Hi, Marc, On Aug 02, Marc wrote:
> > > If the server will delay enforcing of max_connections (that is, > > > the server will not reject connections about max_connections at > > > once), then this user in the above scenario will open all possible > > > connections your OS can handle and the computer will become > > > completely inaccessible. > > > > The idea about this change is to have a more useful and expected > > implementation of max_user_connections and max_connections. > > Currently I am using max_connections not for what it is supposed to > > be used, just because the max_user_connections is not doing as much > > as it 'should'. > > Hi Sergei, Is this something you are going to look in to? I am also > curious about this delay between first package and package with the > username. I can't imagine that being such a problem, to me this looks > feasible currently. I'm afraid, I don't understand your use case. There are, basically, three limits now: max_user_connections, max_connections, OS limit. An ordinary user would connect many times, hit max_user_connections and stop. Or will keep connecting and get disconnects because of max_user_connections. A malicious user would connect and wouldn't authenticate, this will exhaust max_connections and nobody will be able to connect to the server anymore. max_user_connections won't help here. After your suggestion of delayed max_connections check - an ordinary user would still connect max_user_connections times, nohing would change for him. A malicious user, not stopped by max_connections anymore, would completely exhaust OS capability for opening new connections making the whole OS inaccessible. That's what I mean - I don't understand your use case. It doesn't change much if all users behave and it makes the situation much worse if a user is malicious. So, in what use case your change would be an improvement? Regards, Sergei Chief Architect, MariaDB Server and [email protected] _______________________________________________ discuss mailing list -- [email protected] To unsubscribe send an email to [email protected]
