [ 22408 ] |
| Fix Version/s | 10.4 [ 22408 ] | |
| Fix Version/s | 10.2 [ 14601 ] |
| Assignee | Sergei Golubchik [ serg ] |
| Component/s | Scripts & Clients [ 11002 ] |
| Remote Link | This issue links to "MySQL bug #87363 - Document limitations regarding anonymous accounts that use wildcards (Web Link)" [ 28801 ] |
| Description |
mysql_install_db only partially creates a ''@'%' user when setting up the test database. This causes errors that are difficult to interpret when someone tries to actually create a ''@'%' user. For example:
{noformat} MariaDB [(none)]> SELECT VERSION(); +-----------------+ | VERSION() | +-----------------+ | 10.1.25-MariaDB | +-----------------+ 1 row in set (0.00 sec) MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE User=''; Empty set (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' {noformat} The root cause of the problem is that scripts/mysql_test_db.sql inserts some rows into mysql.db for the ''@'%' user, but it does not also insert a row into mysql.user for the user: https://github.com/MariaDB/server/blob/4abb8216a054e14afbeb81e8529e02bab6fa14ac/scripts/mysql_test_db.sql We should probably fix scripts/mysql_test_db.sql, so that it creates a row in ''@'%' mysql.user for the user. For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example: {noformat} DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES; {noformat} And then the account can be created: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; Query OK, 0 rows affected (0.01 sec) {noformat} This is documented here: https://mariadb.com/kb/en/library/create-user/#anonymous-accounts Relevant upstream bug: https://bugs.mysql.com/bug.php?id=87363 |
mysql_install_db only partially creates a ''@'%' user when setting up the test database. This causes errors that are difficult to interpret when someone tries to actually create a ''@'%' user. For example:
{noformat} MariaDB [(none)]> SELECT VERSION(); +-----------------+ | VERSION() | +-----------------+ | 10.1.25-MariaDB | +-----------------+ 1 row in set (0.00 sec) MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE User=''; Empty set (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' {noformat} The root cause of the problem is that scripts/mysql_test_db.sql inserts some rows into mysql.db for the ''@'%' user, but it does not also insert a row into mysql.user for the user: https://github.com/MariaDB/server/blob/4abb8216a054e14afbeb81e8529e02bab6fa14ac/scripts/mysql_test_db.sql We should probably fix scripts/mysql_test_db.sql, so that it creates a row in ''@'%' mysql.user for the user. For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example: {noformat} DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES; {noformat} And then the account can be created: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; Query OK, 0 rows affected (0.01 sec) {noformat} This is documented here: https://mariadb.com/kb/en/library/create-user/#anonymous-accounts |
| Description |
mysql_install_db only partially creates a ''@'%' user when setting up the test database. This causes errors that are difficult to interpret when someone tries to actually create a ''@'%' user. For example:
{noformat} MariaDB [(none)]> SELECT VERSION(); +-----------------+ | VERSION() | +-----------------+ | 10.1.25-MariaDB | +-----------------+ 1 row in set (0.00 sec) MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE User=''; Empty set (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' {noformat} The root cause of the problem is that scripts/mysql_test_db.sql inserts some rows into mysql.db for the ''@'%' user, but it does not also insert a row into mysql.user for the user: https://github.com/MariaDB/server/blob/4abb8216a054e14afbeb81e8529e02bab6fa14ac/scripts/mysql_test_db.sql We should probably fix scripts/mysql_test_db.sql, so that it creates a row in ''@'%' mysql.user for the user. For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example: {noformat} DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES; {noformat} And then the account can be created: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; Query OK, 0 rows affected (0.01 sec) {noformat} This is documented here: https://mariadb.com/kb/en/library/create-user/#anonymous-accounts |
mysql_install_db only partially creates a ''@'%' user when setting up the test database. This causes errors that are difficult to interpret when someone tries to actually create a ''@'%' user. For example:
