30/06/13

An introduction to MySQL permissions DatabaseJournal.com


MySQL
Feb 17, 2004

An introduction to MySQL permissions


By Ian Gilfillan

MySQL newbies often have problems with the MySQL access control system. But once you get used to it, I think you will find it flexible and easy to use, so this month we're going to examine how to get started with MySQL permissioning.

The USER table


MySQL access is controlled by the mysql database. Let's take a look at the tables found in this database. The following list comes from MySQL 5; earlier versions of MySQL will be different, but in this tutorial I only focus on those tables available in the current stable version, 4.0.x.
mysql> SHOW TABLES;
+-----------------+
| Tables_in_mysql |
+-----------------+
| columns_priv    |
| db              |
| func            |
| help_category   |
| help_keyword    |
| help_relation   |
| help_topic      |
| host            |
| proc            |
| tables_priv     |
| user            |
+-----------------+


When a user tries to connect to the database, MySQL checks that that particular username/host/password combination has permission to connect. Once the connection has been made, before any operations are carried out, MySQL again checks to see whether the user/host combination has the right level of access to carry out that operation. The user table is the first table MySQL checks. All user/host/password combinations must be listed in this table before any access can be granted. Let's look at the table in more detail:
mysql> DESC user;
+-----------------+---------------+------+-----+---------+-------+
| Field           | Type          | Null | Key | Default | Extra |
+-----------------+---------------+------+-----+---------+-------+
| Host            | char(60)      |      | PRI |         |       |
| User            | char(16)      |      | PRI |         |       |
| Password        | char(16)      |      |     |         |       |
| Select_priv     | enum('N','Y') |      |     | N       |       |
| Insert_priv     | enum('N','Y') |      |     | N       |       |
| Update_priv     | enum('N','Y') |      |     | N       |       |
| Delete_priv     | enum('N','Y') |      |     | N       |       |
| Create_priv     | enum('N','Y') |      |     | N       |       |
| Drop_priv       | enum('N','Y') |      |     | N       |       |
| Reload_priv     | enum('N','Y') |      |     | N       |       |
| Shutdown_priv   | enum('N','Y') |      |     | N       |       |
| Process_priv    | enum('N','Y') |      |     | N       |       |
| File_priv       | enum('N','Y') |      |     | N       |       |
| Grant_priv      | enum('N','Y') |      |     | N       |       |
| References_priv | enum('N','Y') |      |     | N       |       |
| Index_priv      | enum('N','Y') |      |     | N       |       |
| Alter_priv      | enum('N','Y') |      |     | N       |       |
+-----------------+---------------+------+-----+---------+-------+

www.databasejournal.com/features/mysql/article.php/3311731/An-introduction-to-MySQL-permissions.htm

It is important to understand that the host and user together determine an individual permission for connecting. User Nosipho may have access from host A, and not from host B. In fact, user Nosipho on host B may be an entirely different user. A host may be either the hostname of the machine, or the IP, and may be, or include, a wildcard (the % sign), meaning any host. It should be rare to allow access from any host. Web applications, for example, typically only allow access to the database server from the web server (or localhost for small setups, where they're on the same machine). The password is stored in an encrypted format using the PASSWORD() function. Let's look at a sample subset from the user table:
mysql> SELECT host, user FROM user;
+--------------+-------+
| host         | user  |
+--------------+-------+
| localhost    | mysql |
| localhost    | mark  |
| 192.168.5.42 | tiki  |
| 192.168.5.%  | mpho  |
| 192.168.5.42 |       |
| %            | wiki  |
+--------------+-------+

In this example, the mysql and mark users can connect from localhost only, while user tiki, and any other user, can connect from the IP 192.168.5.42. User mpho can connect from any IP starting with 192.168.5 (as denoted by the wildcard where the last digit would be). Finally, user wiki has access from any machine. This does not necessarily mean they can do anything, just that they can connect.

To decide whether a user has access to perform a particular operation, MySQL again checks the user table first. The remaining fields, all fairly clearly named, come into play. Select_priv determines whether users can run SELECT queries, Insert_priv INSERT queries, and so on.

