Bug #6928 config wizard doesn't completely remove the anonymous user
Submitted: 1 Dec 2004 22:39
Modified: 3 Dec 2004 22:49
Reporter: Harrison Fisk
Status: Closed
Category: MySQL Server: Installing
Severity: S2 (Serious)
Version: 4.1.7
OS: Windows (Windows 2000)
Assigned to: Michael G. Zinner
CPU Architecture: Any

[1 Dec 2004 22:39] Harrison Fisk
Description:
The configuration wizard doesn't completely remove the anonymous user if you leave the box unchecked.  
If you check in mysql.db after the wizard runs you still have ""@% with access to the test database.

This is even more problematic because you can't remove those privileges thru MySQL Administrator since the top user is removed by the Wizard.

This allows anyone to still manipulate the test database which isn't good for security.

How to repeat:
Run configuration wizard through the default settings, leaving the Allow anonymous user box unchecked.

Check mysql.db afterwards, notice it is still there.

Suggested fix:
Remove the anonymous user from mysql.db as well.

[3 Dec 2004 22:49] Michael G. Zinner
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html
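
For installations already configured with the affected wizard, the leftover grant described in the report can be audited and removed by hand. The statements below are an added example, not part of the original report or of the committed fix; they assume a session with write access to the `mysql` schema and the standard `Host`, `Db` and `User` columns of the grant tables.

```sql
-- Added example; run as an account with privileges on the mysql schema.

-- 1. Audit: a row with an empty User is a grant to the anonymous account.
--    On an affected install, mysql.db still lists ''@'%' for the test database
--    even though the matching mysql.user row is gone.
SELECT Host, Db, User FROM mysql.db   WHERE User = '';
SELECT Host, User     FROM mysql.user WHERE User = '';

-- 2. Remediate: remove anonymous rows from both grant tables, so no
--    database-level privilege survives the account removal.
DELETE FROM mysql.db   WHERE User = '';
DELETE FROM mysql.user WHERE User = '';

-- 3. Direct edits to the grant tables are only picked up after a reload.
FLUSH PRIVILEGES;

-- 4. Verify: both counts should now be 0.
SELECT COUNT(*) FROM mysql.db   WHERE User = '';
SELECT COUNT(*) FROM mysql.user WHERE User = '';
```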