Mysql – Create user for alternate port

MySQLmysql-5.5

I am running a private MySQL instance on WebFaction

WebFaction is a shared host who provides both for their public MySQL instance and for your own private MySQL instance. The private instance is a 1-click install using their system which then provides a root user and port to you. The public instance is always just localhost, and the private instance is localhost:port.

What is the proper way to set up a user for that private instance?

CREATE USER 'user'@'localhost:port' IDENTIFIED BY 'password';
CREATE USER 'user'@'localhost' IDENTIFIED BY 'password';
CREATE USER 'user'@'%' IDENTIFIED BY 'password';

Does it matter?

I'm running into an issue trying to set up a Simplified Machines forum instance. The SMF forum will connect to localhost just fine, and it seems to connect to localhost:port okay (at the point in code where it makes the connection to the DB, it is successful), but then will only read and write to localhost and not localhost:port.

I have successfully created a db user which can connect to, read, and write via localhost:port, but refuses to do so via SMF.

Any thoughts?

Best Answer

Here is what I did:

CREATE USER 'myuser'@'localhost' IDENTIFIED BY 'mypass';
CREATE USER 'myuser'@'%' IDENTIFIED BY 'mypass';

GRANT ALL ON *.* TO 'myuser'@'localhost';
GRANT ALL ON *.* TO 'myuser'@'%';

In the php.ini: mysql.default_port = <private instance port>

In the forum settings, set database host to: 127.0.0.1

Related Solutions

MySQL – Creating a user and specifying a password

Your syntax is the good one :

[root@localhost] [(none)] mysql> CREATE USER 'foo'@'2.2.2.2' IDENTIFIED BY 'bar';
Query OK, 0 rows affected (0.00 sec)

You can see if your user is created by using :

[root@localhost] [(none)] mysql> show grants for 'foo'@'2.2.2.2';
+----------------------------------------------------------------------------------------------------------+
| Grants for foo@2.2.2.2                                                                                   |
+----------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'foo'@'2.2.2.2' IDENTIFIED BY PASSWORD '*E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB' |
+----------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

But it'll work only if you connect from 2.2.2.2.

Max.

Mysql – About GRANT statement for user creation

Let's look at the way you created the user.

EXAMPLE : I have a database called zipcodes. I will create a user called rolando

mysql> grant all on zipcodes.* to rolando identified by 'blahblah';
Query OK, 0 rows affected (0.04 sec)

mysql> show grants for rolando;
+--------------------------------------------------------------------------------------------------------+
| Grants for rolando@%                                                                                   |
+--------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'rolando'@'%' IDENTIFIED BY PASSWORD '*446525BB82B5E22BD9E525261D37C494F623C52B' |
| GRANT ALL PRIVILEGES ON `zipcodes`.* TO 'rolando'@'%'                                                  |
+--------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

I specified rolando without an IP or netblock. By defualt, '%' is used. That should allow remote IP address to login.

You said you tried to login to your account with

 mysql -u violetkiwi -p

Why did this not work? Simply put, you were not connecting remotely. You created the user violetkiwi@'%'. You should create the user violetkiwi@localhost. Then, it can cleanly connect.

You need to make sure your mysql authentication scheme has been cleaned up

MySQL 5.0 Certification Study Guide says on Page 498 Paragraph 6 in its bulletpoints brings out how to cleanup the authentication process:

On Unix, MySQL comes with a mysql_secure_installation script that can perform several helpful security-related operations on your installation. The script has the following capabilities:

Set a password for the root accounts

Remove any remotely accessible root accounts.

Remove the anonymous user accounts. This improves security because it prevents the possibility of anyone connecting to the MySQL server as root from a remote host. The results is that anyone who wants to connect as root must first be able to log in on the server host, which provides an additional barrier against attack.

Remove the test database (If you remove the anonymous accounts, you might also want to remove the test database to which they have access).

A remotely accessible account is an account whose host is % which allows anyone and his grandmother. To find those accounts, run this query:

SELECT user,host FROM mysql.user WHERE host='%';

You should also be cognizant of how MySQL user authentication occurs.

According to MySQL 5.0 Certification Study Guide pages 486,487, the following describes mysql's authentication algorithm:

There are two stages of client access control:

In the first stage, a client attempts to connect and the server either accepts or rejects the connection. For the attempt to succeed, some entry in the user table must match the host from which the client connects, the username, and the password.

In the second stage (which occurs only if a client has already connected sucessfully), the server checks every query it receives from the client to see whether the client has sufficient privileges to execute it.

The server matches a client against entries in the grant tables based on the host from which the client connects and the user the client provides. However, it's possible for more than one record to match:

Host values in grant tables amy be specified as patterns contains wildcard values. If a grant table contains entris from myhost.example.com, %.example.com, %.com, and %, all of them match a client who connects from myhost.example.com.

Patterns are not allowed for the User values in grant table entries, but a username may be given as an empty string to specify an anonymous user. The empty string matches any username and thus effectively acts as a wildcard.

When the Host and the User values in more than one user table record match a client, the server must decide which one to use. It does this by sorting records with the most specific Host and User column values first, and choosing the matching record that occurs first in the sorted list, Sorting take place as follows:

In the Host Column, literal values such as localhost, 127.0.0.1, and myhost.example.com sort ahead of values such as %.example.com that have pattern characters in them. Pattern values are sorted according to how specific they are. For example, %.example.com is more specific than %.com, which is more specific than %.

In the User column, non-blank usernames sort ahead of blank usernames. That is, non-anonymous users sort ahead of anonymous users.

The server performs this sorting when it starts. It reads the grant tables into memory, sorts them, and uses the in-memory copies for access control.

SUMMARY

If you have any users that must have remote access, change the host of each user that has % into the public IP you will be connecting from.

For example, if the user myuser must connect from 208.21.42.184, replace the host like this

UPDATE mysql.user SET host='208.21.42.184' WHERE user='myuser' AND host='%';
FLUSH PRIVILEGES;

You should also be checking for the presence of any test databases. The presence of test databases. Any database named test or whose first five(5) characters are test_ need to be renamed immediately !!! I wrote an earlier post on how and why.

Best Answer

Related Solutions

MySQL – Creating a user and specifying a password

Mysql – About GRANT statement for user creation

SUMMARY

Related Question