Hello,

I just install MySQL server on Linux and want to configure users.

The mysql.user table says I have the root users:

root (AT) 127 (DOT) 0.0.1
root@localhost

Which one can I safely remove? My /etc/hosts file has localhost as
127.0.0.1.

Also, I only want local access to the server for all users. Again,
should I create user joe (AT) 127 (DOT) 0.0.1 or joe@localhost?

Thank you,
Joe

On 25-11-10 17:44, Joe Hesse wrote:
I would keep 'localhost' beacuse it always translates to the loopback IP
address 127.0.0.1 in IPv4, or ::1 in IPv6.[2]

[ref:http://en.wikipedia.org/wiki/Localhost ]






--
Luuk

On Thu, 25 Nov 2010 18:47:21 +0100, Luuk wrote:
No, it doesn't. localhost refers to the connection through the OS
socket, not the loopback network socket. "Localhost" would map to
127.0.0.1 on the network, but localhost in all lower case means
something entirely different and special to mysql.

--
33. I won't require high-ranking female members of my organization to
wear a stainless-steel bustier. Morale is better with a more casual
dress-code. Similarly, outfits made entirely from black leather will
be reserved for formal occasions. --Anspach's Evil Overlord List

On Thu, 25 Nov 2010 21:25:03 +0000, Peter H. Coffin wrote:

After reading the replies I think I have the answer. When you connect to
a server, e.g. http, using a domain name, the client resolves the name
and then connects to the server. The server also sees the domain name.
In the case of MySQL, the domain name is checked against the data in
mysql.user and MySQL rejects the login if the domain name isn't there.
Specifically if you do:
1. mysql -h 192.168.0.30 vs.
2. mysql -h mylocaldomain,
where mylocaldomain resolves to 192.168.0.30,
the connection will be refused in 2. if mylocaldomain is not in mysql.user
even if 192.168.0.30 is.



When you connect to MySQL with localhost, it sees the connection attempt
as coming from the domain name localhost. If that domain name isn't in
the mysql.user table MySQL refuses to authenticate. That's different
from doing http://localhost where the web browser resolves the name to
127.0.0.1 even though the web server sees the name localhost

Joe Hesse <JoeHesse (AT) gmail (DOT) com> wrote:
Correct so far

Wrong!

In default configuration the MySQL server does a DNS lookup to find the
host name(s) of the client that is connecting. It then scans for a row
in mysql.user with either the client IP address or a matching name.

For production setups it is recommended to turn off that DNS lookup
(its expensive and might take a long time and you don't have control
over all aspects of the DNS anyway). That in turn means you cannot use
host names in GRANTs any more, but only IP addresses.

http://dev.mysql.com/doc/refman/5.1/en/dns.html

Not quite.

If you tell a client it should connect to "localhost" (in exactly that
writing) then the client assumes it is running on the same machine than
the server and will use a local communication channel (on *NIX a local
socket, on Win a named pipe) to connect. If the server sees a connect
request over that local communication channel then it requires a row
with "localhost" in the `host` column in mysql.user.

The important point is, that MySQL treats "localhost" not as a network
host name. "localhost" and 127.0.0.1 mean different things. And this
has nothing to with 127.0.0.1 resolving to "localhost" or not.

In a GRANT statement "localhost" means "client runs on same machine
than server *and* uses the local channel". Especially a local client
connecting to 127.0.0.1 will *not* match a GRANT for "localhost".
Also the other way round.


XL

Joe Hesse <JoeHesse (AT) gmail (DOT) com> writes:

Not quite. The client *does* treat the name localhost differently, but
when it sees it, it connects through a local domain socket, not through
TCP/IP. Also note that, from the perspective of the client, the connection
attempt isn't "coming from" anything - the client is *making* the attempt
by *sending* it to the server.

The server, when it receives a connection request from the local domain
socket, authorizes it by looking for permissions from "localhost."

The difference is that the web browser doesn't treat localhost differently
than any other name - it looks up an address for it, just like it would do
for any other machine name.

It's an unfortunate design choice, made way back when, because localhost
has long been synonymous for 127.0.0.1, but where MySQL is concerned, it
means something entirely different. :-(

sherm--

--
Sherm Pendley
<http://camelbones.sourceforge.net>
Cocoa Developer

El 25/11/2010 17:44, Joe Hesse escribió/wrote:
I've checked the servers I have at hand and the default root user
appears to be "root@localhost".


--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--

In addition to what all the others have already explained, let me give
you an example about the difference between "localhost" and "127.0.0.1"
that may be of interest.

You may want to delete the root user for outside connections because of
security reasons.
But if you want to remotely use the database (to do updates, for
example), you can use an SSH tunnel. Anyone who can reach the server and
has SSH access rights can then connect to the database as if he was
using a local TCP connection. Such a tunnel connects to 127.0.0.1 rather
than "localhost". You can even do so from your Windows development
machine if you wish to and have enough rights, so you can use your
graphical database front-end while still having a reasonably locked-down
database server. So if you want to use this possibility, leave
root (AT) 127 (DOT) 0.0.1 in place.

As an alternative, if you really want to disable TCP connections to your
database, you can also configure this in in my.cnf (usually in /etc/ or
/etc/mysql/). You can also choose to configure a ""bind-adress", which
means that networking is only allowed from that address (like 127.0.0.1,
to enable the SSH tunnel option). If your concern is security, you may
prefer this, because it works even if less restricted users are defined.

Best regards,
--
Willem Bogaerts

Application smith
Kratz B.V.
http://www.kratz.nl/

On 11/26/2010 8:41 AM, Sherm Pendley wrote:
Sherm,

Yes, it's just one more place where MySQL doesn't follow established
standards.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex (AT) attglobal (DOT) net
==================