I accidentally did something a bit stupid and typed this into the mysql console:
mysql> grant all on myDB.* to root#'%' identified by 'root';
... and the db configuration is open to remote logins. Now I need to remove this grant but don't want to accidentally revoke all privileges for my root user and effectively lock myself out of the db as the db admin. What should I do?
First, verify that your root#localhost and/or root#127.0.0.1 users have access.
SHOW GRANTS FOR root#localhost;
SHOW GRANTS FOR root#127.0.0.1;
You should see within the result set a line like GRANT ALL PRIVILEGES ON *.* to... Assuming that entry exists, you can safely remove the grant for root#'%' from the mysql database:
REVOKE all on myDB.* from root#'%';
FLUSH PRIVILEGES;
Assuming you don't want the root#'%' user to exist either:
DROP USER root#'%';
Use:
SHOW GRANTS FOR 'root'#'%';
To see all the permission that root has.
Then, to remove specific permissions:
REVOKE SELECT FROM root#'%'
There's more here.
one thing you can do is to go through mysql.user to remove the offending line only, and flush privileges
Related
MySQL v8
command line and with phpmyadmin
I am logged into mysql as root (FULL Privileges) and I am trying to assign ALL privileges on a specific database to a user.
It gives them all privileges but DOES NOT allow Administration GRANT on the database (See Attached)
This is the same result for direct command line or phpmyadmin
Any ideas please?
Thanks in advance
P
You must GRANT ALL PRIVILEGES ... WITH GRANT OPTION.
That means you grant all the privileges to the target user, as well as the privilege to grant those privileges to others.
Read https://dev.mysql.com/doc/refman/8.0/en/grant.html:
The optional WITH clause is used to enable a user to grant privileges
to other users. The WITH GRANT OPTION clause gives the user the
ability to give to other users any privileges the user has at the
specified privilege level.
To grant the GRANT OPTION privilege to an account without otherwise
changing its privileges, do this:
GRANT USAGE ON *.* TO 'someuser'#'somehost' WITH GRANT OPTION;
This error happened when I granted all privileges to a new root account I just created.
Steps to produce the problem:
CREATE USER 'root'#'localhost';
GRANT ALL PRIVILEGES ON *.* TO 'root'#'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
SHOW GRANTS for 'root'#'localhost';
After "show grants" I got the error "mysql there is no such grant defined for user 'root' on host 'localhost'". There were no errors after executing the first three commands. The new user was created successfully.
How do I solve this problem?
More info:
I'm running MySQL 5.7 on my MacOS laptop(OSX 10.10.5).
There is nothing wrong with your posted code but as guess try with wildcard symbol % like
SHOW GRANTS for 'root'#'%';
(OR)
As an alternative, login with your created user 'root'#'localhost' and just use SHOW GRANTS. See Documentation
I don't think mysql allows you to create another root account. So the create causes an error.
CREATE USER 'root'#'localhost';
ERROR 1396 (HY000): Operation CREATE USER failed for 'root'#'localhost'
You should check for the existing root account in the user table and you'll find the wildcard to be '%' which should mean you do not need to create a localhost root user.
select * from user where user = 'root';
Asking to show grants on root localhost should work, and does work for me.
show grants for 'root'#'localhost';
Step-1:
sudo mysql -u root -p
Step-2:
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'user name'#'localhost';
Ex.-
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'admin'#'localhost';
Step-3:
FLUSH PRIVILEGES;
I think it will work.
Oddly enough it seems my mysql will not allow creating a user with access to a specific database. Using MySQL Workbench:
CREATE USER 'testUser'#'localhost' IDENTIFIED BY 'thepasswordhere';
GRANT ALL PRIVILEGES ON testDatabaseName TO 'testUser'#'localhost' WITH GRANT OPTION;
SHOW GRANTS;
I see nothing mentioning granted privileges for the created user. This explains why I get mysqli::mysqli(): (28000/1045): Access denied for user 'testUser'
What step am I missing?? Update: Even when I mistype the username I still get a success with 0 rows affected: GRANT ALL PRIVILEGES ON testDatabaseName TO 'testkUser'#'%' WITH GRANT OPTION; so I think something's seriously wrong with my local mysql. Any ideas on a fix?
