Disable access for database - mysql

I created a MySQL server. Now the user login has access to all databases. I want this user not to have access (so can't do anything) to 3 databases:
information_schema
mysql
phpmyadmin
So the user can use all databases except these 3. How can I get this done?

A brief version of how to do this (which is mostly explained in the link I posted above):
You need to REVOKE that user's GLOBAL privileges - this is because MySQL's privilege system is top-down. If they have a GLOBAL privilege to SELECT then that applies to all of your databases
You then need to GRANT the correct privileges on the ones it does need access to (you can use wildcards for this)
It's important to note that MySQL does not have any concept of a "DENY" privilege.

Related

How can I restrict a certain user to one table in a MySQL database

My database is a standard MySQL database provided to me by my web hosting company.
I have tried to issue this GRANT command that grants SELECT, INSERT, and UPDATE privileges to the specified user on the specific table.
GRANT select, insert, update ON database.table TO RestrictedUser
For some reason, this is kicking back this error.
#1142 - GRANT command denied to user 'adminuser'#'localhost' for table 'tablename'
I am using PHPMyAdmin that my hosting company provides so I should have full admin privs correct?
Note- I've edited out the actual table names for security purposes.
You probably don't have GRANT privilege if you're working in a shared multitenant MySQL database. Your next move is to open a support ticket with your hosting company asking them how to do what you're trying to do.
Don't be too surprised if they say, "we don't allow that." Running large-scale multitenant MySQL instances is a risky business, and restricting the privileges of user accounts is one way hosting companies, especially the inexpensive ones, mitigate that risk.

MySQL Restrict user to register only one database

I am Stuck at a point where Requirement is :
I have created new user in mysql with insert,delete,update,select & create permission now i want if someone register database with this new user he should only able to register only one DATABASE from my list of databases ....
Restrict new user to register only one Database .... from my db list....
Thanks
Are you asking how you do this via script? In MySQL Admin you can grant rights by Database/Schema and a user can only connect to the database he has at least the right to SELECT.
If you want to do it without GUI you can do it by command line. From the docs (http://dev.mysql.com/doc/refman/5.1/en/grant.html):
GRANT SELECT, INSERT ON mydb.* TO 'someuser'#'somehost';
The command above grants SELECT and INSERT on the database "mydb" for the user "someuser" that tries to connect from "somehost" for all tables contained in the database. Of course you can set rights in more Detail, for single tables for example or to grant the right to connect from any host.
Or are you looking for a way to do this via phpmyadmin? Also there you can grant rights by database or overall but as I experienced you have to look closely sine do not see this right away and sometimes set the rights for all databases by accident.
Probably the best way is to take away all rights and then start from scratch so you do not miss to remove any (works for MySQL 4.1.2 and newer)
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user
REVOKE INSERT ON SOMEDB.* FROM 'username'#'USER_IP';

MySQL Root User

I was trying to create a very simple MySQL event and realized the action was not running. I then realized that the user I was using did not have super privileges (or any other event-related privileges). I tried granting all privileges to this user via phpMyAdmin but that wasn't working (makes since because I was logged in as that user and not the root user). In fact, I'm not sure if my account has a root user. How do I find out who the root user is (username and password)?
I'm using a hosting provider that has cpanel and when I look at a list of my mysql users I only see the ones I created. Is there a way I can find out via phpMyAdmin if I'm logged in as another user?
Also, whenever I create a user in cpanel, I always select the checkbox to grant "all privileges" but I found out just now that super priviledge and a few other privileges are not on the list. As far as I can tell, I won't be able to create any mysql events since I can't grant super privileges to any of my users.
Addition:
When assigning a user to a database, the only privileges I can select from are
ALTER
ALTER ROUTINE
CREATE
CREATE ROUTINE
CREATE TEMPORARY TABLES
CREATE VIEW
DELETE
DROP
EXECUTE
INDEX
INSERT
LOCK TABLES
REFERENCES
SELECT
SHOW VIEW
TRIGGER
UPDATE
From what everyone is saying in their answers it looks like I'm using a shared database, the event schedule is either turned off and/or I am not allowed to grant users privileges dealing with events. Kind of sucks..
But for now I will use cron jobs.
Rule of thumb: Your application never, ever needs superuser privileges.
Not even to use the event system.
The only thing you need SUPER for in this instance is to enable or disable the scheduler (which is a server-wide setting). If you're on a shared database host, it will be up to the provider whether or not the scheduler is enabled, and whether you've been granted the EVENT privilege on your database(s).
If you're not on a shared host, check your my.ini for the event-scheduler line and make sure it's enabled. Then, make sure you've granted EVENT to your application userid. The EVENT privilege should be granted if you've used GRANT ALL PRIVILEGES on the database (as opposed to on individual tables).
You'll need to contact your hosting provider and ask for event-related privileges for your account. They most likely store all their user databases under the same MySQL server, so for obvious security reasons root access can't be granted.
select user() would tell you the login that the query's executing under.
However, you should NOT grant 'super user' privileges to any code that handles DB operations for public-facing code. For proper security, public-facing DB code SHOULD have the minimum privileges required to get the job done. Usually that would update/insert/delete/select only.
Granting things like drop/alter/create/grant/etc... is just asking for trouble.
I was trying to create a very simple MySQL event and realized the action was not running. I then realized that the user I was using did not have super privileges
While reading this you might first implement better checking and handling for exceptions since this should release some error in your system for sure. This is a complex task requiring extensive handling of errors to see whether this goes right otherwise you will likely find yourself searching for a bug in this part for hours.

