Re: Security issues

2010-06-01 Thread Raj Shekhar
In infinite wisdom "Jerry Schwartz"  wrote:

> Back when this was a day-to-day concern of mine, I used to check CERT's 
> website (the section now known as their "Vulnerability Notes Database", 
> http://www.kb.cert.org/vuls). 

If securing the database is your job, then you really need to drink from
the firehose that is called "full-disclosure".  
 
-- 
Raj Shekhar
-
If there's anything more important than my ego around, I want it
caught and shot now.



-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/mysql?unsub=arch...@jab.org



RE: Security issues

2010-05-25 Thread Jerry Schwartz
Back when this was a day-to-day concern of mine, I used to check CERT's 
website (the section now known as their "Vulnerability Notes Database", 
http://www.kb.cert.org/vuls). Unfortunately, I see that the last entry for 
MySQL is from years ago.

Regards,

Jerry Schwartz
Global Information Incorporated
195 Farmington Ave.
Farmington, CT 06032

860.674.8796 / FAX: 860.674.8341

www.the-infoshop.com








RE: Security issues

2010-05-25 Thread Martin Gainty

Good Morning Rob-

 

I agree with you that security is a very serious topic and should be addressed
as such.

Please read the security alert page listed at tech-resources:

http://dev.mysql.com/tech-resources/articles/security_alert.html


I hope this addresses your question,
Martin Gainty 
__
Disclaimer and confidentiality note

This message is confidential and may be privileged. If you are not the intended
recipient, we kindly ask you to notify the sender. Any unauthorised forwarding
or copying is not permitted. This message serves only to exchange information
and has no legally binding effect. Because e-mails can easily be manipulated,
we cannot accept liability for their content.



 

> From: wult...@gmail.com
> Date: Mon, 24 May 2010 13:45:35 -0700
> Subject: Re: Security issues
> To: mgai...@hotmail.com
> CC: je...@gii.co.jp; mysql@lists.mysql.com
> 
> On Mon, May 24, 2010 at 1:42 PM, Martin Gainty  wrote:
> > Good Afternoon Rob-
> >
> > if you're implementing either glassfish or weblogic webserver
> > your "best fit solution" would be Oracle Identity Manager
> >
> > there are 'other' identity solutions such as RSA which are
> > 1)far more complex ..
> > 2)virtually hackproof..
> > at random intervals RSA implements an alternate encryption algorithm with an
> > alternate keysize
> >
> > RSA issues smart cards which contain sufficient biometric information
> > to authenticate you
> > (and pass the authentication token to the OS)
> >
> > does this help?
> > Martin Gainty
> 
> I am explicitly not setting up identity solutions or anything else.
> All I want is a page from mysql which lists security issues and what
> versions are affected. I don't think that this is such an insane
> thought...
> 
> 
> -- 
> Rob Wultsch
> wult...@gmail.com
> 
  

Re: Security issues

2010-05-24 Thread Rob Wultsch
On Mon, May 24, 2010 at 1:42 PM, Martin Gainty  wrote:
> Good Afternoon Rob-
>
> if you're implementing either glassfish or weblogic webserver
> your "best fit solution" would be Oracle Identity Manager
>
> there are 'other' identity solutions such as RSA which are
> 1)far more complex ..
> 2)virtually hackproof..
> at random intervals RSA implements an alternate encryption algorithm with an
> alternate keysize
>
> RSA issues smart cards which contain sufficient biometric information
> to authenticate you
> (and pass the authentication token to the OS)
>
> does this help?
> Martin Gainty

I am explicitly not setting up identity solutions or anything else.
All I want is a page from mysql which lists security issues and what
versions are affected. I don't think that this is such an insane
thought...


