Impact of Creating an Empty Username
The empty username '' is allowed in GaussDB(for MySQL) instances, but using it has negative impacts on the instance.
When an empty username exists on a GaussDB(for MySQL) instance, it matches any username supplied at login. This has both security and functional impacts on your instance. You are advised not to use empty usernames in actual scenarios.
- Security impact
- If an empty username exists, your instance can be connected to using any username.
- Anyone can log in to your database using any username together with the password of the empty username, and the session obtains all permissions of the empty username. For example:
```
# If there is no empty username created and the invalid username abcd is used to connect to the instance, the connection fails.
mysql> select user,host from mysql.user;
+------------------+-----------+
| user             | host      |
+------------------+-----------+
| root             | %         |
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
+------------------+-----------+

mysql -uabcd -h127.0.0.1 -P3306 -pTest_1234
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'abcd'@'localhost' (using password: YES)

# If an empty username has been created and the invalid username abcd and the password of the empty username are used to connect to the instance, the connection is successful.
mysql> create user ''@'localhost' IDENTIFIED BY 'Test_1234';
mysql> select user,host from mysql.user;
+------------------+-----------+
| user             | host      |
+------------------+-----------+
| root             | %         |
|                  | localhost |
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
+------------------+-----------+

mysql -uabcd -h127.0.0.1 -P3306 -pTest_1234
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 37
Server version: 8.0.22-debug Source distribution

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
```
- If the empty username has no password, any username can be used to log in to the instance without a password, and the session obtains all permissions of the empty username. For example:
```
# If there is an empty username that does not have a password, the database can be logged in using any username without a password.
mysql> create user ''@'localhost';
Query OK, 0 rows affected (8.87 sec)

mysql> select user,host from mysql.user;
+------------------+-----------+
| user             | host      |
+------------------+-----------+
| root             | %         |
|                  | localhost |
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
+------------------+-----------+

mysql -uabcd -h127.0.0.1 -P3306
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 8.0.22-debug Source distribution

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

#-----------------
mysql -usdhsjkdshk -h127.0.0.1 -P3306
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 40
Server version: 8.0.22-debug Source distribution

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
```
- Functional impact
If an empty username exists, logging in to the database with a correct username can fail because of a username matching error.
Example: If the host of an empty username overlaps that of the root user, the root user either cannot log in to the database using its own password, or can log in using the password of the empty username but does not obtain the root user permissions.
```
mysql> create user ''@'localhost';
Query OK, 0 rows affected (8.87 sec)

mysql> select user,host from mysql.user;
+------------------+-----------+
| user             | host      |
+------------------+-----------+
| root             | %         |
|                  | localhost |
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
+------------------+-----------+

# The database cannot be logged in using the password of the root user.
mysql -uroot -h127.0.0.1 -P3306 -pTest_root
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

# The user who logs in to the database using the password of the empty user (password-free) is actually an empty user so the user does not have the root permissions.
mysql -uroot -h127.0.0.1 -P3306
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 45
Server version: 8.0.22-debug Source distribution

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user,host from mysql.user;
ERROR 1142 (42000): SELECT command denied to user ''@'localhost' for table 'user'
```
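Both impacts above follow from how a MySQL server selects the account row for an incoming connection: rows are ordered with the most specific host first, then named users before the empty username, and the first matching row is used. The Python sketch below is an added example, not part of the original page or the vendor's code; it is a simplified model of that ordering, assumed to apply to GaussDB(for MySQL), and its function names are hypothetical.

```python
import re

# Constructed input: the (user, host) rows shown in the page's mysql.user listing.
ACCOUNTS = [("root", "%"), ("", "localhost"), ("mysql.infoschema", "localhost"),
            ("mysql.session", "localhost"), ("mysql.sys", "localhost")]


def host_matches(pattern, client_host):
    """Match an account host pattern using the SQL wildcards % and _."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, client_host, re.IGNORECASE) is not None


def specificity(account):
    """Sort key (simplified model): specific hosts first, then named users before ''."""
    user, host = account
    wildcard = re.search(r"[%_]", host)
    # Literal hosts sort first; among patterns, a later wildcard is more specific.
    host_rank = (0, 0) if wildcard is None else (1, -wildcard.start())
    return (host_rank, user == "")


def match_account(accounts, user, client_host):
    """Return the first row, in sorted order, that matches the connection."""
    for acct_user, acct_host in sorted(accounts, key=specificity):
        if host_matches(acct_host, client_host) and acct_user in ("", user):
            return (acct_user, acct_host)
    return None  # no row matches: the server refuses the connection


def shadowed_accounts(accounts, client_host):
    """Named accounts that resolve to an empty-username row from client_host."""
    shadowed = []
    for user, host in accounts:
        if user and host_matches(host, client_host):
            hit = match_account(accounts, user, client_host)
            if hit and hit[0] == "":
                shadowed.append(((user, host), hit))
    return shadowed


if __name__ == "__main__":
    for name in ("root", "abcd"):
        print(name, "->", match_account(ACCOUNTS, name, "localhost"))
    print("shadowed:", shadowed_accounts(ACCOUNTS, "localhost"))
```

The password is checked only against the row that was selected, which is why `root` connecting from `localhost` is rejected with its own password and accepted with the empty username's. The model covers row selection only, not authentication or privilege checks.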