Re: Security Question
If it's a DoS attack then perhaps you should be speaking to your ISP and getting that resolved rather than trying to work around the problem on your side of things! Having said that, you could possibly impose host level restrictions in MySQL, but that could be a lot of work to modify your existing user base, especially since you'd need to gather all your remote host information first, and then do all the updates. Cheers. Armando J.R. Bullington wrote: Hi All -- I have been a member of this list for a while but I actually have a question that I can't answer. MySQL v4.1.14-nt on Win2k3 Server I've got someone who is trying to get in, but I have locked it down. Methods used include, but are not limited to: No Outside Root Access System DSNs for Web connectivity Strong Passwords for each user User Permissions different for each purpose Here's the question -- It's a DoS attack and it's locking up the system for other users (max_connections_allowed). Anything I can do extra via MySQL that will keep this person away, or perhaps free up the server? I would rather not increase the max_conn_allowed var as it's already at 800 (more than I need). Do not have access to the Router (I wish I did, ACLs are such a great thing), but have full Admin rights to the server. Thanks everyone! J.R. -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: security question CAN-2005-0709 CAN-2005-0710 CAN-2005-0711
[EMAIL PROTECTED] wrote: MySQL has moved WELL past the 3.23.x lineage and is getting close to retiring the 4.0.x lineage (it's only a rumor). So I suggest you update Not completely a rumor; on August 2, Heikki wrote: As far as I know, one release of 4.0 will still be built. Considering the differences between 4.0.x and 4.1.x, I never saw the logic of the minor version change of 4.1 . At the moment the 4.0.x branche is useful as an easy step in the way of upgrading to 4.1. But I agree that upgrading to 4.1 is a sound advice. Regards, Jigal. -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: security question CAN-2005-0709 CAN-2005-0710 CAN-2005-0711
Alejandro [EMAIL PROTECTED] wrote on 08/16/2005 03:01:59 PM: Hi, I have installed binary mysql version 3.23.58 downloaded from www.mysql.org. In changelog from the documentation say that the release is from september 2003 and the security bug is in March 2005. What can I do ? How mysql provide updates? Thanks!! = Security info: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0709 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0710 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0711 MySQL has moved WELL past the 3.23.x lineage and is getting close to retiring the 4.0.x lineage (it's only a rumor). So I suggest you update your installation, paying attention to all of the version-to-version gotchas listed here: http://dev.mysql.com/doc/mysql/en/upgrade.html There is little to no activity in support of the 3.23.x version of MySQL. Is there a VERY GOOD reason why you cannot or do not want to upgrade? Shawn Green Database Administrator Unimin Corporation - Spruce Pine
Re: security question CAN-2005-0709 CAN-2005-0710 CAN-2005-0711
I agree with you, I will upgrade . Thanks for the advice. On 8/16/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Alejandro [EMAIL PROTECTED] wrote on 08/16/2005 03:01:59 PM: Hi, I have installed binary mysql version 3.23.58 downloaded from www.mysql.org. In changelog from the documentation say that the release is from september 2003 and the security bug is in March 2005. What can I do ? How mysql provide updates? Thanks!! = Security info: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0709 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0710 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0711 MySQL has moved WELL past the 3.23.x lineage and is getting close to retiring the 4.0.x lineage (it's only a rumor). So I suggest you update your installation, paying attention to all of the version-to-version gotchas listed here: http://dev.mysql.com/doc/mysql/en/upgrade.html There is little to no activity in support of the 3.23.x version of MySQL. Is there a VERY GOOD reason why you cannot or do not want to upgrade? Shawn Green Database Administrator Unimin Corporation - Spruce Pine -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
RE: Security Question