{noformat} MariaDB [(none)]> SELECT VERSION(); +-----------------+ | VERSION() | +-----------------+ | 10.1.25-MariaDB | +-----------------+ 1 row in set (0.00 sec) MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE User=''; Empty set (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' {noformat} The root cause of the problem is that scripts/mysql_test_db.sql inserts some rows into mysql.db for the ''@'%' user, but it does not also insert a row into mysql.user for the user: https://github.com/MariaDB/server/blob/4abb8216a054e14afbeb81e8529e02bab6fa14ac/scripts/mysql_test_db.sql We should probably fix scripts/mysql_test_db.sql, so that it creates a row in ''@'%' mysql.user for the user. For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example: {noformat} DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES; {noformat} And then the account can be created: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; Query OK, 0 rows affected (0.01 sec) {noformat} This is documented here: https://mariadb.com/kb/en/library/create-user/#fixing-a-legacy-default-anonymous-account |
| Description |
mysql_install_db only partially creates a ''@'%' user when setting up the test database. This causes errors that are difficult to interpret when someone tries to actually create a ''@'%' user. For example:
{noformat} MariaDB [(none)]> SELECT VERSION(); +-----------------+ | VERSION() | +-----------------+ | 10.1.25-MariaDB | +-----------------+ 1 row in set (0.00 sec) MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE User=''; Empty set (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' {noformat} The root cause of the problem is that scripts/mysql_test_db.sql inserts some rows into mysql.db for the ''@'%' user, but it does not also insert a row into mysql.user for the user: https://github.com/MariaDB/server/blob/4abb8216a054e14afbeb81e8529e02bab6fa14ac/scripts/mysql_test_db.sql We should probably fix scripts/mysql_test_db.sql, so that it creates a row in ''@'%' mysql.user for the user. For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example: {noformat} DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES; {noformat} And then the account can be created: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; Query OK, 0 rows affected (0.01 sec) {noformat} This is documented here: https://mariadb.com/kb/en/library/create-user/#fixing-a-legacy-default-anonymous-account |
mysql_install_db only partially creates a ''@'%' user when setting up the test database. This causes errors that are difficult to interpret when someone tries to actually create a ''@'%' user. For example:
{noformat} MariaDB [(none)]> SELECT VERSION(); +-----------------+ | VERSION() | +-----------------+ | 10.1.25-MariaDB | +-----------------+ 1 row in set (0.00 sec) MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE User=''; Empty set (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' {noformat} The root cause of the problem is that scripts/mysql_test_db.sql inserts some rows into mysql.db for the ''@'%' user, but it does not also insert a row into mysql.user for the user: https://github.com/MariaDB/server/blob/4abb8216a054e14afbeb81e8529e02bab6fa14ac/scripts/mysql_test_db.sql We should probably fix scripts/mysql_test_db.sql, so that it creates a row in mysql.user for the ''@'%' user. For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example: {noformat} DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES; {noformat} And then the account can be created: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; Query OK, 0 rows affected (0.01 sec) {noformat} This is documented here: https://mariadb.com/kb/en/library/create-user/#fixing-a-legacy-default-anonymous-account |
Hmm. If mysql_install_db will create such a user, it'll have to create it locked, otherwise it'll allow anonymous passwordless remote connections to the server.
But even if locked, it'll be a catch-all account, so instead for an unexistent user name the error will be not "wrong password" anymore, but "account locked". I think that might be quite unexpected.
| Link | This issue relates to MDEV-20259 [ MDEV-20259 ] |
| Link | This issue blocks MDEV-20259 [ MDEV-20259 ] |
| Link | This issue relates to MDEV-20259 [ MDEV-20259 ] |
| Fix Version/s | 10.5 [ 23123 ] | |
| Fix Version/s | 10.4 [ 22408 ] |
Two other options:
- not to create test db with everybody's full access to it. This is what Debian is doing for many years already
- use
MDEV-5215(when it's implemented) instead of 3.22 pre-grant method for allowing everyone to access test db
| Description |
mysql_install_db only partially creates a ''@'%' user when setting up the test database. This causes errors that are difficult to interpret when someone tries to actually create a ''@'%' user. For example:
{noformat} MariaDB [(none)]> SELECT VERSION(); +-----------------+ | VERSION() | +-----------------+ | 10.1.25-MariaDB | +-----------------+ 1 row in set (0.00 sec) MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE User=''; Empty set (0.00 sec) MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' {noformat} The root cause of the problem is that scripts/mysql_test_db.sql inserts some rows into mysql.db for the ''@'%' user, but it does not also insert a row into mysql.user for the user: https://github.com/MariaDB/server/blob/4abb8216a054e14afbeb81e8529e02bab6fa14ac/scripts/mysql_test_db.sql We should probably fix scripts/mysql_test_db.sql, so that it creates a row in mysql.user for the ''@'%' user. For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example: {noformat} DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES; {noformat} And then the account can be created: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; Query OK, 0 rows affected (0.01 sec) {noformat} This is documented here: https://mariadb.com/kb/en/library/create-user/#fixing-a-legacy-default-anonymous-account |
Currently, {{mysql_install_db}} inserts some rows into the {{mysql.db}} table for the {{''@'%'}} user account, but it does not insert any rows into the {{mysql.user}} table for that user account. For example:
{noformat} MariaDB [(none)]> SELECT * FROM mysql.user WHERE User='' AND Host='%'\G Empty set (0.00 sec) MariaDB [(none)]> SELECT * FROM mysql.db WHERE User='' AND Host='%'\G *************************** 1. row *************************** Host: % Db: test User: Select_priv: Y Insert_priv: Y Update_priv: Y Delete_priv: Y Create_priv: Y Drop_priv: Y Grant_priv: N References_priv: Y Index_priv: Y Alter_priv: Y Create_tmp_table_priv: Y Lock_tables_priv: Y Create_view_priv: Y Show_view_priv: Y Create_routine_priv: Y Alter_routine_priv: N Execute_priv: N Event_priv: Y Trigger_priv: Y *************************** 2. row *************************** Host: % Db: test\_% User: Select_priv: Y Insert_priv: Y Update_priv: Y Delete_priv: Y Create_priv: Y Drop_priv: Y Grant_priv: N References_priv: Y Index_priv: Y Alter_priv: Y Create_tmp_table_priv: Y Lock_tables_priv: Y Create_view_priv: Y Show_view_priv: Y Create_routine_priv: Y Alter_routine_priv: N Execute_priv: N Event_priv: Y Trigger_priv: Y 2 rows in set (0.00 sec) {noformat} These rows are currently inserted by the {{scripts/mysql_test_db.sql}} script: https://github.com/MariaDB/server/blob/mariadb-10.4.8/scripts/mysql_test_db.sql#L18 This behavior is apparently an artifact of MySQL 3.22, which implemented privileges prior to the implementation of the {{GRANT}} statement. The effect of this is that {{mysql_install_db}} creates privileges for the {{''@'%'}} user account, but the user account doesn't really exist from the perspective of other DCL statements like {{GRANT}}, {{CREATE USER}}, {{ALTER USER}}, and {{DROP USER}}. If someone tries to actually create a {{''@'%'}} user account, then they will see errors that are difficult to interpret. For example: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' {noformat} We should probably fix {{scripts/mysql_test_db.sql}}, so that it creates a row in the {{mysql.user}} table for the {{''@'%'}} user account. For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example: {noformat} DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES; {noformat} And then the account can be created: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; Query OK, 0 rows affected (0.01 sec) {noformat} This is documented here: https://mariadb.com/kb/en/library/create-user/#fixing-a-legacy-default-anonymous-account |
| Description |
Currently, {{mysql_install_db}} inserts some rows into the {{mysql.db}} table for the {{''@'%'}} user account, but it does not insert any rows into the {{mysql.user}} table for that user account. For example:
{noformat} MariaDB [(none)]> SELECT * FROM mysql.user WHERE User='' AND Host='%'\G Empty set (0.00 sec) MariaDB [(none)]> SELECT * FROM mysql.db WHERE User='' AND Host='%'\G *************************** 1. row *************************** Host: % Db: test User: Select_priv: Y Insert_priv: Y Update_priv: Y Delete_priv: Y Create_priv: Y Drop_priv: Y Grant_priv: N References_priv: Y Index_priv: Y Alter_priv: Y Create_tmp_table_priv: Y Lock_tables_priv: Y Create_view_priv: Y Show_view_priv: Y Create_routine_priv: Y Alter_routine_priv: N Execute_priv: N Event_priv: Y Trigger_priv: Y *************************** 2. row *************************** Host: % Db: test\_% User: Select_priv: Y Insert_priv: Y Update_priv: Y Delete_priv: Y Create_priv: Y Drop_priv: Y Grant_priv: N References_priv: Y Index_priv: Y Alter_priv: Y Create_tmp_table_priv: Y Lock_tables_priv: Y Create_view_priv: Y Show_view_priv: Y Create_routine_priv: Y Alter_routine_priv: N Execute_priv: N Event_priv: Y