-- 
Rob Wultsch
wult...@gmail.com




RE: Security issues

2010-05-24 Thread Martin Gainty

Good Afternoon Rob-

 

if you're implementing either glassfish or weblogic webserver 
your "best fit solution" would be Oracle Identity Manager

 

there are 'other' identity solutions such as RSA which are 

1)far more complex ..
2)virtually hackproof..
at random intervals RSA implements an alternate encryption algorithm with an 
alternate keysize


RSA issues smart cards which contain sufficient biometric information to 
authenticate you
(and pass the authentication token to the OS)

does this help?
Martin Gainty 



 

> From: wult...@gmail.com
> Date: Mon, 24 May 2010 13:27:52 -0700
> Subject: Re: Security issues
> To: je...@gii.co.jp
> CC: mgai...@hotmail.com; mysql@lists.mysql.com
> 
> On Mon, May 24, 2010 at 12:07 PM, Jerry Schwartz  wrote:
> >>-Original Message-
> >>From: Rob Wultsch [mailto:wult...@gmail.com]
> >>Sent: Saturday, May 22, 2010 11:52 AM
> >>To: Martin Gainty
> >>Cc: mysql@lists.mysql.com
> >>Subject: Re: Security issues
> >>
> >>On Sat, May 22, 2010 at 5:44 AM, Martin Gainty  wrote:
> >>> Good Morning Rob-
> >>>
> >>> one vulnerability (with UDFs)
> >>> http://dev.mysql.com/tech-resources/articles/security_alert.html
> >>>
> >>> a manager considering an enterprise-wide security solution may want
> >>> to consider Oracle Identity Manager (with Glassfish 3.2)
> >>> http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-
> >>556/
> >>>
> >>> Does this help?
> >>> Martin Gainty
> >>
> >>Martin,
> >>
> >>Thank you for the reply.
> >>
> >>The guys across the street have a single page with cliff notes about
> >>every vulnerability affecting every supported version*. The page I
> >>noted was comprehensive. Martin, what you listed was a page with a
> >>single vuln and a page which looks like a product.
> >>
> > [JS] This is always a tough call for a software developer. On the one hand,
> > announcing an unfixed problem alerts users; but at the same time, it also
> > alerts abusers. Some companies go one way, some go the other.
> >
> > Regards,
> >
> > Jerry Schwartz
> > Global Information Incorporated
> > 195 Farmington Ave.
> > Farmington, CT 06032
> >
> > 860.674.8796 / FAX: 860.674.8341
> 
> 
> I explicitly do not want a list of unfixed problems. I want a list of
> fixed issues and what versions are affected.
> 
  

Re: Security issues

2010-05-24 Thread Rob Wultsch
On Mon, May 24, 2010 at 12:07 PM, Jerry Schwartz  wrote:
>>-Original Message-
>>From: Rob Wultsch [mailto:wult...@gmail.com]
>>Sent: Saturday, May 22, 2010 11:52 AM
>>To: Martin Gainty
>>Cc: mysql@lists.mysql.com
>>Subject: Re: Security issues
>>
>>On Sat, May 22, 2010 at 5:44 AM, Martin Gainty  wrote:
>>> Good Morning Rob-
>>>
>>> one vulnerability (with UDFs)
>>> http://dev.mysql.com/tech-resources/articles/security_alert.html
>>>
> >>> a manager considering an enterprise-wide security solution may want
>>> to consider Oracle Identity Manager (with Glassfish 3.2)
>>> http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-
>>556/
>>>
>>> Does this help?
>>> Martin Gainty
>>
>>Martin,
>>
>>Thank you for the reply.
>>
>>The guys across the street have a single page with cliff notes about
> >>every vulnerability affecting every supported version*. The page I
> >>noted was comprehensive. Martin, what you listed was a page with a
> >>single vuln and a page which looks like a product.
>>
> [JS] This is always a tough call for a software developer. On the one hand,
> announcing an unfixed problem alerts users; but at the same time, it also
> alerts abusers. Some companies go one way, some go the other.
>
> Regards,
>
> Jerry Schwartz
> Global Information Incorporated
> 195 Farmington Ave.
> Farmington, CT 06032
>
> 860.674.8796 / FAX: 860.674.8341


I explicitly do not want a list of unfixed problems. I want a list of
fixed issues and what versions are affected.