Thomas, It would be more secure if you has the DB on another server that was locked down and only allowed access to the web server on the MySql port, (plus probably ssh access for admin). If you're going to the expense of audits, this must be fairly important, so the cost of the other server would not be too significant? Best regards, Andy -Original Message- From: Curley, Thomas [mailto:[EMAIL PROTECTED] Sent: 26 November 2003 13:22 To: [EMAIL PROTECTED] Subject: RE: Security Question Importance: High thanks for reply - the requirement comes from a security audit - so try to think in terms of a hacker Obviously and (I had assumed) 1.- the files would have tight unix security file permissions applied 2.- indeed the key would be stored on an internal tightly managed box (or device) Another Assumption -- Encrypting / decrypting all data on the fly would be too expensive and grind the app to a halt So the question again :- Any ideas on how to avoid having data files stored with absolutely no protection against copying If there is no solution to this then MySql should not be used on internet accessible boxes for dynamic web sites Thomas -Original Message- From: Fagyal, Csongor [mailto:[EMAIL PROTECTED] Sent: 26 November 2003 12:51 To: Curley, Thomas Cc: [EMAIL PROTECTED] Subject: Re: Security Question Thomas, I am trying to find a solution to the following security issue with MySql DB on linux - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!! Well, someone should not have access rights to the DB files on the first hand. Ideally I would like to know if there is any option in MySql to store the DB files in a secure format and one that needs a key or similiar to open the DB If someone was able to access your DB files, he would probably also be able to access that key (that you must store _somewhere_), wouldn't he? - Csongor ** *** This email and any attachments are confidential and intended for the sole use of the intended recipient(s).If you receive this email in error please notify [EMAIL PROTECTED] and delete it from your system. Any unauthorized dissemination, retransmission, or copying of this email and any attachments is prohibited. Euroconex does not accept any responsibility for any breach of confidence, which may arise from the use of email. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. This message has been scanned for known computer viruses. ** *** -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED] -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Security Question
Hi! On Nov 27, DeBug wrote: - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!! PD Sure. That's why you establish filesystem level access privileges so that PD only the mysql user can copy them in the first place. Some DBMSs allow to setup databases on a separate partition with its own filesystem that will have nothing in common with OS filesystem. OS is unable to read DBMS filesystem data. So getting root on OS does not give the hacker access to the DBMS file system and only DBMS users can access it. No, getting root gives access to each and every byte on the hard drive. He can read the partition where the data are. And if he is prepared, he can interpret them, of course (we are not talikng about script kiddies here, do we ?). Or, he can patch the in-memory image of the running db process and access the data through it. Regards, Sergei -- __ ___ ___ __ / |/ /_ __/ __/ __ \/ / Sergei Golubchik [EMAIL PROTECTED] / /|_/ / // /\ \/ /_/ / /__ MySQL AB, Senior Software Developer /_/ /_/\_, /___/\___\_\___/ Osnabrueck, Germany ___/ www.mysql.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Security Question
Thomas, I am trying to find a solution to the following security issue with MySql DB on linux - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!! Well, someone should not have access rights to the DB files on the first hand. Ideally I would like to know if there is any option in MySql to store the DB files in a secure format and one that needs a key or similiar to open the DB If someone was able to access your DB files, he would probably also be able to access that key (that you must store _somewhere_), wouldn't he? - Csongor -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
RE: Security Question
thanks for reply - the requirement comes from a security audit - so try to think in terms of a hacker Obviously and (I had assumed) 1. - the files would have tight unix security file permissions applied 2. - indeed the key would be stored on an internal tightly managed box (or device) Another Assumption -- Encrypting / decrypting all data on the fly would be too expensive and grind the app to a halt So the question again :- Any ideas on how to avoid having data files stored with absolutely no protection against copying If there is no solution to this then MySql should not be used on internet accessible boxes for dynamic web sites Thomas -Original Message- From: Fagyal, Csongor [mailto:[EMAIL PROTECTED] Sent: 26 November 2003 12:51 To: Curley, Thomas Cc: [EMAIL PROTECTED] Subject: Re: Security Question Thomas, I am trying to find a solution to the following security issue with MySql DB on linux - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!! Well, someone should not have access rights to the DB files on