Bug #3309 | Netmask matching for 'Host' doesn't work. | ||
---|---|---|---|
Submitted: | 26 Mar 2004 17:59 | Modified: | 7 Mar 2005 19:10 |
Reporter: | Joe Rhett | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server | Severity: | S2 (Serious) |
Version: | 3.23, 4.0 and up | OS: | Any (any) |
Assigned to: | Jim Winstead | CPU Architecture: | Any |
[26 Mar 2004 17:59]
Joe Rhett
[26 Mar 2004 18:03]
Joe Rhett
FYI, using a % wildcard works perfectly fine:

```
mysql> grant select,insert,update,delete on Test.Testy to mysql@'205.217.158.%' identified by 'removed';
Query OK, 0 rows affected (0.00 sec)

$ mysql --host=testdb.isite.net --user=myself --password=removed EMail
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 310 to server version: 4.0.16

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> quit
Bye
```
[30 Mar 2004 6:22]
Alexander Keremidarski
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.mysql.com/documentation/ and the instructions on how to report a bug at http://bugs.mysql.com/how-to-report.php

Additional info:

user@hostname syntax in MySQL was never intended to support network masks, and if you check the manual you will see nothing there implies support of any kind of netmasks or hostmasks. The only (very limited) way to specify a range of names or IP addresses is to use wildcards, as you already know.

'205.217.156.0/255.255.252.0' is treated as a string, and such a string makes no sense as an IP address nor as a fully qualified domain name.
[30 Mar 2004 8:57]
Dean Ellis
As we do mention support for this: http://www.mysql.com/doc/en/Connection_access.html we do need to re-test this.
[30 Mar 2004 9:26]
Alexander Keremidarski
Sorry Joe, my reply is wrong. The manual clearly states this is supported. As Dean says, we need to test it more and see if it is a bug in the source or a documentation problem. Thanks for pointing this out to us!
[31 Mar 2004 10:48]
Joe Rhett
Um, yeah. I got the idea from your documentation. Actually, I originally got the idea from the 'MySQL' red book, which claimed that CIDR style netmasks (/22) were possible. But when that didn't work and I couldn't find such a claim in the documentation, I switched to what your documentation did mention -- the spelled out netmasks.
[31 Mar 2004 15:54]
Dean Ellis
```
mysql> grant select,insert,update,delete on Test.Testy ....
```

This grants access to database Test, table Testy.

```
ERROR 1044: Access denied for user: 'myself@205.217.156.0/255.255.252.0' to database 'Testy'
```

This shows that you have been resolved to the correct login, and do not have access to database Testy. Noting that you granted access on database Test, not Testy, I think this is not a bug. Please update us if you correct this and still encounter difficulties.
[31 Mar 2004 16:23]
Paul DuBois
Just an additional note. The red book did indeed discuss the use of CIDR netmasks, because that was the original syntax. After the book was published, the syntax was changed. See the entry for page 457 here: http://www.kitebird.com/cgi-perl/errata.pl?book=mysql-00-4
[31 Mar 2004 19:24]
Joe Rhett
What you saw was a bit of bad editing on my part. The real database and table names were changed to protect the not-so-innocent. Did you actually try to replicate the bug, or did you just look at my syntax? Please try and replicate the bug.
[31 Mar 2004 19:26]
Joe Rhett
You'll also see another bit of bad editing -- user 'mysql' instead of 'myself'. Just another mistype. It's not in the original problem. I'd be happy to send you the original sessions in any forum which isn't public.
[15 Feb 2005 12:23]
MySQL Verification Team
I reopened this bug report, here is some more info:

```
C:\MySQL\MySQL4_1_9\bin>mysql -h195.225.130.68 -uvita -pvitapassword vita
ERROR 1044 (42000): Access denied for user 'vita'@'195.225.130.0/255.255.255.0' to database 'vita'

C:\MySQL\MySQL4_1_9\bin>mysql -h195.225.130.68 -uvita -pvitapassword
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3 to server version: 4.1.9-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select current_user();
+----------------------------------+
| current_user()                   |
+----------------------------------+
| vita@195.225.130.0/255.255.255.0 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> show grants for 'vita'@'195.225.130.0/255.255.255.0';
+-------------------------------------------------------------------------------------------------------------------------------+
| Grants for vita@195.225.130.0/255.255.255.0                                                                                   |
+-------------------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'vita'@'195.225.130.0/255.255.255.0' IDENTIFIED BY PASSWORD '*272422A9CF8DBCAAEE6F224C0E9EBA809D43FFC3' |
| GRANT SELECT ON `vita`.`t1` TO 'vita'@'195.225.130.0/255.255.255.0'                                                           |
+-------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> select * from vita.t1;
ERROR 1142 (42000): SELECT command denied to user 'vita'@'195.225.130.68' for table 't1'
```
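The host matching this thread is about, as an added example (not part of the bug report and not MySQL's source code): a small Python model of the rule that a `base/netmask` Host value matches when `client_ip & netmask == base`, next to `%` wildcard matching, plus an audit of how wide such an entry is. The function names are hypothetical, the client addresses other than 195.225.130.68 are constructed, and treating only the spelled-out netmask form as a netmask is an assumption taken from the syntax discussed in this thread.

```python
import ipaddress
import re

# Only the spelled-out form base/netmask is parsed as a netmask here (assumption
# from the thread); anything else, CIDR "/22" included, is compared as a pattern.
_NETMASK = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)$")


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _like_regex(pattern):
    # SQL LIKE wildcards: % is any run of characters, _ is exactly one.
    parts = [".*" if c == "%" else "." if c == "_" else re.escape(c)
             for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def host_matches(host_value, client_ip):
    """True if client_ip (dotted IPv4) matches an account's Host value."""
    m = _NETMASK.match(host_value)
    if m:
        base, mask = _to_int(m.group(1)), _to_int(m.group(2))
        return (_to_int(client_ip) & mask) == base
    return bool(_like_regex(host_value).match(client_ip))


def audit_netmask(host_value):
    """How wide a base/netmask entry is, and whether it can match at all."""
    m = _NETMASK.match(host_value)
    if not m:
        return None
    base, mask = _to_int(m.group(1)), _to_int(m.group(2))
    return {
        "addresses": 2 ** (32 - bin(mask).count("1")),
        # Host bits set in the base mean (ip & mask) can never equal it.
        "satisfiable": (base & mask) == base,
    }


if __name__ == "__main__":
    entry = "205.217.156.0/255.255.252.0"           # Host value from the report
    for ip in ("205.217.158.10", "205.217.160.1"):  # constructed client addresses
        print(ip, host_matches(entry, ip))
    print(audit_netmask(entry))
    print(audit_netmask("205.217.158.0/255.255.252.0"))  # constructed: bad base
```

The audit is the part worth running over real account lists: a netmask entry whose base has bits outside the mask matches no client, and a short mask silently covers far more addresses than a `%` on the last octet.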
[3 Mar 2005 21:20]
Jim Winstead
Pushed, will be in 4.1.11 and 5.0.3.
[4 Mar 2005 1:42]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/internals/22640
[7 Mar 2005 19:10]
Paul DuBois
Noted in 4.1.11, 5.0.3 changelogs.