RE: Security issues

2010-05-24 Thread Jerry Schwartz
>-Original Message-
>From: Rob Wultsch [mailto:wult...@gmail.com]
>Sent: Saturday, May 22, 2010 11:52 AM
>To: Martin Gainty
>Cc: mysql@lists.mysql.com
>Subject: Re: Security issues
>
>On Sat, May 22, 2010 at 5:44 AM, Martin Gainty  wrote:
>> Good Morning Rob-
>>
>> one vulnerability (with UDFs)
>> http://dev.mysql.com/tech-resources/articles/security_alert.html
>>
>> a manager considering an enterprise-wide security solution may want
>> to consider Oracle Identity Manager (with Glassfish 3.2)
>> http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-
>556/
>>
>> Does this help?
>> Martin Gainty
>
>Martin,
>
>Thank you for the reply.
>
>The guys across the street have a single page with cliff notes about
>every vulnerability affecting every supported version*. The page I
>noted was comprehensive. Martin, what you listed was a page with a
>single vuln and a page which looks like a product.
>
[JS] This is always a tough call for a software developer. On the one hand, 
announcing an unfixed problem alerts users; but at the same time, it also 
alerts abusers. Some companies go one way, some go the other.

Regards,

Jerry Schwartz
Global Information Incorporated
195 Farmington Ave.
Farmington, CT 06032

860.674.8796 / FAX: 860.674.8341

www.the-infoshop.com










Re: Security issues

2010-05-22 Thread Johnny Withers
You could use CVE. Postgres's security page doesn't seem to sync with their
CVE entries, even though they reference CVE entries on their comprehensive
security page.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postgresql

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql

JW

On Sat, May 22, 2010 at 10:51 AM, Rob Wultsch  wrote:

> On Sat, May 22, 2010 at 5:44 AM, Martin Gainty 
> wrote:
> > Good Morning Rob-
> >
> > one vulnerability (with UDFs)
> > http://dev.mysql.com/tech-resources/articles/security_alert.html
> >
> > a manager considering an enterprise-wide security solution may want
> > to consider Oracle Identity Manager (with Glassfish 3.2)
> >
> http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-556/
> >
> > Does this help?
> > Martin Gainty
>
> Martin,
>
> Thank you for the reply.
>
> The guys across the street have a single page with cliff notes about
> every vulnerability affecting every supported version*. The page I
> noted was comprehensive. Martin, what you listed was a page with a
> single vuln and a page which looks like a product.
>
> The grass is looking pretty darn green on the other side of the street.
>
> *And they support all the way back to 7.4, which is equivalent to 4.1
> era. 2005 is not that long ago.
> --
> Rob Wultsch
> wult...@gmail.com
>


-- 
-
Johnny Withers
601.209.4985
joh...@pixelated.net


Re: Security issues

2010-05-22 Thread Rob Wultsch
On Sat, May 22, 2010 at 5:44 AM, Martin Gainty  wrote:
> Good Morning Rob-
>
> one vulnerability (with UDFs)
> http://dev.mysql.com/tech-resources/articles/security_alert.html
>
> a manager considering an enterprise-wide security solution may want
> to consider Oracle Identity Manager (with Glassfish 3.2)
> http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-556/
>
> Does this help?
> Martin Gainty

Martin,

Thank you for the reply.

The guys across the street have a single page with cliff notes about
every vulnerability affecting every supported version*. The page I
noted was comprehensive. Martin, what you listed was a page with a
single vuln and a page which looks like a product.

The grass is looking pretty darn green on the other side of the street.

*And they support all the way back to 7.4, which is equivalent to 4.1
era. 2005 is not that long ago.
-- 
Rob Wultsch
wult...@gmail.com




RE: Security issues

2010-05-22 Thread Martin Gainty

Good Morning Rob-

 

one vulnerability (with UDFs)

http://dev.mysql.com/tech-resources/articles/security_alert.html


a manager considering an enterprise-wide security solution may want to consider 
Oracle Identity Manager (with Glassfish 3.2)

http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-556/

 

Does this help?
Martin Gainty 



 