the first hand. Ideally I would like to know if there is any option in MySql to store the DB files in a secure format and one that needs a key or similiar to open the DB If someone was able to access your DB files, he would probably also be able to access that key (that you must store _somewhere_), wouldn't he? - Csongor * This email and any attachments are confidential and intended for the sole use of the intended recipient(s).If you receive this email in error please notify [EMAIL PROTECTED] and delete it from your system. Any unauthorized dissemination, retransmission, or copying of this email and any attachments is prohibited. Euroconex does not accept any responsibility for any breach of confidence, which may arise from the use of email. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. This message has been scanned for known computer viruses. * -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Security Question
On Wednesday 26 November 2003 13:22, Curley, Thomas wrote: Another Assumption -- Encrypting / decrypting all data on the fly would be too expensive and grind the app to a halt So the question again :- Any ideas on how to avoid having data files stored with absolutely no protection against copying To look at it from another angle (and address the 'shouldn't be on the internet' issue), take the case of a webserver that has a script that can access the SQL server. Said SQL server is on a private, internal only network, with no access to the internet. Said script has a username and password that can read 'private' data. Someone is able to see the source if the script, and now has the username and password (assumption: the viewing is done from a local shell). How is having the SQL server hidden from the internet a benefit? So long as you provide any mechanism to access the server, you cannot consider the server data to be private, unless you redefine the word private. If you want to keep data on an SQL server, and not let people copy the database, then don't give them a login on the SQL server, and don't give them a username/password for connecting to the SQL engine. How do you stop someone from copying a piece of paper in an office? You lock it away from them. Or them from it. -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Security Question
Well, I'm not an expert on security, but I don't think this is a database issue. It is really a file/operating system issue. I don't think you can do anything in the database against copying the files. If somebody has access on file system level, the dbms is powerless. So I think you need to think about the OS. Stefan Am Wednesday 26 November 2003 14:22 schrieb Curley, Thomas: thanks for reply - the requirement comes from a security audit - so try to think in terms of a hacker Obviously and (I had assumed) 1.- the files would have tight unix security file permissions applied 2.- indeed the key would be stored on an internal tightly managed box (or device) Another Assumption -- Encrypting / decrypting all data on the fly would be too expensive and grind the app to a halt So the question again :- Any ideas on how to avoid having data files stored with absolutely no protection against copying If there is no solution to this then MySql should not be used on internet accessible boxes for dynamic web sites Thomas -Original Message- From: Fagyal, Csongor [mailto:[EMAIL PROTECTED] Sent: 26 November 2003 12:51 To: Curley, Thomas Cc: [EMAIL PROTECTED] Subject: Re: Security Question Thomas, I am trying to find a solution to the following security issue with MySql DB on linux - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!! Well, someone should not have access rights to the DB files on the first hand. Ideally I would like to know if there is any option in MySql to store the DB files in a secure format and one that needs a key or similiar to open the DB If someone was able to access your DB files, he would probably also be able to access that key (that you must store _somewhere_), wouldn't he? - Csongor *** ** This email and any attachments are confidential and intended for the sole use of the intended recipient(s).If you receive this email in error please notify [EMAIL PROTECTED] and delete it from your system. Any unauthorized dissemination, retransmission, or copying of this email and any attachments is prohibited. Euroconex does not accept any responsibility for any breach of confidence, which may arise from the use of email. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. This message has been scanned for known computer viruses. *** ** -- Stefan Kuhn M. A. Cologne University BioInformatics Center (http://www.cubic.uni-koeln.de) Zülpicher Str. 47, 50674 Cologne Tel: +49(0)221-470-7428 Fax: +49 (0) 221-470-7786 My public PGP key is available at http://pgp.mit.edu -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
