Help Center/ TaurusDB/ Troubleshooting/ Basic Issues/ Impact of Creating an Empty Username
Updated on 2024-09-05 GMT+08:00

Impact of Creating an Empty Username

The username '' is allowed in GaussDB(for MySQL) instances, but using such an empty username has negative impacts on instances.

When you perform operations on a GaussDB(for MySQL) instance using an empty username, any username can be matched. This brings security and functional impacts on your instance. You are advised not to use empty usernames in actual scenarios.

  • Security impact
    • Your instance can be connected using any username if there is an empty username.
    • Your database can be logged in using any username and the password of the empty username and the login user will obtain all permissions of the empty username. For example:
      #If there is no empty username created and the invalid username abcd is used to connect to the instance, the connection fails.
      mysql> select user,host from mysql.user; 
      +------------------+-----------+
      | user             | host      | 
      +------------------+-----------+
      | root             | %         | 
      | mysql.infoschema | localhost | 
      | mysql.session    | localhost | 
      | mysql.sys        | localhost | 
      +------------------+-----------+
      mysql -uabcd -h127.0.0.1 -P3306 -pTest_1234 
      mysql: [Warning] Using a password on the command line interface can be insecure. 
      ERROR 1045 (28000): Access denied for user 'abcd'@'localhost' (using password: YES) 
      
      #If an empty username has been created and the invalid username abcd and the password of the empty username are used to connect to the instance, the connection is successful.
      mysql> create user ''@'localhost' IDENTIFIED BY 'Test_1234'; 
      mysql> select user,host from mysql.user; 
      +------------------+-----------+
      | user             | host      | 
      +------------------+-----------+
      | root             | %         | 
      |                  | localhost | 
      | mysql.infoschema | localhost | 
      | mysql.session    | localhost | 
      | mysql.sys        | localhost | 
      +------------------+-----------+ 
      mysql -uabcd -h127.0.0.1 -P3306 -pTest_1234 
      mysql: [Warning] Using a password on the command line interface can be insecure. 
      Welcome to the MySQL monitor.  Commands end with ; or \g. 
      Your MySQL connection id is 37Server version: 8.0.22-debug Source distribution 
      Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. 
      Oracle is a registered trademark of Oracle Corporation and/or its affiliates. 
      Other names may be trademarks of their respective owners. 
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
      mysql> 
    • If the empty user does not have a password, you can use any username to log in to the instance without a password and obtain all permissions of the empty user. For example:
      #If there is an empty username that does not have a password, the database can be logged in using any username without a password.
      mysql> create user ''@'localhost'; 
      Query OK, 0 rows affected (8.87 sec) 
      mysql> select user,host from mysql.user; 
      +------------------+-----------+
      | user             | host      | 
      +------------------+-----------+
      | root             | %         | 
      |                  | localhost | 
      | mysql.infoschema | localhost | 
      | mysql.session    | localhost | 
      | mysql.sys        | localhost | 
      +------------------+-----------+
      mysql -uabcd -h127.0.0.1 -P3306 
      Welcome to the MySQL monitor.  Commands end with ; or \g. 
      Your MySQL connection id is 39Server version: 8.0.22-debug Source distribution 
      Copyright (c) 2000, 2020, Oracle and/or its affiliates. 
      All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. 
      Other names may be trademarks of their respective owners. 
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 
      mysql>  
      #-----------------
      mysql -usdhsjkdshk -h127.0.0.1 -P3306 
      Welcome to the MySQL monitor.  Commands end with ; or \g. 
      Your MySQL connection id is 40Server version: 8.0.22-debug Source distribution 
      Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. 
      Oracle is a registered trademark of Oracle Corporation and/or its affiliates. 
      Other names may be trademarks of their respective owners. 
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 
      mysql> 
  • Functional impact

    If there is an empty username, the database cannot be logged in using a correct username due to a name matching error.

    Example: If the host of an empty user overlaps that of the root user, the root user cannot log in to the database using its password or it can log in to the database using the password of the empty username but cannot obtain the root user permissions.

    mysql> create user ''@'localhost'; 
    Query OK, 0 rows affected (8.87 sec)  
    mysql> select user,host from mysql.user; 
    +------------------+-----------+
    | user             | host      | 
    +------------------+-----------+
    | root             | %         | 
    |                  | localhost | 
    | mysql.infoschema | localhost | 
    | mysql.session    | localhost | 
    | mysql.sys        | localhost | 
    +------------------+-----------+
    #The database cannot be logged in using the password of the root user.
    mysql -uroot -h127.0.0.1 -P3306 -pTest_root 
    mysql: [Warning] Using a password on the command line interface can be insecure. 
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)  
    #The user who logs in to the database using the password of the empty user (password-free) is actually an empty user so the user does not have the root permissions.
    mysql -uroot -h127.0.0.1 -P3306  
    Welcome to the MySQL monitor.  Commands end with ; or \g. 
    Your MySQL connection id is 45Server version: 8.0.22-debug Source distribution 
    Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. 
    Oracle is a registered trademark of Oracle Corporation and/or its affiliates. 
    Other names may be trademarks of their respective owners. 
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 
    mysql> select user,host from mysql.user; 
    ERROR 1142 (42000): SELECT command denied to user ''@'localhost' for table 'user'