Trigger_priv: Y 2 rows in set (0.00 sec) {noformat} These rows are currently inserted by the {{scripts/mysql_test_db.sql}} script: https://github.com/MariaDB/server/blob/mariadb-10.4.8/scripts/mysql_test_db.sql#L18 This behavior is apparently an artifact of MySQL 3.22, which implemented privileges prior to the implementation of the {{GRANT}} statement. The effect of this is that {{mysql_install_db}} creates privileges for the {{''@'%'}} user account, but the user account doesn't really exist from the perspective of other DCL statements like {{GRANT}}, {{CREATE USER}}, {{ALTER USER}}, and {{DROP USER}}. If someone tries to actually create a {{''@'%'}} user account, then they will see errors that are difficult to interpret. For example: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' {noformat} We should probably fix {{scripts/mysql_test_db.sql}}, so that it creates a row in the {{mysql.user}} table for the {{''@'%'}} user account. For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example: {noformat} DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES; {noformat} And then the account can be created: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; Query OK, 0 rows affected (0.01 sec) {noformat} This is documented here: https://mariadb.com/kb/en/library/create-user/#fixing-a-legacy-default-anonymous-account |
Currently, {{mysql_install_db}} provides default access to the test database by inserting some rows into the {{mysql.db}} table for the {{''@'%'}} user account, but it does not insert any rows into the {{mysql.user}} table for that user account. For example:
{noformat} MariaDB [(none)]> SELECT * FROM mysql.user WHERE User='' AND Host='%'\G Empty set (0.00 sec) MariaDB [(none)]> SELECT * FROM mysql.db WHERE User='' AND Host='%'\G *************************** 1. row *************************** Host: % Db: test User: Select_priv: Y Insert_priv: Y Update_priv: Y Delete_priv: Y Create_priv: Y Drop_priv: Y Grant_priv: N References_priv: Y Index_priv: Y Alter_priv: Y Create_tmp_table_priv: Y Lock_tables_priv: Y Create_view_priv: Y Show_view_priv: Y Create_routine_priv: Y Alter_routine_priv: N Execute_priv: N Event_priv: Y Trigger_priv: Y *************************** 2. row *************************** Host: % Db: test\_% User: Select_priv: Y Insert_priv: Y Update_priv: Y Delete_priv: Y Create_priv: Y Drop_priv: Y Grant_priv: N References_priv: Y Index_priv: Y Alter_priv: Y Create_tmp_table_priv: Y Lock_tables_priv: Y Create_view_priv: Y Show_view_priv: Y Create_routine_priv: Y Alter_routine_priv: N Execute_priv: N Event_priv: Y Trigger_priv: Y 2 rows in set (0.00 sec) {noformat} These rows are currently inserted by the {{scripts/mysql_test_db.sql}} script: https://github.com/MariaDB/server/blob/mariadb-10.4.8/scripts/mysql_test_db.sql#L18 This behavior is apparently an artifact of MySQL 3.22, which implemented privileges prior to the implementation of the {{GRANT}} statement. The effect of this is that {{mysql_install_db}} creates privileges for the {{''@'%'}} user account, but the user account doesn't really exist from the perspective of other DCL statements like {{GRANT}}, {{CREATE USER}}, {{ALTER USER}}, and {{DROP USER}}. If someone tries to actually create a {{''@'%'}} user account, then they will see errors that are difficult to interpret. For example: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' {noformat} We should probably fix {{scripts/mysql_test_db.sql}}, so that it creates a row in the {{mysql.user}} table for the {{''@'%'}} user account. For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example: {noformat} DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES; {noformat} And then the account can be created: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; Query OK, 0 rows affected (0.01 sec) {noformat} This is documented here: https://mariadb.com/kb/en/library/create-user/#fixing-a-legacy-default-anonymous-account |
| Description |
Currently, {{mysql_install_db}} provides default access to the test database by inserting some rows into the {{mysql.db}} table for the {{''@'%'}} user account, but it does not insert any rows into the {{mysql.user}} table for that user account. For example:
