-- Abstract: if a ''@'localhost' (anonymous) user record exists, anyone can log in from localhost
-- with any username and no password, and any users defined @'%' are ignored when they log in from localhost.
-------[Root connection]-------
-- All MySQL installations I've seen so far have a ''@'localhost' user record.
mysql> select host, user from mysql.user;
+-----------+--------+
| host | user |
+-----------+--------+
| 127.0.0.1 | root |
| ::1 | root |
| localhost | |
| localhost | root |
+-----------+--------+
4 rows in set (0.00 sec)
-------[Another connection]-------
-- This allows login with ANY username without password from localhost!
$ mysql -u myuser -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11222
Server version: 5.6.16 MySQL Community Server (GPL)
mysql> quit
Bye
-- Or even without username at all
$ mysql -u '' -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11223
Server version: 5.6.16 MySQL Community Server (GPL)
mysql> quit
Bye
-------[Root connection]-------
-- Let's create a user @'%'
mysql> grant all on mydb.* to 'myuser'@'%' identified by '123123';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
-------[Another connection]-------
-- This user is ignored
$ mysql -u myuser -p
Enter password: 123123
ERROR 1045 (28000): Access denied for user 'myuser'@'localhost' (using password: YES)
-------[Root connection]-------
-- Let's remove the empty user record
mysql> drop user ''@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
-- And make sure that we're ok
mysql> select Host, User from mysql.user;
+-----------+------+
| Host | User |
+-----------+------+
| 127.0.0.1 | root |
| ::1 | root |
| localhost | root |
+-----------+------+
3 rows in set (0.00 sec)
-------[Another connection]-------
-- Able to login with the correct user!
$ mysql -u myuser -p
Enter password: 123123
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11228
Server version: 5.6.16 MySQL Community Server (GPL)
-- And check the permissions
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mydb |
| test |
+--------------------+
3 rows in set (0.00 sec)
mysql> quit
Bye
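-- Added example (not part of the original gist, and not MySQL's own code): a simplified Python model
-- of how the server picks the mysql.user row for a connection, showing why ''@'localhost' shadows 'myuser'@'%'.
-- Assumptions: plaintext password comparison stands in for the real hash check; the root password is a constructed placeholder.

```python
import re

# Constructed copy of the mysql.user rows from the transcript above.
ACCOUNTS = [
    {"host": "127.0.0.1", "user": "root",   "password": "<root-pw>"},
    {"host": "::1",       "user": "root",   "password": "<root-pw>"},
    {"host": "localhost", "user": "",       "password": ""},
    {"host": "localhost", "user": "root",   "password": "<root-pw>"},
    {"host": "%",         "user": "myuser", "password": "123123"},
]

def host_specificity(host):
    # Literal hosts sort first, wildcard patterns next, the catch-all '%' last.
    if host == "%":
        return 2
    return 1 if ("%" in host or "_" in host) else 0

def sort_accounts(accounts):
    # Most specific Host first; within one Host, named users before anonymous ''.
    return sorted(accounts, key=lambda a: (host_specificity(a["host"]), a["user"] == ""))

def host_matches(pattern, client_host):
    # Host patterns use SQL LIKE wildcards: % = any run of chars, _ = one char.
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, client_host) is not None

def authenticate(accounts, user, client_host, password):
    """Return (granted, matched_account). Only the FIRST matching row is used."""
    for acct in sort_accounts(accounts):
        # A blank User column matches any username the client sends.
        if host_matches(acct["host"], client_host) and acct["user"] in ("", user):
            # No fall-through: a password mismatch here is a denial, even if
            # a later, less specific row would have accepted the credentials.
            return acct["password"] == password, f"'{acct['user']}'@'{acct['host']}'"
    return False, None

if __name__ == "__main__":
    # Anonymous row present: the correct password for myuser@% is rejected.
    print(authenticate(ACCOUNTS, "myuser", "localhost", "123123"))
    # ...while an empty password is accepted for any username.
    print(authenticate(ACCOUNTS, "myuser", "localhost", ""))
    # After DROP USER ''@'localhost', the '%' row is finally reached.
    fixed = [a for a in ACCOUNTS if a["user"] != ""]
    print(authenticate(fixed, "myuser", "localhost", "123123"))
```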