The Impact of Creating an Empty Username
RDS for MySQL instances allow the username '' (an empty username), but using such a username negatively impacts instances.
If an empty username exists on an RDS for MySQL instance, it can match any username supplied at login. This impacts both security and functionality. You are advised not to use empty usernames.
- Security impact
- If an empty username exists, your instance can be connected to using any username.
- Your database can be logged in to using any username together with the password of the empty username, and the login user obtains all permissions of the empty username. Example:
    # If there is no empty username created and the invalid username abcd is used to connect to the instance, the connection fails.
    mysql> select user,host from mysql.user;
    +------------------+-----------+
    | user             | host      |
    +------------------+-----------+
    | root             | %         |
    | mysql.infoschema | localhost |
    | mysql.session    | localhost |
    | mysql.sys        | localhost |
    +------------------+-----------+

    mysql -uabcd -h127.0.0.1 -P3306 -pTest_1234
    mysql: [Warning] Using a password on the command line interface can be insecure.
    ERROR 1045 (28000): Access denied for user 'abcd'@'localhost' (using password: YES)

    # If an empty username has been created and the invalid username abcd and the password of the empty username are used to connect to the instance, the connection is successful.
    mysql> create user ''@'localhost' IDENTIFIED BY 'Test_1234';
    mysql> select user,host from mysql.user;
    +------------------+-----------+
    | user             | host      |
    +------------------+-----------+
    | root             | %         |
    |                  | localhost |
    | mysql.infoschema | localhost |
    | mysql.session    | localhost |
    | mysql.sys        | localhost |
    +------------------+-----------+

    mysql -uabcd -h127.0.0.1 -P3306 -pTest_1234
    mysql: [Warning] Using a password on the command line interface can be insecure.
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 37
    Server version: 8.0.22-debug Source distribution

    Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql>
- If the empty user does not have a password, you can use any username to log in to the instance without a password and obtain all permissions of the empty user. Example:
    # If there is an empty username that does not have a password, the database can be logged in to using any username without a password.
    mysql> create user ''@'localhost';
    Query OK, 0 rows affected (8.87 sec)

    mysql> select user,host from mysql.user;
    +------------------+-----------+
    | user             | host      |
    +------------------+-----------+
    | root             | %         |
    |                  | localhost |
    | mysql.infoschema | localhost |
    | mysql.session    | localhost |
    | mysql.sys        | localhost |
    +------------------+-----------+

    mysql -uabcd -h127.0.0.1 -P3306
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 39
    Server version: 8.0.22-debug Source distribution

    Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql>

    #-----------------

    mysql -usdhsjkdshk -h127.0.0.1 -P3306
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 40
    Server version: 8.0.22-debug Source distribution

    Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql>
- Functional impact
If an empty username exists, the database cannot be logged in to using a normal username because of a name matching error.
Example: If the host of an empty user overlaps that of the root user, the root user cannot log in to the database using its own password. It can log in using the password of the empty username, but it does not obtain root permissions.
    mysql> create user ''@'localhost';
    Query OK, 0 rows affected (8.87 sec)

    mysql> select user,host from mysql.user;
    +------------------+-----------+
    | user             | host      |
    +------------------+-----------+
    | root             | %         |
    |                  | localhost |
    | mysql.infoschema | localhost |
    | mysql.session    | localhost |
    | mysql.sys        | localhost |
    +------------------+-----------+

    # The database cannot be logged in to using the password of the root user.
    mysql -uroot -h127.0.0.1 -P3306 -pTest_root
    mysql: [Warning] Using a password on the command line interface can be insecure.
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

    # The user who logs in to the database using the password of the empty user (password-free) is actually an empty user, so the user does not have the root permissions.
    mysql -uroot -h127.0.0.1 -P3306
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 45
    Server version: 8.0.22-debug Source distribution

    Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql> select user,host from mysql.user;
    ERROR 1142 (42000): SELECT command denied to user ''@'localhost' for table 'user'
    mysql>
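The matching behaviour behind both the security impact and the functional impact above, as an added example (not code from this documentation or from MySQL): a simplified Python model of the account-matching order described in the MySQL reference manual, where more specific hosts are tried first and an empty username matches any name. It assumes host patterns are either a literal name or '%', and the account list is a constructed copy of the mysql.user rows shown above.

```python
# Simplified model of MySQL's documented account-matching order (added example).
# Assumption: a host pattern is either a literal host name or the wildcard '%'.

# Constructed sample mirroring the mysql.user rows shown on this page.
ACCOUNTS = [
    ("root", "%"),
    ("", "localhost"),
    ("mysql.infoschema", "localhost"),
    ("mysql.session", "localhost"),
    ("mysql.sys", "localhost"),
]


def sort_key(account):
    user, host = account
    # Literal hosts sort before '%'; within one host, named users sort before ''.
    return (host == "%", user == "", host, user)


def match_account(accounts, login_user, client_host):
    """Return the first (user, host) row that matches the login, or None.

    The password is then checked against this row only, which is why root's
    own password is rejected once ''@'localhost' is the row that matches.
    """
    for user, host in sorted(accounts, key=sort_key):
        host_ok = host == "%" or host == client_host
        user_ok = user == "" or user == login_user
        if host_ok and user_ok:
            return (user, host)
    return None


def anonymous_accounts(accounts):
    """Rows an audit should flag: accounts whose user column is empty."""
    return [a for a in accounts if a[0] == ""]


if __name__ == "__main__":
    # The server sees these sessions as coming from 'localhost' (see the errors above).
    for name in ("abcd", "root"):
        print(name, "->", match_account(ACCOUNTS, name, "localhost"))
    cleaned = [a for a in ACCOUNTS if a[0] != ""]
    print("after removing the empty username:")
    for name in ("abcd", "root"):
        print(name, "->", match_account(cleaned, name, "localhost"))
    print("flagged:", anonymous_accounts(ACCOUNTS))
```

On a live instance, `SELECT USER(), CURRENT_USER();` shows the name the client supplied next to the account the server actually matched.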