RE: Security Question
One of the first things that I did at my former job was to turn off all external-facing network adapters to our DB machines. If you're fortunate enough that your DB resides on it's own box and not the webserver itself, then there's really no reason that you *need* to have it externally facing. There are PLENTY of solutions that you can put in place in order to still have remote access to those machines without them having an externally routable IP. While it is possible for a hacker to compromise one machine and then access the DB machine over your internal WAN at the hosting location, the more roadblocks you put between a potential hacker and your sensitive data, the better. -M -Original Message- From: Curley, Thomas [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 26, 2003 8:22 AM To: [EMAIL PROTECTED] Subject: RE: Security Question Importance: High thanks for reply - the requirement comes from a security audit - so try to think in terms of a hacker Obviously and (I had assumed) 1. - the files would have tight unix security file permissions applied 2. - indeed the key would be stored on an internal tightly managed box (or device) Another Assumption -- Encrypting / decrypting all data on the fly would be too expensive and grind the app to a halt So the question again :- Any ideas on how to avoid having data files stored with absolutely no protection against copying If there is no solution to this then MySql should not be used on internet accessible boxes for dynamic web sites Thomas -Original Message- From: Fagyal, Csongor [mailto:[EMAIL PROTECTED] Sent: 26 November 2003 12:51 To: Curley, Thomas Cc: [EMAIL PROTECTED] Subject: Re: Security Question Thomas, I am trying to find a solution to the following security issue with MySql DB on linux - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!! Well, someone should not have access rights to the DB files on the first hand. Ideally I would like to know if there is any option in MySql to store the DB files in a secure format and one that needs a key or similiar to open the DB If someone was able to access your DB files, he would probably also be able to access that key (that you must store _somewhere_), wouldn't he? - Csongor * This email and any attachments are confidential and intended for the sole use of the intended recipient(s).If you receive this email in error please notify [EMAIL PROTECTED] and delete it from your system. Any unauthorized dissemination, retransmission, or copying of this email and any attachments is prohibited. Euroconex does not accept any responsibility for any breach of confidence, which may arise from the use of email. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. This message has been scanned for known computer viruses. * -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED] -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
RE: Security Question
Mike Correct and this is the architecture. The internet facing box has a routable IP, the DB box is separate and is not ext routable. The issue the security review highlighted strongly was the fact that if a hacker got access to the box (however) then copying /var/lib/mysql/database would result in a major security breach To the chap who siad its not a DB issue - I will check with Oracle but I'm sure that dropping in a directory in oracle will not give you full access to a database (a clear one that is) Thomas -Original Message- From: Mike Brum [mailto:[EMAIL PROTECTED] Sent: 26 November 2003 13:36 To: Curley, Thomas; [EMAIL PROTECTED] Subject: RE: Security Question One of the first things that I did at my former job was to turn off all external-facing network adapters to our DB machines. If you're fortunate enough that your DB resides on it's own box and not the webserver itself, then there's really no reason that you *need* to have it externally facing. There are PLENTY of solutions that you can put in place in order to still have remote access to those machines without them having an externally routable IP. While it is possible for a hacker to compromise one machine and then access the DB machine over your internal WAN at the hosting location, the more roadblocks you put between a potential hacker and your sensitive data, the better. -M -Original Message- From: Curley, Thomas [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 26, 2003 8:22 AM To: [EMAIL PROTECTED] Subject: RE: Security Question Importance: High thanks for reply - the requirement comes from a security audit - so try to think in terms of a hacker Obviously and (I had assumed) 1. - the files would have tight unix security file permissions applied 2. - indeed the key would be stored on an internal tightly managed box (or device) Another Assumption -- Encrypting / decrypting all data on the fly would be too expensive and grind the app to a halt So the question again :- Any ideas on how to avoid having data files stored with absolutely no protection against copying If there is no solution to this then MySql should not be used on internet accessible boxes for dynamic web sites Thomas -Original Message- From: Fagyal, Csongor [mailto:[EMAIL PROTECTED] Sent: 26 November 2003 12:51 To: Curley, Thomas Cc: [EMAIL PROTECTED] Subject: Re: Security Question Thomas, I am trying to find a solution to the following security issue with MySql DB on linux - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!! Well, someone should not have access rights to the DB files on the first hand. Ideally I would like to know if there is any option in MySql to store the DB files in a secure format and one that needs a key or similiar to open the DB If someone was able to access your DB files, he would probably also be able to access that key (that you must store _somewhere_), wouldn't he? - Csongor * This email and any attachments are confidential and intended for the sole use of the intended recipient(s).If you receive this email in error please notify [EMAIL PROTECTED] and delete it from your system. Any unauthorized dissemination, retransmission, or copying of this email and any attachments is prohibited. Euroconex does not accept any responsibility for any breach of confidence, which may arise from the use of email. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. This message has been scanned for known computer viruses. * -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED] * This email and any attachments are confidential and intended for the sole use of the intended recipient(s).If you receive this email in error please notify [EMAIL PROTECTED] and delete it from your system. Any unauthorized dissemination, retransmission, or copying of this email and any attachments is prohibited. Euroconex does not accept any responsibility for any breach of confidence, which may arise from the use of email. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. This message has been scanned for known computer viruses. * -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http
Re: Security Question
On Wednesday 26 November 2003 13:43, Curley, Thomas wrote: Mike Correct and this is the architecture. The internet facing box has a routable IP, the DB box is separate and is not ext routable. The issue the security review highlighted strongly was the fact that if a hacker got access to the box (however) then copying /var/lib/mysql/database would result in a major security breach To the chap who siad its not a DB issue - I will check with Oracle but I'm sure that dropping in a directory in oracle will not give you full access to a database (a clear one that is) In the end, it's all tradeoffs. You could put an encryption algorithm into your web interface, but then the key is public. However, cracking the DB server only gets you encrypted data. Tradeoff? Speed. Best data security practice (silly) - don't have the data in the first place. -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Security Question
To the chap who siad its not a DB issue - I will check with Oracle but I'm sure that dropping in a directory in oracle will not give you full access to a database (a clear one that is) The chap was me :-) I'm sure it does on oracle. Once you have an Oracle installation and got hold of all database files (which is easy once an intruder got root on the machine) you have access to all data. Even oracle can't do anything about this, but there might be two difficulties with oracle compared to mysql: You need the oracle software (expensive, but do hackers buy software?) and it might be that the files are spread all over the computer and hard to find. But basically, it is the same with oracle (but I never used oracle, this is common sense). Stefan -- Stefan Kuhn M. A. Cologne University BioInformatics Center (http://www.cubic.uni-koeln.de) Zülpicher Str. 47, 50674 Cologne Tel: +49(0)221-470-7428 Fax: +49 (0) 221-470-7786 My public PGP key is available at http://pgp.mit.edu -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Security Question
