Hi Rene,

On Mon, Dec 16, 2013 at 04:35:11PM +0100, Rene Engelhard wrote:
> On Mon, Dec 16, 2013 at 04:09:25PM +0100, Salvatore Bonaccorso wrote:
> [...]
> > allow anonymous access, without a password, from localhost to
> > the "test" database and any databases starting with "test_" that
> > users might have created after installing mysql-server.
> [..]
> > MySQL documentation recommends dropping these permissions and
> > the "test" database.
> > http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html ,
> > section "Securing Test Databases".
> >
> > mysql-server-5.1 in squeeze didn't set up these permissions and
> > didn't create the test database, the debian patches
> > 33_scripts__mysql_create_system_tables__no_test.dpatch and
> > 41_scripts__mysql_install_db.sh__no_test.dpatch removed the code
> > from /usr/bin/mysql_install_db and /usr/share/mysql/mysql_system_tables.sql
> > .
> >
> > Please re-add these patches to mysql-server-5.5 and include some code
> > in the pre/postinst script to remove these permissions and the
> > "test" database on current installations.
>
> I don't think we should do that.
>
> What if people *do* have a real-world test db on some test system? A
> DROP DATABASE would then simply be data loss.
> (Never underestimate "weird" paths/names (learned that myself the hard way
> once)
>
> One could argue about the permission thing, but then again, if it's some
> test-system with a test database....

Indeed, this will not be done, apologies for having that in the bug report.
In the advisory I will write:

> Existing databases and permissions are not touched. Please refer to
> the NEWS file provided with this update for further information.

So the update will not touch existing permissions and databases.

Regards,
Salvatore
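
Added example, not part of the original thread: since the update leaves existing databases and permissions untouched, an administrator can audit an installed MySQL 5.5 server for the anonymous "test" grants described above. It assumes the stock 5.5 grant tables (`mysql.user`, `mysql.db`) and an account allowed to read them; the cleanup at the end is left commented out so that nothing is changed before the audit output has been reviewed.

```sql
-- 1. Anonymous accounts (empty user name), if any exist.
SELECT Host, User, Password = '' AS no_password
FROM mysql.user
WHERE User = '';

-- 2. Database-level grants on "test" and "test_..." schemas.
--    The rows created at install time have an empty User column,
--    which means they apply to any account that can connect.
SELECT Host, Db, User,
       Select_priv, Insert_priv, Update_priv,
       Delete_priv, Create_priv, Drop_priv
FROM mysql.db
WHERE Db LIKE 'test%'
ORDER BY Db, Host, User;

-- 3. Schemas those grants actually cover on this server.
--    "_" is a single-character wildcard in LIKE, so it is escaped
--    to match only names that really start with "test_".
SELECT SCHEMA_NAME
FROM information_schema.SCHEMATA
WHERE SCHEMA_NAME = 'test'
   OR SCHEMA_NAME LIKE 'test\_%';

-- 4. Number of tables per matching schema, to tell an unused
--    default "test" database from one that holds real data.
SELECT s.SCHEMA_NAME, COUNT(t.TABLE_NAME) AS table_count
FROM information_schema.SCHEMATA AS s
LEFT JOIN information_schema.TABLES AS t
       ON t.TABLE_SCHEMA = s.SCHEMA_NAME
WHERE s.SCHEMA_NAME = 'test'
   OR s.SCHEMA_NAME LIKE 'test\_%'
GROUP BY s.SCHEMA_NAME;

-- 5. Optional cleanup of the permissions only. No database is
--    dropped here; whether to drop "test" is a local decision
--    that depends on the result of step 4.
-- DELETE FROM mysql.db WHERE User = '' AND Db LIKE 'test%';
-- FLUSH PRIVILEGES;
```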