{noformat} MariaDB [(none)]> SELECT * FROM mysql.user WHERE User='' AND Host='%'\G Empty set (0.00 sec) MariaDB [(none)]> SELECT * FROM mysql.db WHERE User='' AND Host='%'\G *************************** 1. row *************************** Host: % Db: test User: Select_priv: Y Insert_priv: Y Update_priv: Y Delete_priv: Y Create_priv: Y Drop_priv: Y Grant_priv: N References_priv: Y Index_priv: Y Alter_priv: Y Create_tmp_table_priv: Y Lock_tables_priv: Y Create_view_priv: Y Show_view_priv: Y Create_routine_priv: Y Alter_routine_priv: N Execute_priv: N Event_priv: Y Trigger_priv: Y *************************** 2. row *************************** Host: % Db: test\_% User: Select_priv: Y Insert_priv: Y Update_priv: Y Delete_priv: Y Create_priv: Y Drop_priv: Y Grant_priv: N References_priv: Y Index_priv: Y Alter_priv: Y Create_tmp_table_priv: Y Lock_tables_priv: Y Create_view_priv: Y Show_view_priv: Y Create_routine_priv: Y Alter_routine_priv: N Execute_priv: N Event_priv: Y Trigger_priv: Y 2 rows in set (0.00 sec) {noformat} These rows are currently inserted by the {{scripts/mysql_test_db.sql}} script: https://github.com/MariaDB/server/blob/mariadb-10.4.8/scripts/mysql_test_db.sql#L18 This behavior is apparently an artifact of MySQL 3.22, which implemented privileges prior to the implementation of the {{GRANT}} statement. The effect of this is that {{mysql_install_db}} creates privileges for the {{''@'%'}} user account, but the user account doesn't really exist from the perspective of other DCL statements like {{GRANT}}, {{CREATE USER}}, {{ALTER USER}}, and {{DROP USER}}. If someone tries to actually create a {{''@'%'}} user account, then they will see errors that are difficult to interpret. For example: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' {noformat} We should probably fix {{scripts/mysql_test_db.sql}}, so that it creates a row in the {{mysql.user}} table for the {{''@'%'}} user account. For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example: {noformat} DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES; {noformat} And then the account can be created: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; Query OK, 0 rows affected (0.01 sec) {noformat} This is documented here: https://mariadb.com/kb/en/library/create-user/#fixing-a-legacy-default-anonymous-account |
Currently, {{mysql_install_db}} provides default access to the {{test}} database by inserting some rows into the {{mysql.db}} table for the {{''@'%'}} user account, but it does not insert any rows into the {{mysql.user}} table for that user account. For example:
{noformat} MariaDB [(none)]> SELECT * FROM mysql.user WHERE User='' AND Host='%'\G Empty set (0.00 sec) MariaDB [(none)]> SELECT * FROM mysql.db WHERE User='' AND Host='%'\G *************************** 1. row *************************** Host: % Db: test User: Select_priv: Y Insert_priv: Y Update_priv: Y Delete_priv: Y Create_priv: Y Drop_priv: Y Grant_priv: N References_priv: Y Index_priv: Y Alter_priv: Y Create_tmp_table_priv: Y Lock_tables_priv: Y Create_view_priv: Y Show_view_priv: Y Create_routine_priv: Y Alter_routine_priv: N Execute_priv: N Event_priv: Y Trigger_priv: Y *************************** 2. row *************************** Host: % Db: test\_% User: Select_priv: Y Insert_priv: Y Update_priv: Y Delete_priv: Y Create_priv: Y Drop_priv: Y Grant_priv: N References_priv: Y Index_priv: Y Alter_priv: Y Create_tmp_table_priv: Y Lock_tables_priv: Y Create_view_priv: Y Show_view_priv: Y Create_routine_priv: Y Alter_routine_priv: N Execute_priv: N Event_priv: Y Trigger_priv: Y 2 rows in set (0.00 sec) {noformat} These rows are currently inserted by the {{scripts/mysql_test_db.sql}} script: https://github.com/MariaDB/server/blob/mariadb-10.4.8/scripts/mysql_test_db.sql#L18 This behavior is apparently an artifact of MySQL 3.22, which implemented privileges prior to the implementation of the {{GRANT}} statement. The effect of this is that {{mysql_install_db}} creates privileges for the {{''@'%'}} user account, but the user account doesn't really exist from the perspective of other DCL statements like {{GRANT}}, {{CREATE USER}}, {{ALTER USER}}, and {{DROP USER}}. If someone tries to actually create a {{''@'%'}} user account, then they will see errors that are difficult to interpret. For example: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; ERROR 1396 (HY000): Operation CREATE USER failed for ''@'%' {noformat} We should probably fix {{scripts/mysql_test_db.sql}}, so that it creates a row in the {{mysql.user}} table for the {{''@'%'}} user account. For now, this can be worked around by deleting the row in the mysql.db table and then executing FLUSH PRIVILEGES. For example: {noformat} DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES; {noformat} And then the account can be created: {noformat} MariaDB [(none)]> CREATE USER ''@'%'; Query OK, 0 rows affected (0.01 sec) {noformat} This is documented here: https://mariadb.com/kb/en/library/create-user/#fixing-a-legacy-default-anonymous-account |
| Link |
This issue relates to |
use
MDEV-5215(when it's implemented) instead of 3.22 pre-grant method for allowing everyone to access test db
I created MDEV-20947 to track that idea.
