[thelist] Apache on Win32

David Altherr einstein314 at hotmail.com
Thu Aug 16 16:15:38 CDT 2001


Or, avoiding the REVOKE syntax, even simpler solutions would be:

to set all the host to localhost:
UPDATE mysql.user SET host='localhost';

or to simply remove the users not validated against localhost (REVOKE does
not remove the user):
DELETE FROM mysql.user WHERE host!='localhost' AND host!='127.0.0.1';

be careful with the last one; make sure you have your user or root user
explicitly validated against 'localhost' before running 'FLUSH PRIVILEGES';

-David Altherr



> Beau,
>     While you can manipulate the privs tables manually, the preferred
> method (assuming MySQL version > 3.22.11) is to let MySQL handle the
> tables with the GRANT and REVOKE syntax.  In order to disallow the
> default root user as well as any other user validated against any host
> ('%') or validated against a host other than 'localhost' you would use
> the REVOKE syntax as follows:
>
> REVOKE all ON *.* FROM 'user_name'@'host_name';
> REVOKE GRANT OPTION ON *.* FROM 'user_name'@'host_name';
>
> The second statement is somewhat redundant given that a MySQL user can
> only grant his/her current privileges but for consistency, it will set
> the 'Y' value under the user.Grant_priv column to 'N'.  Note that the
> 'host_name' must be explicitly specified, for the '%' wildcard is treated
> simply as a literal string in the table, e.g. if you have 'user_name'
> validated against '%' and 'foohost' and then run the REVOKE against
> 'user_name'@'%' then the statement will only modify the privileges for
> the '%' entry and not the 'foohost' entry.  Remember that while the
> tables have been updated, privilege changes do not take effect until the
> mysqld is restarted or you run the 'FLUSH PRIVILEGES;' statement.
>
> Note that disallowing access to any other host than 'localhost' in MySQL
> will only prevent others from accessing the database via the command line
> monitor or a script running on another machine.  When accessing MySQL
> from a PHP installation on the same machine, PHP will login to MySQL
> under 'localhost' and not the host of the user accessing the PHP script
> through the Apache server; to deny access through this route, modifying
> the Apache configuration files is the best method as described in the
> previous reply.
>
> You can also authenticate against the user's IP address in PHP with the
> $REMOTE_ADDR variable, or $HTTP_SERVER_VARS["REMOTE_ADDR"] if you have
> global vars turned off.
>
> For more information on user privilege manipulation in MySQL:
> http://www.mysql.com/doc/G/R/GRANT.html
>
> -David Altherr
>
>
> > Thank you Michael. I've made this change to Apache's httpd.conf file.
> >
> > Is there a similar entry for mysql? After reading the manual, I've
> > entered this line in the mysql.ini file:
> >
> > bind-address=127.0.0.1
> >
> > I'm hoping that this will help keep unwanted visitors out. The other
> > thing I did in mysql was to edit the entries in the User table to deny
> > access to anything from anyone except root on localhost. I didn't know
> > if it was any better to completely delete each instance, or just
> > replace the "Y"s with "N"s. Is there a preferred way to do this?
> >
> > BTW, I never realized how convenient it is to have a local development
> > server. I was used to the save, upload, reload routine... Now in
> > HTML-kit (after I mapped my htdocs directory to http://localhost/) all
> > I have to do is press f12!
> >
> > Thanks again,
> >
> > Beau
> >
> > -----Original Message-----
> > From: thelist-admin at lists.evolt.org
> > [mailto:thelist-admin at lists.evolt.org]On Behalf Of Michael Pemberton
> >
> >
> > In the httpd.conf file, you will find the following lines in the
> > <directory "YOURWEBDIR"> section:
> >
> >     Order allow,deny
> >     Allow from all
> >
> > By changing them to read:
> >
> >     # Order deny,allow allows by default, so deny everyone first
> >     Order deny,allow
> >     Deny from all
> >     Allow from 127.0.0.1
> >
> > If you have another network IP (intranet), it is possible that your
> > browser will identify itself by this.  Also add
> >
> >     Allow from XXX.XXX.XXX.XXX (your network IP)
> >
> > you should now have a server that can only be accessed using
> > "localhost".
>
>
>
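
Added example, not part of the original thread: a pre-flight sequence for the DELETE approach at the top of this message, typed into the mysql monitor, that checks for the lock-out case David warns about before any row is removed. It assumes the administrative account is named root and that mysql.user has its usual primary key on (Host, User).

```sql
-- Added example, not from the thread. Assumptions: the admin account is
-- named 'root', and mysql.user is keyed on (Host, User).

-- 1. Inventory: every account row that can match a non-local host.
--    These are the rows the DELETE in step 4 would remove.
SELECT user, host
  FROM mysql.user
 WHERE host <> 'localhost' AND host <> '127.0.0.1'
 ORDER BY user, host;

-- 2. Lock-out check: this must return a row before anything is deleted,
--    otherwise no administrative login survives the change.
SELECT user, host
  FROM mysql.user
 WHERE user = 'root' AND host = 'localhost';

-- 3. Collision check for the UPDATE variant: a user listed here has more
--    than one host row, so setting every host to 'localhost' would create
--    duplicate (Host, User) keys. Delete the extra rows for those users
--    instead of rewriting them.
SELECT user, COUNT(*) AS host_rows
  FROM mysql.user
 GROUP BY user
HAVING COUNT(*) > 1;

-- 4. Only after step 2 has returned a row: remove the non-local rows.
DELETE FROM mysql.user
 WHERE host <> 'localhost' AND host <> '127.0.0.1';

-- 5. Reload the grant tables so the server uses the edited rows.
FLUSH PRIVILEGES;

-- 6. Verify: only local rows should remain.
SELECT user, host FROM mysql.user ORDER BY user, host;
```

Database-level grants in mysql.db carry their own host column and are not touched by these statements.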



