Bug #43290 Remove the mysql anonymous user
Submitted: 1 Mar 2009 16:18
Modified: 1 Mar 2009 17:20
Reporter: Morgan Tocker
Status: Verified
Category: MySQL Server: General
Severity: S3 (Non-critical)
Version: 6.0+
OS: Any
Assigned to:
CPU Architecture: Any

[1 Mar 2009 16:18] Morgan Tocker
Description:
In authenticating a user connecting to the server, there is a chance that they may match the "anonymous user" before matching their own user.

I'm requesting that this functionality be disabled in an upcoming release - since it causes more headaches for users than problems it solves.

How to repeat:
mysql> SELECT USER(), CURRENT_USER();
+-----------------+----------------+
| USER()          | CURRENT_USER() |
+-----------------+----------------+
| user1@localhost | @localhost     | 
+-----------------+----------------+

Note the empty current user.
See also: http://dev.mysql.com/doc/refman/5.1/en/account-activity-auditing.html

Suggested fix:
I don't want this fixed via an SQL mode preventing creation of an empty user.  I think it's more important for forward compatibility that the empty rows can still be present in the table, but are ignored.

This change in behavior should be enabled by default (incompatible change) unless a server option (such as --i-want-it-oldskool) is enabled at startup.
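
Added example (not part of the original report or of MySQL's code): a simplified Python model of the server's documented account matching, where rows are sorted most-specific Host first and the first match wins, reproducing the USER()/CURRENT_USER() output above. The account list, the assumption that user1 was created as 'user1'@'%', and the `skip_anonymous` switch (which models the suggested fix of ignoring empty-user rows) are constructed for illustration; password checks are omitted.

```python
import re

# Constructed sample of mysql.user rows as (User, Host); not taken from the report.
ACCOUNTS = [
    ("user1", "%"),
    ("", "localhost"),      # the anonymous user
    ("root", "localhost"),
]

def host_rank(host):
    """Lower rank = more specific Host. Simplified model of the documented sort order."""
    if host == "":
        return 3            # blank host sorts after '%'
    if host == "%":
        return 2            # any host
    if "%" in host or "_" in host:
        return 1            # pattern with wildcards
    return 0                # literal host name or IP address

def sort_accounts(accounts):
    # Most specific Host first; within one Host, named users before the blank user.
    return sorted(accounts, key=lambda a: (host_rank(a[1]), a[0] == ""))

def host_matches(pattern, client_host):
    """Match a Host column value (SQL LIKE-style wildcards) against the client host."""
    if pattern == "":
        return True
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, client_host, re.IGNORECASE) is not None

def authenticate_as(accounts, user, client_host, skip_anonymous=False):
    """Return (USER(), CURRENT_USER()) for the first matching row, or None."""
    for acc_user, acc_host in sort_accounts(accounts):
        if skip_anonymous and acc_user == "":
            continue        # models the suggested fix: row kept in the table, ignored
        if host_matches(acc_host, client_host) and acc_user in ("", user):
            return f"{user}@{client_host}", f"{acc_user}@{acc_host}"
    return None

def anonymous_accounts(accounts):
    """Audit helper: list rows with an empty User column."""
    return [(u, h) for u, h in accounts if u == ""]

if __name__ == "__main__":
    print(authenticate_as(ACCOUNTS, "user1", "localhost"))
    print(authenticate_as(ACCOUNTS, "user1", "localhost", skip_anonymous=True))
    print(anonymous_accounts(ACCOUNTS))
```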

[1 Mar 2009 17:20] Valeriy Kravchuk
Thank you for the reasonable feature request.

[8 Oct 2014 1:04] Morgan Tocker
This FR can be closed (5.7 sufficiently solves this).