Bug #27692 anonymous accounts not created
Submitted: 6 Apr 2007 23:30
Modified: 30 Oct 2007 23:45
Reporter: Giuseppe Maxia
Status: Closed
Category: MySQL Server: Installing
Severity: S3 (Non-critical)
Version: 5.0.37, 5.0.38, 5.1.17
OS: Linux
Assigned to: Jonathan Perkin
Tags: anonymous account, install

[6 Apr 2007 23:30] Giuseppe Maxia
Description:
Until version 5.0.36 and 5.0.15, the installation tools created two anonymous accounts, as described in the manual.

http://dev.mysql.com/doc/refman/5.0/en/default-privileges.html

In the latest versions, these accounts are missing. Check the difference between 5.0.36 and 5.0.38:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.36-enterprise-gpl-log MySQL Enterprise Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select host,user,password from mysql.user;
+-----------+------+----------+
| host      | user | password |
+-----------+------+----------+
| localhost | root |          | 
| hostname% | root |          | 
| 127.0.0.1 | root |          | 
| localhost |      |          | 
| hostname% |      |          | 
+-----------+------+----------+
5 rows in set (0.00 sec)

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.38-enterprise-gpl-log MySQL Enterprise Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select host,user,password from mysql.user;
+-----------+------+----------+
| host      | user | password |
+-----------+------+----------+
| localhost | root |          | 
| hostname  | root |          | 
| 127.0.0.1 | root |          | 
+-----------+------+----------+
3 rows in set (0.00 sec)

How to repeat:
1) install a tar.gz binary package. 
2) Run the mysql_install_db script
3) execute this query:
   select host,user,password from mysql.user;

Alternatively, 
1) cd  $basedir/mysql-test 
2) ./mysql-test-run.pl --start-and-exit alias
3) mysql -S var/tmp/master.sock --user=root --password= \
   -e "select host,user,password from mysql.user"
[30 Jun 2007 22:55] KimSeong Loh
On top of that, the anonymous user is still being created in the mysql.db table without being created in the mysql.user table.

Having the user created in the db table without the corresponding user in the user table can cause some unpredictable problems.
1. the anonymous user ''@'%' cannot be created.
2. all users may have privileges to the test and test\_% databases due to the anonymous user privileges in the db table
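
The grant-table state described in the comment above can be checked directly on an installed server. The queries below are an added example, not part of the original bug report or the MySQL source; they assume the 5.0/5.1 grant-table layout shown on this page, where mysql.user still has a Password column.

```sql
-- Added audit example (not from the bug report).
-- Assumes MySQL 5.0/5.1 grant tables: mysql.user(Host, User, Password, ...)
-- and mysql.db(Host, Db, User, <privilege columns>).

-- 1. Accounts that are anonymous (blank User) or have an empty password.
--    On the installs shown above, every root row appears here too.
SELECT Host,
       User,
       IF(User = '', 'anonymous', 'named') AS account_type,
       IF(Password = '', 'EMPTY', 'set')   AS password_state
FROM mysql.user
WHERE User = '' OR Password = ''
ORDER BY User, Host;

-- 2. Database-level grants held by a blank User. These are the rows
--    that cover the test and test\_% databases in a default install.
SELECT Host, Db,
       Select_priv, Insert_priv, Update_priv, Delete_priv,
       Create_priv, Drop_priv
FROM mysql.db
WHERE User = ''
ORDER BY Db, Host;

-- 3. mysql.db rows that have no row with the same Host and User in
--    mysql.user, i.e. a db-level grant without a matching account.
SELECT d.Host, d.Db, d.User
FROM mysql.db AS d
LEFT JOIN mysql.user AS u
       ON u.Host = d.Host
      AND u.User = d.User
WHERE u.Host IS NULL
ORDER BY d.Db, d.Host;
```

Rows returned by queries 2 and 3 are the defaults that the later commit message suggests removing with mysql_secure_installation.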
[21 Aug 2007 14:50] Jonathan Perkin
Looks to have been removed in ChangeSet 1.2392.22.3, have pinged msvensson regarding the change.
[24 Aug 2007 11:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/33018

ChangeSet@1.2491, 2007-08-24 13:08:50+02:00, jperkin@production.mysql.com +2 -0
  Restore creation of test databases and the anonymous user which
  were accidentally removed during a previous rototill of this
  code.  Fixes bug#27692.
  
  While it can be argued we should strive to provide a 'secure by
  default' installation, this happens to be the setup currently
  documented in the manual as the default, so defer changes that
  improve security out of the box to a co-ordinated effort later
  on.
  
  For now, make a note about the test databases and anonymous user
  in mysql_install_db and recommend that mysql_secure_installation
  be run for users wishing to remove these defaults.
[4 Oct 2007 9:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/34881

ChangeSet@1.2531, 2007-10-04 11:30:30+02:00, jperkin@production.mysql.com +3 -0
  Restore creation of test databases and the anonymous user which
  were accidentally removed during a previous rototill of this
  code.  Fixes bug#27692.
    
  While it can be argued we should strive to provide a 'secure by
  default' installation, this happens to be the setup currently
  documented in the manual as the default, so defer changes that
  improve security out of the box to a co-ordinated effort later
  on.
    
  For now, make a note about the test databases and anonymous user
  in mysql_install_db and recommend that mysql_secure_installation
  be run for users wishing to remove these defaults.
  
  [..re-commit of previously lost change..]
[5 Oct 2007 17:56] Bugs System
Pushed into 5.1.23-beta
[5 Oct 2007 17:59] Bugs System
Pushed into 5.0.52
[30 Oct 2007 23:45] Paul Dubois
Noted in 5.0.52, 5.1.23 changelogs.
[30 Nov 2007 17:57] Joerg Bruehe
The fix for this is also contained in the community release 5.0.51.
[30 Nov 2007 18:15] Paul Dubois
Noted in 5.0.51 changelog.