[Phpmyadmin-devel] rights of the controluser
Rabus
rabus at bugfixes.info
Wed Feb 12 07:20:02 CET 2003
Hi Marc, Garvin & list,
-----Original Message-----
From: Marc Delisle
>
> In main.php3, $dbh is used to look into the mysql.* tables.
> But if no controluser is defined, $dbh will contain
> $userlink, and, for PMA_MYSQL_INT_VERSION >= 32304 we then
> use a SHOW GRANTS to get the information. So with no
> controluser, my non-privileged user sees all his databases in
> the left pane, and he sees the Create database dialog because
> he has a wildcard db CREATE priv.
>
> So maybe we should rephrase in the doc, to talk about the
> MySQL version where the controluser really needs privs on the
> mysql db.
>
I am glad to see that you have so much trust in my SHOW GRANTS patch,
but it has its limitations:
The problem is that, in order to use SHOW GRANTS, we have to guess the
user's hostname as it appears in the user profile.
For example, you create a user 'foo'@'192.168.0.%' and log on as
'foo'@'192.168.0.123'.
In this case, phpMyAdmin sends these queries:
SHOW GRANTS FOR 'foo'@'192.168.0.123';
SHOW GRANTS FOR 'foo'@'%';
Both queries fail and MySQL would say that the user does not exist.
The SHOW GRANTS patch only works for users like 'user'@'host' or
'user'@'%' which are the most common ways to define users.
Regards,
Alexander M. Turek
<alex at bugfixes.info>
+-----------------------------+
| The phpMyAdmin Project |
| http://www.phpmyadmin.net |
| rabus at users.sourceforge.net |
+-----------------------------+
| [bugfixes.info] |
| http://www.bugfixes.info |
| rabus at bugfixes.info |
+-----------------------------+
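
The hostname-guessing limitation described in the message above, as an added example that is not part of the original post and is not phpMyAdmin code. It compares the account the server would accept at login (host pattern match) with the two account names tried via SHOW GRANTS. The function names and sample accounts are constructed, and host matching is simplified to the % and _ wildcards.

```python
import re

# Constructed sample of accounts as the server stores them: (user, host pattern).
SAMPLE_ACCOUNTS = {
    ("foo", "192.168.0.%"),
    ("bar", "%"),
    ("baz", "db1.example.test"),
}

def host_pattern_matches(pattern, client_host):
    """MySQL-style host match: '%' is any run of characters, '_' is one character.
    Simplification: netmask notation and name resolution are not modelled."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, client_host, re.IGNORECASE) is not None

def guessed_accounts(user, client_host):
    """The two account names the message says are tried with SHOW GRANTS."""
    return [(user, client_host), (user, "%")]

def analyse(accounts, user, client_host):
    """Compare what the server accepts at login with what the guesses can find."""
    server_match = sorted(
        a for a in accounts
        if a[0] == user and host_pattern_matches(a[1], client_host)
    )
    # SHOW GRANTS FOR needs the account name exactly as defined, so a guess
    # only succeeds when it is literally one of the stored accounts.
    hits = [a for a in guessed_accounts(user, client_host) if a in accounts]
    return {
        "server_match": server_match,
        "show_grants_hits": hits,
        "undetected": bool(server_match) and not hits,
    }

if __name__ == "__main__":
    for user, host in [("foo", "192.168.0.123"), ("bar", "10.0.0.5"),
                       ("baz", "db1.example.test")]:
        print(user, host, analyse(SAMPLE_ACCOUNTS, user, host))
```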