Bug #48286 prompt \h doesn't offer @@global.hostname
Submitted: 25 Oct 2009 7:58
Modified: 19 Feb 2010 13:44
Reporter: Kevin Benton
Status: Verified
Category: MySQL Server: Command-line Clients
Severity: S4 (Feature request)
Version: All
OS: Any
Assigned to:
CPU Architecture: Any

[25 Oct 2009 7:58] Kevin Benton
Description:
mysql prompt \h or \H should offer to display @@global.hostname rather than the hostname determined by the client at start-up.  This would allow users to tunnel to remote hosts and see that remote host name as part of the prompt.  This would reduce the likelihood of issuing statements inappropriate on the wrong host.

How to repeat:
ssh to some host, then mysql -S ... or mysql -h 127.0.0.1 ... (same idea for Windows as well). Set your prompt to include the host name (\h) and see it reports only "localhost" in that part of the prompt. This is useless.

Suggested fix:
Use the global variable hostname to fill the prompt string when it changes.
[17 Dec 2009 13:18] Susanne Ebrecht
\h already is used for "help".

Listing global host names is a security risk. The user needs to have privileges for it.

Users who aren't allowed to select from schema mysql should not be able to see the host names.

For getting the hostname you just need to execute either

SHOW GRANTS;

or

SELECT user();

Additionally, users from other RDBMS are already familiar with \H for HTML query output. So if we ever implement \H, then it is more familiar to users to use this also for HTML query output.
[5 Jan 2010 16:29] Kevin Benton
Susanne,

Please see example below...  Maybe I'm a little dense, but I don't see how to keep users from being able to see @@hostname so I don't see a reason why letting them set it specifically in the PROMPT command creates more of a security risk than what is already exposed.

mysql me@localhost:mysql> grant usage on test.* to 'foo'@'%';
Query OK, 0 rows affected (0.01 sec)

mysql me@localhost:mysql>
zsh: suspended  mysql
% mysql -u foo test -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 45
Server version: 5.1.30-enterprise-gpl-advanced-log MySQL Enterprise Server - Advanced Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql foo@localhost:test> select @@hostname;
+-----------------------------+
| @@hostname                  |
+-----------------------------+
| nightcrawler.ecom.sears.com |
+-----------------------------+
1 row in set (0.00 sec)

mysql foo@localhost:test> show grants;
+---------------------------------+
| Grants for foo@%                |
+---------------------------------+
| GRANT USAGE ON *.* TO 'foo'@'%' |
+---------------------------------+
1 row in set (0.00 sec)

mysql foo@localhost:test> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
2 rows in set (0.00 sec)

mysql foo@localhost:test>
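
A client-side workaround for the request in this report, as an added example that is not part of the original comments or of MySQL's code: it reads @@hostname over the same connection options (the session above shows an account with only USAGE can select it) and passes the result to the client's --prompt option. The function names and the UNKNOWN-SERVER fallback are assumptions made for this example.

```shell
#!/bin/sh
# Added example: put the server's @@hostname into the mysql client prompt.

# Ask the server for @@hostname using the caller's connection options.
# -N drops the column header, -B gives plain batch output.
server_hostname() {
    mysql "$@" -N -B -e 'SELECT @@hostname' 2>/dev/null | head -n 1
}

# The value is supplied by the remote server, so treat it as untrusted:
# keep only characters that can appear in a host name. This also removes
# backslashes, which the mysql prompt would read as escape sequences.
sanitize_hostname() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._-'
}

# Build the prompt string. \u and \d are standard mysql prompt escapes
# for the user name and the default database.
build_prompt() {
    host=$(sanitize_hostname "$(server_hostname "$@")")
    # If the lookup fails, show a visible marker instead of "localhost".
    [ -n "$host" ] || host='UNKNOWN-SERVER'
    printf '%s' "\\u@${host}:\\d> "
}

# Hypothetical wrapper: start an interactive session with that prompt.
# Example: mysql_remote -h 127.0.0.1 -u foo test
mysql_remote() {
    mysql --prompt="$(build_prompt "$@")" "$@"
}
```

The wrapper connects twice, so an option such as -p asks for the password twice. The prompt is fixed at start-up and does not follow a later reconnect to a different server.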
[5 Jan 2010 16:31] Kevin Benton
See previous comment.
[19 Feb 2010 13:44] Susanne Ebrecht
Ahh sorry, I misunderstood you.

Many thanks for writing a feature request.