On Wed, 2010-04-28 at 13:58 +0530, Vikram A wrote:
> Hi all,
> I have some security issues. I would like to have your suggestions/solutions.
>
> I have winserver2003 with mysql 5.1.45. We have a client-server application that
> allows a multi-login system with various people.
>
> I am getting user name, password for database login when they try to use login
> [which is for Application]. By using the DB user name and the password,
> people who know the mysql
> are opening the DB using some GUI tools. How can this be avoided? Because it
> is a major issue right now in my work place.
>
> Please, can anyone help me?
>
> Thank you
>
> VIKRAM A

1.) Use MySQL connection limits to restrict the ways a client may impact performance. In the longer term look to limit table access with stored procedures or (when efficient) views.

2.) Restrict the database usernames/passwords by IP address and/or SSL client certificates and restrict access to the authorised client machines from the people causing a problem.

3.) If the clients and their credentials can't be restricted from the problem group, use MySQL Proxy or its equivalent to filter exactly which queries may be applied so that only the actions already taken by the application may be performed by people using its login credentials.

4.) If the problem is being caused by people on the authorised clients performing reasonable actions for those clients, then your problem can't be solved technically aside from by separating the application authentication credentials from the MySQL ones, or by scaling to allow the clients' usage levels.

Like Johan De Meersman I think the real problem you have is probably that the application uses MySQL access credentials as end-user credentials. Per-application-user database users are unusual in my industry. If you need per-user access right granularity in database access it should still be disconnected from application login credentials.

I'd probably do:

field    | application                     | mysql
=========|=================================|=======================================================================
username | current username                | current username
password | current password stored as hash | unique password stored encrypted by hash of (current password + salt)

In this way only an application working on the user's behalf to which the user had submitted their password would be able to obtain their unique database password, but wouldn't need to store the plaintext password in the user's session.

HTH

Nigel

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=arch...@jab.org
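Nigel's two-column scheme, worked through as an added example (not code from the thread or from MySQL): the application row keeps a hash of the login password, and the user's unique MySQL password is stored wrapped under a key derived from (login password + salt), so it can be recovered at login without holding the plaintext login password in the session. The row layout and function names are assumptions, and because this uses only the Python standard library the wrapping is a SHA-256 keystream with an HMAC tag, a constructed stand-in for a proper authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed illustration of the scheme in the reply above: the table holds a
# login hash and the per-user MySQL password encrypted under a key derived from
# (login password + salt). The cipher (SHA-256 keystream XOR + HMAC tag) is a
# stdlib stand-in; a real deployment would use AES-GCM or similar.

def _kdf(login_password: str, salt: bytes, purpose: bytes) -> bytes:
    # 'purpose' separates the stored login hash from the wrapping key, so the
    # value kept in the table cannot itself be used to unwrap the DB password.
    return hashlib.pbkdf2_hmac("sha256", login_password.encode() + purpose, salt, 100_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
    return b"".join(blocks)[:length]

def enrol_user(login_password: str, db_password: Optional[str] = None) -> dict:
    """Build the user's row: login hash plus the wrapped, unique MySQL password."""
    salt = os.urandom(16)
    if db_password is None:
        db_password = secrets.token_urlsafe(24)  # unique per user, never shown to them
    wrap_key = _kdf(login_password, salt, b"wrap")
    nonce = os.urandom(16)
    plaintext = db_password.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(wrap_key, nonce, len(plaintext))))
    tag = hmac.new(wrap_key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "login_hash": _kdf(login_password, salt, b"login"),
            "nonce": nonce, "wrapped_db_password": ciphertext, "tag": tag}

def unwrap_db_password(row: dict, login_password: str) -> Optional[str]:
    """At login: verify the password, then recover the MySQL password for this session."""
    if not hmac.compare_digest(row["login_hash"], _kdf(login_password, row["salt"], b"login")):
        return None  # wrong login password
    wrap_key = _kdf(login_password, row["salt"], b"wrap")
    expected_tag = hmac.new(wrap_key, row["nonce"] + row["wrapped_db_password"], "sha256").digest()
    if not hmac.compare_digest(row["tag"], expected_tag):
        return None  # stored row was altered
    stream = _keystream(wrap_key, row["nonce"], len(row["wrapped_db_password"]))
    return bytes(c ^ k for c, k in zip(row["wrapped_db_password"], stream)).decode()
```

Nothing in the returned row reveals the MySQL password without the user's login password, which is the property the scheme relies on.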