problem understanding user priv system
| siliconmike 2005-06-30, 3:23 am |
| On my FreeBSD system, apache would run under user: www
Apache would run php script which would access mysql as user: xyz,
passwd: pqr
MySQL server would itself run with --user=mysql command line variable..
So, what user would need to be set up in the privilege table? xyz or
mysql?
Or is mysql user removable in my case? (it was installed by default)
I'm new to unix. Can someone please clarify what's going on here... what
user mysql can do and what xyz can do..
Mike
| |
| jerry gitomer 2005-06-30, 3:23 am |
| siliconmike wrote:
> On my FreeBSD system, apache would run under user: www
> apache would run php script which would access mysql as user: xyz,
> passwd: pqr
> MySQL server would itself run with --user=mysql command line variable..
>
> So, what user would need to be set up in the privilege table? xyz or
> mysql?
>
> Or is mysql user removable in my case? (it was installed by default)
>
> I'm new to unix. Can someone please clarify what's going on here... what
> user mysql can do and what xyz can do..
>
> Mike
>
Mike,
I suspect what is confusing you is that Unix and MySQL have
independent users and permissions. I can be user abc as far as
Unix is concerned and have multiple MySQL logins -- none of
which are abc. In fact another user, let's say Unix user id efg
could have the MySQL user id of abc. There is no conflict
because the two login/password schemes are independent of each
other.
HTH
Jerry
| |
| siliconmike 2005-06-30, 3:23 am |
| Oh I get it now.. The mysql daemon runs as a "mysql" system user.. The
logins are independent.
Then the data directories should have r and w privileges for the unix
user "mysql", right ?
Mike
| |
| Gordon Burditt 2005-06-30, 9:23 am |
| >On my FreeBSD system, apache would run under user: www
>Apache would run php script which would access mysql as user: xyz,
>passwd: pqr
>MySQL server would itself run with --user=mysql command line variable..
>
>So, what user would need to be set up in the privilege table? xyz or
>mysql?
Any one you want, including 'boastmaster'.
>Or is mysql user removable in my case? (it was installed by default)
The UNIX user 'mysql' is for the MySQL daemon to run as, and as an
owner of the database files. I suggest you keep it around unless
you've got a good reason to change it. DON'T run mysqld as root.
The MySQL daemon needs read/write privileges on its databases.
Anyone else (UNIX user) able to write the databases can bypass MySQL
privilege rules by adding entries to the privilege tables manually,
so this list should be short.
>I'm new to unix. Can someone please clarify what's going on here... what
>user mysql can do and what xyz can do..
MySQL users and UNIX users have no necessary relationship to each
other. The MySQL daemon cannot determine what UNIX user a client
is running as, and it doesn't care. That means that if you have
the MySQL user 'root' left with no password, *ANY* UNIX user on the
local machine can claim to be 'root' and use it. Fortunately the
default setup doesn't allow access over the network.
The client library defaults the MySQL user to be the UNIX user if
it's not specified, but that's not security, only a convenience.
Claiming to be another MySQL user different from the UNIX user is
as easy as a command-line option or an argument to mysql_connect().
Another type of user you will often encounter is web page users.
This type is a creation of a web page that has its own login code.
The list of valid users may be kept in a MySQL database, but *not*
in the MySQL privilege tables. These users are unrelated to MySQL
users and UNIX users. A web page frequently has its own MySQL login
to access the database and validate the web page users.
Gordon L. Burditt
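
Added example (not part of the original thread): a shell check for the point made above that any UNIX user able to write the database files can bypass the MySQL privilege rules. It lists entries under a data directory that are not owned by the daemon's UNIX user or that are writable by group or others. The function names and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit a MySQL data directory for filesystem write access
# that would sidestep the MySQL privilege tables.

# Print every entry under $1 that is not owned by $2, or that is writable
# by group or others. Symlinks are skipped (their mode bits mean nothing).
datadir_findings() {
    dir=$1
    owner=$2
    find "$dir" ! -type l \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
}

# Return 0 if the directory is clean, 1 if anything was found,
# 2 if the argument is not a directory.
audit_datadir() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    findings=$(datadir_findings "$dir" "$owner")
    if [ -n "$findings" ]; then
        echo "entries that let someone other than '$owner' alter the data:"
        echo "$findings" | while IFS= read -r f; do ls -ld "$f"; done
        return 1
    fi
    echo "ok: everything under $dir is owned by '$owner', no group/other write"
    return 0
}

# Usage (path is an assumption, substitute your server's data directory):
#   sh audit_datadir.sh /var/db/mysql mysql
if [ $# -eq 2 ]; then
    audit_datadir "$1" "$2"
fi
```

Run it as root or as the daemon user so that find can read the whole tree; it only inspects ownership and mode bits and changes nothing.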