Permission       Description
Select_priv      Permission to run SELECT queries
Insert_priv      Permission to run INSERT statements
Update_priv      Permission to run UPDATE statements
Delete_priv      Permission to run DELETE statements
Create_priv      Permission to CREATE tables and databases
Drop_priv        Permission to DROP tables and databases
Reload_priv      Permission to RELOAD the database (a FLUSH statement, for example)
Shutdown_priv    Permission to SHUTDOWN the database server
Process_priv     Permission to view or kill PROCESSes
File_priv        Permission to read and write FILEs (for example LOAD DATA INFILE)
Grant_priv       Permission to GRANT available permissions to other users
References_priv  Not used by MySQL 4.0.x
Index_priv       Permission to create, modify or drop INDEXes
Alter_priv       Permission to ALTER table structures

All are enumerated types, a Y value allowing the operation, and an N value possibly disallowing it. Only possibly, because the user table is the bluntest kind of permission. A Y value in one of these fields always allows that operation to be performed on every database on the server. It is often good practice to set values to N in the user table, and then allow them for the appropriate database only, as we'll see now. Another sample:
mysql> SELECT host, user, select_priv, insert_priv FROM user;
+-----------+------+-------------+-------------+
| host      | user | select_priv | insert_priv |
+-----------+------+-------------+-------------+
| %         | mark | Y           | N           |
| localhost | mpho | N           | N           |
+-----------+------+-------------+-------------+

Here user mark can always run SELECT queries; for the other operations, MySQL needs to check the other tables to see whether they are allowed, starting with the db table.

The DB table
If the user table allows access, but disallows permission for a particular operation, the next table to worry about is the db table. This sets permissions for specific databases.
mysql> DESC db;
+-----------------+---------------+------+-----+---------+-------+
| Field           | Type          | Null | Key | Default | Extra |
+-----------------+---------------+------+-----+---------+-------+
| Host            | char(60)      |      | PRI |         |       |
| Db              | char(32)      |      | PRI |         |       |
| User            | char(16)      |      | PRI |         |       |
| Select_priv     | enum('N','Y') |      |     | N       |       |
| Insert_priv     | enum('N','Y') |      |     | N       |       |
| Update_priv     | enum('N','Y') |      |     | N       |       |
| Delete_priv     | enum('N','Y') |      |     | N       |       |
| Create_priv     | enum('N','Y') |      |     | N       |       |
| Drop_priv       | enum('N','Y') |      |     | N       |       |
| Grant_priv      | enum('N','Y') |      |     | N       |       |
| References_priv | enum('N','Y') |      |     | N       |       |
| Index_priv      | enum('N','Y') |      |     | N       |       |
| Alter_priv      | enum('N','Y') |      |     | N       |       |
+-----------------+---------------+------+-----+---------+-------+

Host and User appear in the same way in this table, but attached to a database, not a password. The same host/user combination appears, with a password, in the user table, which allows the user to connect, but if they do not have permission to perform an operation, MySQL will check this table to see if they can perform it on a particular database. A sample:
mysql> SELECT host, db, user, select_priv, insert_priv FROM db;
+-----------+----------+------+-------------+-------------+
| host      | db       | user | select_priv | insert_priv |
+-----------+----------+------+-------------+-------------+
| localhost | news     | mark | Y           | Y           |
| localhost | archives | mpho | N           | N           |
| localhost | news     | mpho | Y           | Y           |
+-----------+----------+------+-------------+-------------+

Compare this with the previous sample we looked at from the user table. User mark already had Select permission on all databases, but no Insert permissions. Here, he is granted insert permission on the news database only, while user mpho is given select and insert permission on the news database. Most MySQL installations in any kind of multi-user scenario would be best served by denying global permissions, and granting them on the database-level only. Another possibility exists. The database and user combination were found, but the host was left blank. In this case, MySQL checks the host table. Let's look at what's in there:
mysql> DESC host;
+-----------------+---------------+------+-----+---------+-------+
| Field           | Type          | Null | Key | Default | Extra |
+-----------------+---------------+------+-----+---------+-------+
| Host            | char(60)      |      | PRI |         |       |
| Db              | char(32)      |      | PRI |         |       |
| Select_priv     | enum('N','Y') |      |     | N       |       |
| Insert_priv     | enum('N','Y') |      |     | N       |       |
| Update_priv     | enum('N','Y') |      |     | N       |       |
| Delete_priv     | enum('N','Y') |      |     | N       |       |
| Create_priv     | enum('N','Y') |      |     | N       |       |
| Drop_priv       | enum('N','Y') |      |     | N       |       |
| Grant_priv      | enum('N','Y') |      |     | N       |       |
| References_priv | enum('N','Y') |      |     | N       |       |
| Index_priv      | enum('N','Y') |      |     | N       |       |
| Alter_priv      | enum('N','Y') |      |     | N       |       |
+-----------------+---------------+------+-----+---------+-------+

Exactly the same kind of checks occur here. An example:


mysql> SELECT host, db, select_priv, insert_priv FROM host;
+--------------+----------+-------------+-------------+
| host         | db       | select_priv | insert_priv |
+--------------+----------+-------------+-------------+
| localhost    | news     | Y           | Y           |
| localhost    | archives | Y           | N           |
| 192.168.5.42 | news     | Y           | N           |
+--------------+----------+-------------+-------------+

If the host had been left blank, permissions are determined here. A user from localhost would have both select and insert permission on the news database, while a user from the host 192.168.5.42 would only have select permission on this database. From localhost, a user would have select privileges only on the archives database. But there is still more fine-tuning possible. You can assign users permission at a table, or even a column, level with the tables_priv and columns_priv tables, described below:
mysql> DESC tables_priv;
+-------------+-----------------------------------------------------------------------------------------------+------+-----+---------+-------+
| Field       | Type                                                                                          | Null | Key | Default | Extra |
+-------------+-----------------------------------------------------------------------------------------------+------+-----+---------+-------+
| Host        | char(60)                                                                                      |      | PRI |         |       |
| Db          | char(60)                                                                                      |      | PRI |         |       |
| User        | char(16)                                                                                      |      | PRI |         |       |
| Table_name  | char(60)                                                                                      |      | PRI |         |       |
| Grantor     | char(77)                                                                                      |      | MUL |         |       |
| Timestamp   | timestamp(14)                                                                                 | YES  |     | NULL    |       |
| Table_priv  | set('Select','Insert','Update','Delete','Create','Drop','Grant','References','Index','Alter') |      |     |         |       |
| Column_priv | set('Select','Insert','Update','References')                                                  |      |     |         |       |
+-------------+-----------------------------------------------------------------------------------------------+------+-----+---------+-------+

mysql> DESC columns_priv;
+-------------+----------------------------------------------+------+-----+---------+-------+
| Field       | Type                                         | Null | Key | Default | Extra |
+-------------+----------------------------------------------+------+-----+---------+-------+
| Host        | char(60)                                     |      | PRI |         |       |
| Db          | char(60)                                     |      | PRI |         |       |
| User        | char(16)                                     |      | PRI |         |       |
| Table_name  | char(60)                                     |      | PRI |         |       |
| Column_name | char(60)                                     |      | PRI |         |       |
| Timestamp   | timestamp(14)                                | YES  |     | NULL    |       |
| Column_priv | set('Select','Insert','Update','References') |      |     |         |       |
+-------------+----------------------------------------------+------+-----+---------+-------+

Comments

By foxvor, May 07 2012 15:12 PDT

How would I grant a SELECT or UPDATE permission only to certain tables? I mean, how can I get a user to have a SELECT or UPDATE privilege on a table but not on another in the same database?

By Sourav, December 23 2009 11:37 PST

If you want to change the permission of a user in MySQL, type:

mysql> GRANT SELECT ON *.* TO priyanka@localhost IDENTIFIED BY 'priyanka1';

where priyanka is your new user and priyanka1 is your password.