Hacker gets in this way: -[Webserver][rooted]-[DBServer][rooted]-File_Access(/var/lib/mysql/database) I'd say the major security breach is already when the Webserver is rooted.^ If he gets to your webserver he could still read WHATEVER DATA he wants from your database with the information he finds in your site's code. Look at below example: (Use Fixed Font) Internet | (80,443)--- - firewall w/ webports open | Webserver | (3306)- - another one allowing mysql access | DBServer Since you have a bulkhead between your servers your DBServer is completely* safe from anyone getting file-level access to it. But, since you have a working webserver with scripts and functions to access the database he can still access any data he wants from the database server. Stop worrying so much about mysql's filelevel security. If your webserver is rooted you are toast anyway! Mike ^Your security review needs to be reviewed? *Unless there's a security hole in mysql allowing code/command execution. On Wednesday 26 November 2003 14.43, Curley, Thomas wrote: Mike Correct and this is the architecture. The internet facing box has a routable IP, the DB box is separate and is not ext routable. The issue the security review highlighted strongly was the fact that if a hacker got access to the box (however) then copying /var/lib/mysql/database would result in a major security breach To the chap who siad its not a DB issue - I will check with Oracle but I'm sure that dropping in a directory in oracle will not give you full access to a database (a clear one that is) Thomas -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Security Question
Hi! On Nov 26, Curley, Thomas wrote: thanks for reply - the requirement comes from a security audit - so try to think in terms of a hacker Obviously and (I had assumed) 1.- the files would have tight unix security file permissions applied 2.- indeed the key would be stored on an internal tightly managed box (or device) Another Assumption -- Encrypting / decrypting all data on the fly would be too expensive and grind the app to a halt So the question again :- Any ideas on how to avoid having data files stored with absolutely no protection against copying Just as you said above - tight unix security file permissions. That is - database files should be readable ONLY by the dedicated mysql user. Thus if somebody breaks in he will need to be root to copy these files. And if he can get root - no encryption will help, he can get the key straight from the mysqld memory image (via /proc/*/mem) or patch the server (again via /proc/*/mem) to decrypt all the data for him, or hijack your connections to the server and record all the traffic or anything. If somebody got root - you lost. Until he did - unix permissions will help. If there is no solution to this then MySql should not be used on internet accessible boxes for dynamic web sites See above. Web server should be on this internet accessible box, shouldn't it ? And it (or a CGI program) should be able to talk to mysqld (which resides on a dedicated secure box), and it should know the password. So if somebody can get into the box with httpd - he'll be able to access mysqld too. Regards, Sergei -- __ ___ ___ __ / |/ /_ __/ __/ __ \/ / Sergei Golubchik [EMAIL PROTECTED] / /|_/ / // /\ \/ /_/ / /__ MySQL AB, Senior Software Developer /_/ /_/\_, /___/\___\_\___/ Osnabrueck, Germany ___/ www.mysql.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Security Question
Stefan Kuhn wrote: To the chap who siad its not a DB issue - I will check with Oracle but I'm sure that dropping in a directory in oracle will not give you full access to a database (a clear one that is) The chap was me :-) I'm sure it does on oracle. Once you have an Oracle installation and got hold of all database files (which is easy once an intruder got root on the machine) you have access to all data. Even oracle can't do anything about this, but there might be two difficulties with oracle compared to mysql: You need the oracle software (expensive, but do hackers buy software?) and it might be that the files are spread all over the computer and hard to find. But basically, it is the same with oracle (but I never used oracle, this is common sense). Stefan It isn't quite as simple as copying the datafiles to a new server and opening the Oracle database. There are controlfiles to deal with and a somewhat complex process to follow. But, Oracle documentation and Oracle database software is freely downloadable over the net, so a determined theif would be able to access your data without too much problem. It is far easier, however, if you can root an Oracle box, to become the software owner, change the sys/system password (database root), export the database and either import that file into another Oracle database or just do a strings on it to get readable data. You can do all that, anyway, faster than copying all of the datafiles off the server. -- Glenn Stauffer -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
RE: Security Question
