Using MySQL 5.5 on Arch Linux, when I create a localhost user with a password and give it all privileges to all tables and then delete that user, I can still login as that user without typing in a password.
Steps to reproduce:
# mysql -u root -h localhost -p
Enter password: <root password>
mysql> create user 'test'@'localhost' identified by 'testing123';
mysql> grant all on *.* to 'test'@'localhost' identified by 'testing123';
mysql> select * from mysql.user where user='test';
1 row in set (0.00 sec)
mysql> exit
# mysql -u test -h localhost -p
Enter password: testing123
mysql> show databases;
mysql> exit
# mysql -u root -h localhost -p
Enter password: <root password>
mysql> delete from mysql.user where user='test';
Query OK, 1 row affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
mysql> select * from mysql.user where user='test';
Empty set (0.00 sec)
mysql> exit
# mysql -u test -h localhost
mysql> (Why?)
Not only that, but the "non-existing" test user can still exercise all of the same privileges. Major security problem. If I restart the server, it still lets me login without a pas开发者_开发技巧sword.
I finally figured out what was happening. By default, in the user table there is an anonymous user @ localhost. This user is automatically matched with any attempted username and logged in as that anonymous user. Kind of strange, I know. To get rid of the anonymous user, login as root and perform the following command:
drop user ''@localhost;
精彩评论