Results 1 to 5 of 5
  1. #1

    MySQL security question

    I have just purchased some webspace on a host which uses a RAQ4. I have never used space on a RAQ4 before and so am unsure how things should appear. I requested MySQL to be set up, and have been provided with a username and password to access MySQL.

    My preferred way of administering MySQL is PhpMyAdmin and so I have loaded that into my own webspace and configured it to access MYSQL on localhost using the password and username I was given.

    As expected I can access a database I set up via telnet. However I also find I can access the databse "mysql" and can view the table "user". In this I find that there are two users set up which have all privilidges set to "y". one user is shown as on loaclhost with the username I was given to use and an encypted password.

    The other user is shown with a hostname close to that of the company I get the webspace from, with a user name of root and no encrypted string for a password.

    I am unsure if I what I am seeing relates only to my domain, or whether it relates to the whole server (as I say I am new to RAQ's).

    Also I am unclear if there is a security vulnerability here, hopefully I am worrying unecessarily.

  2. #2
    Join Date
    Feb 2002
    There may be a security hole
    This forum officially ****ing sucks

  3. #3
    Roly, what is the nature of the hole.

    I should have said in the first post that the MySQL databse would be accessed over the web via PHP.

    I would have thought that the user that is used in my php scripts should not have reload,shutdown, process, file or grant prividges. This I understand and is not particularly a RAQ4 issue.

    What I dont understand is if I get a in effect a "virtual MySQL" server on a RAQ4, so that I can only see databases and passowrds created in my space. My databases are the first ones this host has set up and so the fact that I can see no others at present may be due to good security, or down to the fact that there are no others to see. I hope this makes some sort of sense.

    To reiterate what I am unsure about is whether a virtual host on a RAQ4 gets a completely separate instance of MySQL.

  4. #4
    Join Date
    Jul 2000
    Costa Mesa, California
    That sounds normal, everybody should be able to access the user table inside the mysql db. If you were not able to read that table the mysql server would not know to give you access to your db.

    Someone well versed in mysql will be able to better answer questions. :-)


  5. #5
    It was my understanding that in the user table it would be best if the privilidges were all set to "N", and in the db table privilidges for select, insert, update and delete were set for the specific db I am using.

    Once agian I reiterate that the point is not so much about MySQL privilidges (I would have posted that query in a different forum anyway), but specifically about the RAQ4 set up with virtual hosts, and whether what I am seeing in the Mysql user table relates to just my virtual host or to all databases on the RAQ!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts