[dev] Fwd: Horde webmail: mysql access

Jan Schneider jan at horde.org
Tue Apr 27 02:08:51 PDT 2004


Quoting Marko Djukic <mdjukic at horde.org>:

>> By default, you can access these database servers with the username "horde"
>> and with no password, from a remote host.
>
> This is correct if the following are true:
> a) MySQL is configured (my.cnf) to listen on an external IP;
> b) At least one Horde SQL script was run which contained a line similar to:
>    GRANT SELECT, INSERT, UPDATE, DELETE ON scry_choices TO horde;
> If MySQL does not get a 'TO horde@somehost;' instruction it will create a
> default 'horde' user in the mysql.users table with a blank password and '%'
> (any remote host) permission. This remote horde user will have
> read/write/delete permissions to most of the apps' tables.

AFAIK, only the USAGE permission gets granted for the horde user from all
hosts.

> Doing the following would be the correct way for MySQL, limiting connections
> to localhost for the existing horde user and not creating a new horde user in
> mysql.users:
>    GRANT SELECT, INSERT, UPDATE, DELETE ON scry_choices TO horde@localhost;
>
> So admins setting up SQL tables using MySQL, should either not have MySQL
> listening on an external IP (in my.cnf: 'bind-address = 127.0.0.1') or make
> sure there's *always* an '@localhost' instruction in any GRANT statement in
> any SQL script that is run.

At least for the mysql_create.sql script, this has been fixed in Horde
2.1-RC2 over two years ago. I didn't check all scripts though, and at least
category_mysql.sql in RELENG_2 has no host postfix in the GRANT statement.

Jan.

--
http://www.horde.org - The Horde Project
http://www.ammma.de - New ways of learning
http://www.tip4all.de - Your private betting pool
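
Added example, not part of the original message or of the Horde code base: a small audit that scans SQL setup scripts for GRANT statements whose grantee has no host part (MySQL treats a bare user name as user@'%') or an explicit wildcard host. The sample script is constructed from the statements quoted in the thread; the function name and regexes are assumptions of this sketch, which reads plain MySQL GRANT syntax only.

```python
import re

# One GRANT statement: privileges and object, then the grantee list up to ';'.
GRANT_RE = re.compile(r"\bGRANT\b.*?\bTO\b(.*?);", re.IGNORECASE | re.DOTALL)
# A grantee is user[@host]; either part may be quoted with ', " or `.
GRANTEE_RE = re.compile(
    r"""\s*(['"`]?)(?P<user>[^'"`@\s]+)\1\s*(?:@\s*(['"`]?)(?P<host>[^'"`\s]*)\3)?""")
# Password literals may contain commas, so drop them before splitting grantees.
IDENTIFIED_RE = re.compile(r"\bIDENTIFIED\s+BY\s+(?:PASSWORD\s+)?'[^']*'", re.IGNORECASE)
# Whole-line comments starting with -- or #.
COMMENT_RE = re.compile(r"(?m)^\s*(?:--|#).*$")

def audit_grants(sql):
    """Return (user, host, problem) for each grantee not pinned to one host."""
    findings = []
    for stmt in GRANT_RE.finditer(COMMENT_RE.sub("", sql)):
        grantees = IDENTIFIED_RE.sub("", stmt.group(1))
        for part in grantees.split(","):
            g = GRANTEE_RE.match(part)
            if not g:
                continue
            user, host = g.group("user"), g.group("host")
            if host is None:
                # Bare user name: MySQL stores it with host '%'.
                findings.append((user, None, "no host part"))
            elif host == "" or "%" in host:
                findings.append((user, host, "wildcard host"))
    return findings

# Constructed sample script, built from the statements quoted in the thread.
SAMPLE = """
-- constructed sample, not a real Horde script
GRANT SELECT, INSERT, UPDATE, DELETE ON scry_choices TO horde;
GRANT SELECT, INSERT, UPDATE, DELETE ON scry_choices TO horde@localhost;
GRANT SELECT ON scry_choices TO 'horde'@'%' IDENTIFIED BY 'a,b';
"""

if __name__ == "__main__":
    for user, host, problem in audit_grants(SAMPLE):
        print(f"{user}@{host or '<none>'}: {problem}")
```

Running it over every *.sql file of an installation shows which scripts still need the '@localhost' suffix; existing accounts can then be compared against the Host column of the MySQL grant tables.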

