From: Andrew K. <ak...@co...> - 2004-02-05 21:09:31
I don't believe GRANT statements are used in the Webmin interface. At least, I don't think so. I believe the mysql system tables are updated directly. Maybe I'm wrong. Perhaps the relations have somehow changed in MySQL that would cause this problem and hence the same updates done in MySQL 3 are incomplete in MySQL 4.

It seems to be a problem in the "Database Permissions" form. The "User Permissions" seem to work properly. I don't have your exact environment in order to try it. Perhaps someone else who has BSD with MySQL 4 installed can reproduce this problem?

-Andrew

Suspect wrote:

>your scenario as explained was exactly right.
>
>The odd thing is, if I issue a grant statement via mysql itself at the CLI,
>all works fine.
>
>It's only when adding a user to mysql via webmin that the security problem
>comes in.
>
>Odd, to say the least.
>
>I am running webmin 1.30 with mysql 4.0 on FreeBSD.
>
>Today ak...@co... was all like:
>** Forgive me as I cannot find the thread your original emails came under
>** and was unable to determine the original procedures you used. To review:
>**
>** 1) Create user with no permissions in "/User Permissions/" under Global
>**    Options.
>**    A) Username set to "testuser"
>**    B) Password set ...
>**    C) Hosts set to any
>**    D) No permissions set (setting permissions here will make it global
>**       across all databases)
>**    E) Save data
>** 2) Create New database permissions for the *sample* database in
>**    "/Database Permissions/"
>**    A) Choose database "sample"
>**    B) Fill in user "testuser" instead of anonymous
>**    C) Choose hosts "any" or whatever host you are logging in from
>**    D) Pick permissions allowed for "testuser" (select/insert/delete/etc.)
>**    E) Save data.
>**
>** This works for various incarnations of MySQL I have installed. I am
>** sorry if this is rehashing the same information but sometimes a review
>** helps.
>** I know that your "user permissions" form works since you were able to
>** log in to databases using the login you created. The problem is
>** somewhere in the "Database Permissions" form and may or may not be a
>** bug for the particular version of MySQL you are using.
>**
>** -Andrew
>**
>** Suspect wrote:
>**
>** >host permissions == all/any
>** >
>** >Today ak...@co... was all like:
>** >** I don't mean to beat a dead horse, but in the images, you left the
>** >** option "from host permissions" in the database permissions form.
>** >** Since I did not see images where you filled out host permissions
>** >** I assume that these were not filled out. If you did not do this you
>** >** might try changing that option to "all" hosts instead of "from host
>** >** permissions". If you have already done this and it does not work,
>** >** I am at a loss. From the images you have, the database is acting
>** >** appropriately.
>** >**
>** >** -Andrew Kornak
>** >**
>** >** Suspect wrote:
>** >**
>** >** >negative. See the other email sent to the list that includes images.
>** >** >
>** >** >I set the user to none/db to select etc and I can't see any of the dbs.
>** >** >
>** >** >I set ANY permissions for the user and all of a sudden they can see
>** >** >all.
>** >** >
>** >** >Today ak...@co... was all like:
>** >** >** Your error is in trying to set database permissions through the
>** >** >** "user permissions" instead of "database permissions". User
>** >** >** permissions is global to all database tables. Database
>** >** >** permissions is only database specific. Change permissions in the
>** >** >** "user permissions" form to none. Change the "from host
>** >** >** permissions" to "any" and choose the operations you want this
>** >** >** user to have permission to use.
>** >** >** The "from hosts permissions" requires you change host permissions
>** >** >** which is another form. Once you change database permissions
>** >** >** this user will be allowed to access only the database or
>** >** >** databases you choose.
>** >** >**
>** >** >** Hope this helps.
>** >** >**
>** >** >** -Andrew Kornak
>** >** >**
>** >** >** Suspect wrote:
>** >** >**
>** >** >** >To make things easier, I have added some screenshots with
>** >** >** >explanations.
>** >** >** >
>** >** >** >1. http://www.reject.org/pr0ject/webmin/dbcreate.jpg create the db
>** >** >** >
>** >** >** >2. http://www.reject.org/pr0ject/webmin/usercreate.jpg create the
>** >** >** >user
>** >** >** >
>** >** >** >3. http://www.reject.org/pr0ject/webmin/usercreateafter.jpg user
>** >** >** >created, but shown here with NO permissions.
>** >** >** >
>** >** >** >4. http://www.reject.org/pr0ject/webmin/usercreateperms.jpg I
>** >** >** >added Database specific permissions for the user testuser on
>** >** >** >database sample.
>** >** >** >
>** >** >** >5. http://www.reject.org/pr0ject/webmin/userdbperms.jpg proof that
>** >** >** >webmin recorded the new db permissions.
>** >** >** >
>** >** >** >6. http://www.reject.org/pr0ject/webmin/putty.jpg logging in to
>** >** >** >mysql via putty with the user testuser. No databases are present.
>** >** >** >
>** >** >** >7. http://www.reject.org/pr0ject/webmin/webminuserperms.jpg I
>** >** >** >select the user via webmin, and add USER permissions.
>** >** >** >
>** >** >** >8. http://www.reject.org/pr0ject/webmin/afteruserpermswebmin.jpg
>** >** >** >Webmin shows these new user permissions recorded.
>** >** >** >
>** >** >** >9. http://www.reject.org/pr0ject/webmin/afteruserpermsputty.jpg
>** >** >** >now the user can see and read ALL databases within mysql, even
>** >** >** >though the only db permissions it's supposed to have are for the
>** >** >** >sample database.
>** >** >** >
>** >** >** >The information blocked out is for other users, and there is no
>** >** >** >Anonymous option allowed.
>** >** >** >
>** >** >** >Hope this helps.
>** >** >** >
>** >** >** >Today jca...@we... was all like:
>** >** >** >** Are you sure you're not seeing the effect of the 'anonymous'
>** >** >** >** user or database permissions? These can cause some un-expected
>** >** >** >** privileges to be granted, and should be removed as soon as
>** >** >** >** possible..
>** >** >** >**
>** >** >** >** I checked the structures of the 'user' and 'db' tables in MySQL
>** >** >** >** 4, and they are the same as earlier 4.x versions which Webmin
>** >** >** >** supports OK.
>** >** >** >**
>** >** >** >** - Jamie
>** >** >** >**
>** >** >** >** On Tue, 2004-02-03 at 16:08, Suspect wrote:
>** >** >** >** > You can grant database permissions, but no user permissions
>** >** >** >** > and it fails to read any db as that user.
>** >** >** >** >
>** >** >** >** > Grant any type of user permissions, and now they can read ALL
>** >** >** >** > the dbs.
>** >** >** >** >
>** >** >** >** > (including the mysql db)
>** >** >** >** >
>** >** >** >** > Make sense?
>** >** >** >** >
>** >** >** >** > Today jca...@we... was all like:
>** >** >** >** > ** On Thu, 2004-01-29 at 12:10, Suspect wrote:
>** >** >** >** > ** > Greetings list,
>** >** >** >** > ** >
>** >** >** >** > ** > Am I to assume that until further notice, Webmin will
>** >** >** >** > ** > NOT be working properly with MySQL 4.0+?
>** >** >** >** > ** >
>** >** >** >** > ** > I've asked and submitted all sorts of stuff to the list
>** >** >** >** > ** > without ever getting feedback at all.
>** >** >** >** > ** >
>** >** >** >** > ** > I upgraded to 4.0_17 tonite, and was able to confirm a
>** >** >** >** > ** > couple of things.
>** >** >** >** > ** >
>** >** >** >** > ** > 1. They changed the safe_mysqld binary to mysqld_safe
>** >** >** >** > ** > 2. The Grant options seem to be the same via CLI as in
>** >** >** >** > ** > the past, but Webmin fudges them somehow.
>** >** >** >** > **
>** >** >** >** > ** I just installed MySQL 4.0.17 with Webmin 1.130, and it
>** >** >** >** > ** seemed to work OK, after changing the module configuration
>** >** >** >** > ** to run mysqld_safe instead of safe_mysqld.
>** >** >** >** > **
>** >** >** >** > ** What goes wrong with the granting of permissions? Some
>** >** >** >** > ** simple tests worked for me ..
>** >** >** >** > **
>** >** >** >** > ** - Jamie
>** >** >** >** > **
>** >** >** >** > ** -------------------------------------------------------
>** >** >** >** > ** The SF.Net email is sponsored by EclipseCon 2004
>** >** >** >** > ** Premiere Conference on Open Tools Development and
>** >** >** >** > ** Integration
>** >** >** >** > ** See the breadth of Eclipse activity. February 3-5 in
>** >** >** >** > ** Anaheim, CA.
>** >** >** >** > ** http://www.eclipsecon.org/osdn
>** >** >** >** > ** -
>** >** >** >** > ** Forwarded by the Webmin mailing list at
>** >** >** >** > ** web...@li...
>** >** >** >** > ** To remove yourself from this list, go to
>** >** >** >** > ** http://lists.sourceforge.net/lists/listinfo/webadmin-list
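
An added illustration, not part of the thread and not Webmin's or MySQL's code: a simplified Python model of how MySQL combines the `user`, `db` and `host` grant tables when checking database-level access, run over constructed rows for the thread's `testuser` and `sample` database. The client address `10.0.0.5` is made up, and the model assumes Webmin's "from host permissions" choice is stored as a blank `Host` in the `db` table.

```python
from fnmatch import fnmatchcase

# Constructed rows standing in for the mysql.user, mysql.db and mysql.host
# grant tables. Only Select_priv is modelled; other privileges work alike.
USER = [{"Host": "%", "User": "testuser", "Select_priv": "N"}]
DB = [{"Host": "%", "Db": "sample", "User": "testuser", "Select_priv": "Y"}]
HOST = []  # nothing entered in the separate host permissions form


def like(pattern, value):
    """Match with SQL LIKE wildcards (% and _), as the grant tables do."""
    glob = pattern.replace("%", "*").replace("_", "?")
    return fnmatchcase(value.lower(), glob.lower())


def can_select(user, client, database, user_t=USER, db_t=DB, host_t=HOST):
    """Simplified check: row sorting and anonymous accounts are left out."""
    # 1. A 'Y' in the user table is global: it covers every database.
    for u in user_t:
        if u["User"] == user and like(u["Host"], client):
            if u["Select_priv"] == "Y":
                return True
    # 2. Otherwise a db-table row must match this user and database.
    for d in db_t:
        if d["User"] != user or not like(d["Db"], database):
            continue
        if d["Host"] == "":
            # Blank Host (assumed here to be what "from host permissions"
            # stores) defers to the host table; both rows must say 'Y'.
            host_ok = any(like(h["Host"], client) and like(h["Db"], database)
                          and h["Select_priv"] == "Y" for h in host_t)
            return d["Select_priv"] == "Y" and host_ok
        if like(d["Host"], client):
            return d["Select_priv"] == "Y"
    return False


def readable(user, client, databases, **tables):
    """Databases from the list that the user may SELECT from."""
    return [n for n in databases if can_select(user, client, n, **tables)]


if __name__ == "__main__":
    dbs = ["mysql", "sample", "other"]
    print(readable("testuser", "10.0.0.5", dbs))  # db-level grant only
    everywhere = [{"Host": "%", "User": "testuser", "Select_priv": "Y"}]
    print(readable("testuser", "10.0.0.5", dbs, user_t=everywhere))
    deferred = [{"Host": "", "Db": "sample", "User": "testuser", "Select_priv": "Y"}]
    print(readable("testuser", "10.0.0.5", dbs, db_t=deferred))
```

On a live server the same three situations can be told apart by reading the `Host` and privilege columns of `mysql.user` and `mysql.db` for the account in question.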