[dev] Fwd: Horde webmail: mysql access

Marko Djukic mdjukic at horde.org
Mon Apr 26 21:04:26 PDT 2004


> By default, You can access to these database servers, with the username: "horde"
> and with no password, from a remote host.

This is correct if the following are true:
a) MySQL is configured (my.cnf) to listen on an external IP;
b) At least one Horde SQL script was run which contained a line similar to:
   GRANT SELECT, INSERT, UPDATE, DELETE ON scry_choices TO horde;
If MySQL does not get a 'TO horde@somehost;' instruction it will create a
default 'horde' user in the mysql.users table with a blank password and '%'
(any remote host) permission. This remote horde user will have
read/write/delete permissions to most of the apps' tables.
Doing the following would be the correct way for MySQL, limiting connections to
localhost for the existing horde user and not creating a new horde user in
mysql.users:
   GRANT SELECT, INSERT, UPDATE, DELETE ON scry_choices TO horde@localhost;

So admins setting up SQL tables using MySQL should either not have MySQL
listening on an external IP (in my.cnf: 'bind-address = 127.0.0.1') or make
sure there's *always* an '@localhost' instruction in any GRANT statement in any
SQL script that is run.



--
Marko Djukic
Horde Project (http://horde.org)
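
Added example (not part of the original message and not Horde's own code): a Python check that scans SQL setup scripts for GRANT statements whose grantee has no '@host' part or a '%' host, the condition described in the message above. The function name `audit_grants` and the sample script are constructed for illustration; the parsing is a heuristic for common GRANT forms, not a full SQL parser.

```python
import re

# SQL line comments; newlines are kept so reported line numbers stay correct.
COMMENT_RE = re.compile(r"(?:--|#).*$", re.M)
# One GRANT statement up to its semicolon (may span several lines).
GRANT_RE = re.compile(r"\bGRANT\b[^;]*?\bTO\b(?P<grantees>[^;]*);", re.I)
# Per-account password clause, removed before splitting the grantee list.
PASSWORD_RE = re.compile(r"\bIDENTIFIED\s+BY\s+(?:PASSWORD\s+)?'[^']*'", re.I)
# Clauses that follow the whole grantee list.
TRAILER_RE = re.compile(r"\b(REQUIRE|WITH)\b.*", re.I | re.S)
# user or user@host, with optional quotes around either part.
ACCOUNT_RE = re.compile(
    r"""^['"`]?(?P<user>[^'"`@\s]+)['"`]?"""
    r"""(?:\s*@\s*['"`]?(?P<host>[^'"`\s]*)['"`]?)?$"""
)

def audit_grants(sql):
    """Return (line_no, account, problem) for each risky grantee in sql."""
    sql = COMMENT_RE.sub("", sql)
    findings = []
    for m in GRANT_RE.finditer(sql):
        line_no = sql.count("\n", 0, m.start()) + 1
        grantees = TRAILER_RE.sub("", PASSWORD_RE.sub("", m.group("grantees")))
        for raw in grantees.split(","):
            acct = ACCOUNT_RE.match(raw.strip())
            if acct is None:
                findings.append((line_no, raw.strip(), "unparsed"))
            elif acct.group("host") is None:
                # No '@host': MySQL treats the account as user@'%'.
                findings.append((line_no, acct.group("user"), "no-host"))
            elif acct.group("host") == "" or "%" in acct.group("host"):
                name = f"{acct.group('user')}@{acct.group('host')}"
                findings.append((line_no, name, "wildcard-host"))
    return findings

# Constructed sample; the first two statements are the ones quoted in the message.
SAMPLE = """\
-- constructed sample script
GRANT SELECT, INSERT, UPDATE, DELETE ON scry_choices TO horde;
GRANT SELECT, INSERT, UPDATE, DELETE ON scry_choices TO horde@localhost;
GRANT SELECT ON example_table
    TO 'horde'@'%' IDENTIFIED BY 'placeholder', reports@'127.0.0.1';
"""

if __name__ == "__main__":
    for line_no, account, problem in audit_grants(SAMPLE):
        print(f"line {line_no}: {account}: {problem}")
```
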