At 07:22 AM 11/26/2003, you wrote: Another Assumption -- Encrypting / decrypting all data on the fly would be too expensive and grind the app to a halt Not true. There are some databases that can encrypt records on the fly without any speed degradation ( 1%) using either Blowfish or AES. The data record, index, blob fields (memos) are all encrypted so if someone walks away with your database files, they are all gibberish. The transmission of the password over the network is also encrypted. See www.advantagedatabase.com for a Windows/Linux solution. (Unfortunately their free ALS version has a license agreement that does NOT permit its use on a web server.) If you have physical access to the web server then simply entering the password will get the database app up and running. Or there are various means to send the encrypted time sensitive password to the webserver so it can open the database. Anyone sniffing for the password will be out of luck. I too would love to have MySQL encrypt the records on he fly, especially if it is on a shared webserver. OS security will only get you so far. Other database companies have implemented transparent record encryption quite effectively, and I'm still waiting for MySQL to realize the importance of encryption. Mike ( holding breath :-0 ) -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Security Question
Curley, Thomas wrote: I am trying to find a solution to the following security issue with MySql DB on linux - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!! As all the other posters have mentioned, you should have tight file level security set up. However, if you use basic mysql user authentication, even copying the files over shouldn't allow them to view the information in a database since they would need the mysql user/passwd to do anything. Which got me to thinkingis this the case? If I am using MyISAM tables and just port them over to a different box with a different security scheme, would I be allowed to view those MyISAM tables? Also, is this the case for InnoDB as well? -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Security Question
At 16:13 -0500 11/26/03, Kevin Carlson wrote: Curley, Thomas wrote: I am trying to find a solution to the following security issue with MySql DB on linux - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!! As all the other posters have mentioned, you should have tight file level security set up. However, if you use basic mysql user authentication, even copying the files over shouldn't allow them to view the information in a database since they would need the mysql user/passwd to do anything. Which got me to thinkingis this the case? If I am using MyISAM tables and just port them over to a different box with a different security scheme, would I be allowed to view those MyISAM tables? Also, is this the case for InnoDB as well? Sure. That's why you establish filesystem level access privileges so that only the mysql user can copy them in the first place. If someone can copy your database files, you're hosed. All the attacker need do is start the server with --skip-grant-tables, and he can can connect to it with no password, and has complete access to any files managed by the server. -- Paul DuBois, Senior Technical Writer Madison, Wisconsin, USA MySQL AB, www.mysql.com Are you MySQL certified? http://www.mysql.com/certification/ -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Security Question
At 03:21 PM 11/26/2003, you wrote: If someone can copy your database files, you're hosed. All the attacker need do is start the server with --skip-grant-tables, and he can can connect to it with no password, and has complete access to any files managed by the server. Paul Curley, And of course if they have physical access to the machine they can remove your hard drive and put them into their own machine as a slave. Hot swapable drives makes removal fast and easy; you don't even need a screwdriver. So if your data is worth something, make sure there are good locks on the door and check everyone's bag on the way out.g If you think this can't happen, a mega bookstore opened up in town and they had their file sever/database sever sitting beside a desk in the common area. I guess they were in a hurry to set it up and get the terminals up and running. Well a few days later the system went down and in a few minutes the techie went over to check it out. Well, their tower computer had disappeared. Apparently someone had disconnected (or cut the cables) it and snuck it out the door under a trench coat. It took less than 60 seconds and their data was gone, customer lists, vendor info, and credit card data now belonged to someone else. I don't know what database they were using, but once your hard drives are gone or copied or backed up, your data is vulnerable unless you're using encryption that is independent of the OS. Mike -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
re: Security question