how to prevent mysql user from showing all databases

0.82sp1 running and i've noticed that every user can see all databases by invoking show databases; command. Even if i revoke all privileges for given user. Is there some setting that allows showing databases by default? How can i stop this.
DISCLAIMER: Stolen from ajreal comment
From dev.mysql:
If the server was started with the --skip-show-database option, you
cannot use this statement (SHOW DATABASES) at all unless you have the SHOW DATABASES
privilege.

MySQL can't see database

GRANT SELECT ON source_starcraft.udb_ability TO `wade`#`localhost'
When I login with wade via PHPMyAdmin I can't see the database source_starcraft. I've only executed this query and created the user prior to this query.
Here something that helped me a lot. Actually I was working with MySQL Workbench.
http://bobfield.blogspot.it/2006/10/i-cant-see-my-databases.html
Briefly, it says that if MySQL has an <anonymous> account, and you fail logging in with your user, you end up logged in as the anonymous user, without notice. To find out this you can do:
SELECT user(), current_user();
Here's why:
One important thing to note is that SELECT USER(); shows you your
current username and host. Another command, SELECT CURRENT_USER();
shows what you're authenticated as.
Indeed, in my case, user() was mylogin#localhost, current_user() was #localhost (the anon user).
If the user you logged into phpMyAdmin with does have the correct permissions to view the database, but you still can't see it, it might mean phpMyAdmin itself has been configured to not show it. This is easiest to verify by issuing a show databases; SQL query from within phpMyAdmin. If the database you are looking for shows up, the user is permitted to view it, at the least.
There are several config directives which can controls which databases are visible in phpMyAdmin's lists. If you used an automated installer or script to add phpMyAdmin to a user account, it might also have set one of only_db or hide_db. These are also described in the official phpMyAdmin documentation, which should have been included with your installation, and on the wiki.
If your user has access to change the settings, you can do it for the current session from within phpMyAdmin under "Settings" and the "Features" tab. To permanently change these settings you will need to edit config.inc.php. Its location depends on where phpMyAdmin is installed on your system.
Seems like there might me some conflict/confusion with respect to which host the permission was granted to, and which one(s) are being used.
After FLUSH PRIVILEGES to remove that possibility, I'd see which user I was being identified as once I was logged in:
SELECT user();
Note that MySQL always associates a login with the most specific host. See doc. Then compare that to what's in the privileges database.
SELECT * FROM mysql.user WHERE user='wade';
SELECT * FROM mysql.db WHERE user='wade';
To resolve the situation, either REVOKE or DELETE+FLUSH PRIVILEGES the trouble-causing conflict (being careful not to paint yourself into a corner), or GRANT more privileges to the one your user is identified as.
I had the same issue yesterday. I swap my data files HD onto another MySQL server (Same version of everything, replica brand new install same passwords as preventive maintenance). Had both root access, but I guess they are different machines and hashs for the passwords created at MySQL startup. When I listed for files, all are intact in both servers, but phpmyadmin could't see databases (just information_schema), even not available using MySQL thru shell, but files are at the right location.
When check ownership of files they where not owned by root, the owner was 'nobody', so I proceded to take ownership of the databases files at MySQL default data location using chown root:root *
So if you think that just replacing the data by swapping HDs, and beeing root in both places, with root access on both you will be happy camper. But not so quickly, you may need to check persmission and ownership of those files still to be able to list them in PHPMYADMIN
After that procedure, everything worked OK after reboot.