| Link | This issue relates to MENT-506 [ MENT-506 ] |
| Affects Version/s | 10.2 [ 14601 ] | |
| Affects Version/s | 5.5 [ 15800 ] | |
| Affects Version/s | 10.0 [ 16000 ] | |
| Affects Version/s | 10.1 [ 16100 ] | |
| Affects Version/s | 10.3 [ 22126 ] | |
| Affects Version/s | 10.4 [ 22408 ] | |
| Issue Type | Bug [ 1 ] | Task [ 3 ] |
| Fix Version/s | 10.5 [ 23123 ] |
While waiting for MDEV-5215 and MDEV-20947 how about giving access to the test databases to anonymous users only? 10.6?
diff --git a/scripts/mysql_test_db.sql b/scripts/mysql_test_db.sql
|
index 9f8a0cf604c..edf1242c6c5 100644
|
--- a/scripts/mysql_test_db.sql
|
+++ b/scripts/mysql_test_db.sql
|
@@ -15,17 +15,12 @@
|
|
CREATE DATABASE IF NOT EXISTS test CHARACTER SET latin1 COLLATE latin1_swedish_ci;
|
|
--- Fill "db" table with default grants for anyone to
|
--- access database 'test' and 'test_%' if "db" table didn't exist
|
-CREATE TEMPORARY TABLE tmp_db LIKE db;
|
-INSERT INTO tmp_db VALUES ('%','test','','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','N','N','Y','Y','Y');
|
-INSERT INTO tmp_db VALUES ('%','test\_%','','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','N','N','Y','Y','Y');
|
-INSERT INTO db SELECT * FROM tmp_db WHERE @had_db_table=0;
|
-DROP TABLE tmp_db;
|
-
|
-- Anonymous user with no privileges.
|
CREATE TEMPORARY TABLE tmp_user_anonymous LIKE global_priv;
|
INSERT INTO tmp_user_anonymous (host,user) VALUES ('localhost','');
|
INSERT INTO tmp_user_anonymous (host,user) SELECT @current_hostname,'' FROM dual WHERE @current_hostname != 'localhost';
|
INSERT INTO global_priv SELECT * FROM tmp_user_anonymous WHERE @had_user_table=0;
|
+-- access database 'test' and 'test_%' for anonymous users if "db" table exists
|
+INSERT INTO db SELECT host,'test',user,'Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','N','N','Y','Y','Y' FROM tmp_user_anonymous WHERE @had_db_table=0 AND @had_db_table=0;
|
+INSERT INTO db SELECT host,'test\_%',user,'Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','N','N','Y','Y','Y' FROM tmp_user_anonymous WHERE @had_db_table=0 AND @had_db_table=0;
|
DROP TABLE tmp_user_anonymous;
|
+ mysql_secure_installation changes to cope with old and new versions.
| Workflow | MariaDB v3 [ 81979 ] | MariaDB v4 [ 131796 ] |
| Priority | Minor [ 4 ] | Major [ 3 ] |
| Fix Version/s | N/A [ 14700 ] | |
| Resolution | Won't Fix [ 2 ] | |
| Status | Confirmed [ 10101 ] | Closed [ 6 ] |
This is neither.
You cannot create a user if there are already some privileges granted to this user.
And in the default setup, ''@'%' has all privileges on test.*.
This is how it always was, even in 3.22, before GRANT statement was implemented. So it's something that is not fully compatible with GRANT and cannot be created with GRANT — there is no row for ''@'%' in mysql.user table, but there is such a row in mysql.db table.
Perhaps we should make it consistent and create a matching row in mysql.user too.