Daniel, Monday, October 28, 2002, 1:06:10 AM, you wrote: DLS In my mysql.db file, I have some lines like: DLS %.private | somedb | someuser | Y | Y | Y | Y | Y | Y | N | Y | Y | Y DLS So, I have an internal domain called private, those hosts are in an DLS internal DNS, and can be reverse resolved. The only way I can manage to DLS connect to somedb as someuser is to put the fully qualified hostnames DLS in the /etc/hosts file, eg.: DLS 1.2.3.4 somehost.private DLS For some reason mysql is not seeing the DNS resolution. Yes, DNS is DLS really working as verified with nslookup for both forward and reverse DLS records. DLS The version of mysqld I am running is: DLS /usr/libexec/mysqld Ver 3.23.36 for redhat-linux-gnu on i386 DLS Can someone provide some insight or suggestions? Sure, there are some known problems with resolver on Linux. First, you should not compile MySQL by yourself. Broken resolver is one of the most common situations happening when MySQL is wrong-compiled. Second, there were a log of fixes to resolver part of MySQL since .36. So you have to upgrade your server to MySQL 3.23.53 with MySQL official binary release found at http://www.mysql.com/ That will help. -- For technical support contracts, goto https://order.mysql.com/?ref=ensita This email is sponsored by Ensita.net http://www.ensita.net/ __ ___ ___ __ / |/ /_ __/ __/ __ \/ /Egor Egorov / /|_/ / // /\ \/ /_/ / /__ [EMAIL PROTECTED] /_/ /_/\_, /___/\___\_\___/ MySQL AB / Ensita.net ___/ www.mysql.com - Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail [EMAIL PROTECTED] To unsubscribe, e-mail [EMAIL PROTECTED] Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
Re: Security question
Mike, Thursday, August 15, 2002, 12:45:06 AM, you wrote: MH Hi there, MH I posted this a few days ago and recieved no responses, so I thought I would MH post it again: Mike, I answered you yesterday. MH Hi All; MH I am working on a front end to my database, but I am running into a bit of MH trouble. I have a user who has the proper privileges and grant option create MH other users, but I need to know this: can that user delete users he has MH created (or at least disable them), and can users change their own MH passwords? This is all being done for a VB front end, so I need to be able MH to do these things using SQL statements. Any help would be appreciated. To create other users you must have UPDATE privilege on database 'mysql' and GRANT_priv. To delete users you must have DELETE_priv and SELECT_priv (to use DELETE with WHERE clause) on the database 'mysql'. But in this case user can delete any user from database 'mysql' not only users that you created. User can change his password just using mysqladmin mysqladmin -uuser_name -pold_password password 'new_password' or SET statement: http://www.mysql.com/doc/en/Passwords.html -- For technical support contracts, goto https://order.mysql.com/?ref=ensita This email is sponsored by Ensita.net http://www.ensita.net/ __ ___ ___ __ / |/ /_ __/ __/ __ \/ /Victoria Reznichenko / /|_/ / // /\ \/ /_/ / /__ [EMAIL PROTECTED] /_/ /_/\_, /___/\___\_\___/ MySQL AB / Ensita.net ___/ www.mysql.com - Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail [EMAIL PROTECTED] To unsubscribe, e-mail [EMAIL PROTECTED] Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
Re: Security Question
LOAD DATA [LOW_PRIORITY] [LOCAL] INFILE 'file_name.txt' [REPLACE | IGNORE] INTO TABLE tbl_name [FIELDS [TERMINATED BY '\t'] [OPTIONALLY] ENCLOSED BY ''] [ESCAPED BY '\\' ]] [LINES TERMINATED BY '\n'] [IGNORE number LINES] [(col_name,...)] The LOAD DATA INFILE statement reads rows from a text file into a table at a very high speed. If the LOCAL keyword is specified, the file is read from the client host. If LOCAL is not specified, the file must be located on the server. (LOCAL is available in MySQL 3.22.6 or later.) Moreover u r missing the escape char "\" in the path so jsut type the foll and tell me it works . load data local inifile "c:\\text.txt" into table dbname.tblname fields . Additionally u could use "c:/text.txt" . Notice the forward slash cheers Sajan - Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 27, 2001 4:30 PM Subject: Security Question Hi, I am typing the following sequence of commands and running into an access denied message. mysql -uusername -ppassword -hwww.myhost.com dbname the bit above works and takes me to my mysql prompt and i am logged into my server/database. then i try the following and i get the error message. load data local inifile "c:\text.txt" into table dbname.tblname fields terminated by ',' ; I have also tried ... infile "text.txt" and placed a copy of the text file in c:\mysql and c:\mysql\bin with no success. please could you let me know if you can see I am doing something wrong or if there is a way I can check to see if I have relevant access before I contact my ISP. Many thanks Sean Browne. - Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail [EMAIL PROTECTED] To unsubscribe, e-mail [EMAIL PROTECTED] Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
