Bug #36447 | Administrator allows Full Access to the Startup Variables for any User | ||
---|---|---|---|
Submitted: | 1 May 2008 8:34 | Modified: | 4 Jun 2008 12:36 |
Reporter: | Steffen Hösel | Email Updates: | |
Status: | No Feedback | Impact on me: | |
Category: | MySQL Administrator: Docs | Severity: | S2 (Serious) |
Version: | 1.2.12 | OS: | Windows (XP or Vista) |
Assigned to: | | CPU Architecture: | Any |
[1 May 2008 8:34]
Steffen Hösel
[1 May 2008 11:54]
Sveta Smirnova
Thank you for the report. According to http://dev.mysql.com/doc/administrator/en/mysql-administrator-service-control-configure-se... you would be able to edit the configuration file if you run MySQL Administrator as a Windows user who has access to the configuration file. But this is not very clear from this page. So I reclassify this report to documentation.
[4 May 2008 12:36]
Stefan Hinz
The bug report mixes up a number of loosely related things:

- Generally, user authentication is done on the MySQL server. That is, if there's a user account *on the server* that has administrative privileges, and you're connecting with that account from MySQL Administrator to the server, you can naturally do all the things that that server administrator is able to do (including shutting down the server if that administrator has the SHUTDOWN privilege). This is neither a flaw in MySQL Administrator nor in MySQL Server, and is thoroughly explained in the DBA chapter of the MySQL Manual.
- Changing the server's option file (my.cnf or my.ini) can only be done on a local machine, that is, the machine that MySQL Administrator runs on. This is explained in the MySQL Administrator manual.
- Changing the option file can only be done if the (operating system) user has file privileges for that file. This is explained in the DBA chapter of the MySQL Manual.
- @ bug verifier: The last item is not a question of the operating system that MySQL Server runs on. Under Unix, my.cnf is often located in /etc/ which is normally writable only for the Unix root user. On Windows, MySQL is often installed using a non-privileged account which, in effect, results in everything in the installation directory (including my.ini) being writable for any user on that computer. The Installing & Upgrading chapter of the MySQL Manual explains that this shouldn't be done, but if the advice isn't followed there's no way for MySQL to keep anyone (including anyone who runs MySQL Administrator on that computer) from changing my.ini.

To conclude, I don't see a need to add anything to the MySQL documentation (MySQL Reference Manual or MySQL Administrator manual). If you think otherwise, please explain *exactly* what should be added, and where, to make things more clear.
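
The comment above comes down to operating-system file privileges on the option file. The following audit of those privileges on a Unix host is an added example, not part of the original bug report or of any MySQL tool. The function name `option_file_findings` and its `trusted_uids` and `stop_at` parameters are hypothetical; Windows ACLs on my.ini are not covered.

```python
import os
import stat
import sys


def option_file_findings(path, trusted_uids=(0,), stop_at="/"):
    """List reasons a local user outside trusted_uids could change `path`.

    Walks from the file up to `stop_at`, because write access to any
    ancestor directory allows the file to be renamed or replaced even
    when the file itself is read-only.
    """
    findings = []
    current = os.path.realpath(path)
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.stat(current)
        kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
        if st.st_uid not in trusted_uids:
            findings.append(f"{kind} {current}: owned by untrusted uid {st.st_uid}")
        if st.st_mode & stat.S_IWGRP:
            findings.append(f"{kind} {current}: group-writable (gid {st.st_gid})")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{kind} {current}: world-writable")
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Default target is the Unix location named in the comment above.
    for target in sys.argv[1:] or ["/etc/my.cnf"]:
        try:
            problems = option_file_findings(target)
        except FileNotFoundError:
            print(f"{target}: not found")
            continue
        print(f"{target}: {'OK' if not problems else 'writable by non-admins'}")
        for line in problems:
            print("  " + line)
```
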
[4 Jun 2008 23:00]
Bugs System
No feedback was provided for this bug for over a month, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".