CREATE USER 'testUser'#'localhost' IDENTIFIED BY 'thepasswordhere';
GRANT ALL PRIVILEGES ON testDatabaseName.* TO 'testUser'#'localhost' WITH GRANT OPTION;
SELECT sql_grants FROM common_schema.sql_show_grants;
What changed? I simply added a .* after database name. It's necessary so the user has access to all tables inside the database.
Also for the latest mysql, I believe you need to put user password when using grant.
So do as follows:
CREATE USER 'testUser'#'localhost' IDENTIFIED BY 'thepasswordhere';
GRANT ALL PRIVILEGES ON testDatabaseName.* TO testUser#localhost IDENTIFIED BY 'pass' WITH GRANT OPTION;
FLUSH PRIVILEGES;
SELECT sql_grants FROM common_schema.sql_show_grants;
As mentioned by Michael in the question comments:
SHOW GRANTS FOR 'testUser'#'localhost';... otherwise, SHOW GRANTS;
shows your privileges -- the ones associated with the account that is
currently logged in.
From the control panel of my website I have created a new MySQL(5) database Test and a new user admin with password 123. I have tried assigning privileges to the user admin using:
GRANT ALL PRIVILEGES ON *.* TO 'admin'#'localhost'
or
GRANT ALL PRIVILEGES ON *.* TO 'admin'#'Test'
I keep getting the following error:
#1045 - Access denied for user 'admin'#'%' (using password: YES)
I need the following privileges for the user admin:
CREATE, ALTER, DELETE, INSERT, SELECT, UPDATE, LOCK TABLES
How do I make that in a query from phpMyAdmin?
I guess you are trying to change privileges of 'admin'#''%' being logged in as that user. This is strange.
You can display which user you are logged in as using
SELECT USER();
Then check grants that account already has:
SHOW GRANTS FOR 'admin'#''%';
We came to the conclusion you have
GRANT ALL PRIVILEGES ON `Test`.* TO 'admin'#'%'
That says you already have all privileges on all tables in database Test. You cannot further grant those privileges to other users, though (otherwise there would be WITH GRANT OPTION).
During the installation of MySQL, root user is always created. Use it to grant privileges to other accounts.
More info in manual:
2.10.2. Securing the Initial MySQL Accounts
6.3.2. Adding User Accounts
After run these statements try to execute FLUSH:
FLUSH PRIVILEGES;
From MYSQL Reference Manual :
(...) If you change the grant tables directly but forget to reload them, your changes have no effect until you restart the server. This may leave you wondering why your changes do not seem to make any difference!
To tell the server to reload the grant tables, perform a flush-privileges operation. (...)
Login as a root user then grant all privileges to admin user.
GRANT ALL PRIVILEGES ON `test`.* TO 'admin'#'localhost';
From: http://dev.mysql.com/doc/refman/5.0/en/drop-database.html
...when a database is dropped, user privileges on the database are not automatically dropped.
So the question becomes, how do you revoke all privileges for all users on a MySQL DB? I imagine it's simple, but I'm surprised I haven't been able to find this anywhere.
REVOKE ALL PRIVILEGES ON *.* FROM '<user_name>'#'localhost';
REVOKE ALL PRIVILEGES ON *.* FROM '<user_name>'#'%';
Eg.:
REVOKE ALL PRIVILEGES ON *.* FROM 'jeffrey'#'localhost';
REVOKE ALL PRIVILEGES ON *.* FROM 'jeffrey'#'%';
You can revoke all privileges for a specific user with this syntax:
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ...
FLUSH PRIVILEGES;
which drops all global, database, table, column, and routine privileges for the named user or users
Not sure if there's a way to do this for all users at once, though.
REVOKE ALL PRIVILEGES FROM '%'#'%';
The above could be dangerous as i suppose it will delete all the privileges from all the users including root
Modify it to:
REVOKE ALL PRIVILEGES FROM 'user'#'localhost';
or
REVOKE ALL PRIVILEGES FROM 'user'#'%';
before execute
I suppose you can do:
REVOKE ALL PRIVILEGES FROM '%'#'%';
FLUSH PRIVILEGES;
(Don't modify MySQL tables directly)