> From: wult...@gmail.com
> Date: Fri, 21 May 2010 22:50:06 -0700
> Subject: Security issues
> To: mysql@lists.mysql.com
> 
> Given the rather serious recent bug fixes I have been thinking a good
> bit about security. Does MySQL AB/Sun/Oracle maintain a page similar
> to http://www.postgresql.org/support/security.html which lists
> security issues and what releases they affected?
> 
> -- 
> Rob Wultsch
> wult...@gmail.com
> 

Re: Security overrides in mysql.cnf

2008-03-20 Thread Paul DuBois

At 2:51 PM -0500 3/19/08, Brown, Charles wrote:

> I inherited a mysql server database. Stuff is not documented.  My
> question is: Are there any security workarounds in mysql? I have access
> to the cnf file. I need to get in and dump the database. I was told that
> the cnf file allows security overrides. Please help.


If you were told that, perhaps you could ask the person(s) who
told you that what they meant and how to do it. :-)

Information in other followups about --skip-grant-tables is
useful, too. You can start the server that way, connect as root w/no
password, issue a FLUSH PRIVILEGES statement to re-enable the
grant tables (so that you can use CREATE USER, GRANT, etc.), and
then set up the accounts the way you want (new root password and
so forth).

--
Paul DuBois, MySQL Documentation Team
Madison, Wisconsin, USA
MySQL AB, www.mysql.com




Re: Security overrides in mysql.cnf

2008-03-19 Thread Daniel Brown
On Wed, Mar 19, 2008 at 3:51 PM, Brown, Charles <[EMAIL PROTECTED]> wrote:
> I inherited a mysql server database. Stuff is not documented.  My
> question is: Are there any security workarounds in mysql? I have access
> to the cnf file. I need to get in and dump the database. I was told that
> the cnf file allows security overrides. Please help.
>
>  I have tried mysql -uroot.  It didn't work

Did you use the -p flag and supply the root password?

You'll need to be root to dump all of the databases.  If it's on a
cPanel/WHM server, you can use WHM to reset the MySQL root password if
you don't know what it is.

-- 

Forensic Services, Senior Unix Engineer
1+ (570-) 362-0283




Re: Security overrides in mysql.cnf

2008-03-19 Thread Dan Rogart
Hi,


On 3/19/08 3:51 PM, "Brown, Charles" <[EMAIL PROTECTED]> wrote:

> I inherited a mysql server database. Stuff is not documented.  My
> question is: Are there any security workarounds in mysql? I have access
> to the cnf file. I need to get in and dump the database. I was told that
> the cnf file allows security overrides. Please help.
> 
> I have tried mysql -uroot.  It didn't work
> 

You can start the server so that you skip loading the grant tables.  That
should let you get in and change the root password.  Then you should have
access to do what you need to.

Instructions are here:
http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html#resetting-permissions-unix

-Dan





Re: Security settings won't take during installation

2006-08-25 Thread Asif Lodhi

Hi Adrian,

On 8/25/06, Adrian Greeman <[EMAIL PROTECTED]> wrote:

> "The security settings could not be applied to the database because the ..


I am pasting here the text of one of my earlier posts to this list:

I got MySQL 5.0.22 running successfully on Win-XP-SP2 as follows:

1)  Download the no-install zip package of MySQL-5.0.22 from the website.
2)  Unpack it in the directory of your choice (C:\mysql5 - for example).
3)  Create a top-level folder - C:\mysql5Data for the data directory.
4)  Cut the contents of the C:\mysql5\data directory and paste the same
    into C:\mysql5Data.
5)  Delete the C:\mysql5\data directory.
6)  Create a copy of an appropriate mysql-xxx.ini file and rename it to MY.INI.
7)  Change the value of the data-dir variable to C:/mysql5Data - NOTE
    FORWARD INSTEAD OF BACK-SLASHES.
8)  Create another top-level C:\InnoDBData folder.
9)  Change appropriate InnoDB data-directory variables in C:\my.ini
    (with forward slashes!).
10) Right-click the MY COMPUTER icon on the desktop and select Properties
    from the shortcut menu.  Go to the Advanced tab and select Environment
    Variables.  Select PATH in the system variables and add C:\mysql5\bin;
    at the beginning of it.  Apply and OK.
11) Select RUN from the start menu, type CMD and press ENTER.
12) Right-click the C:\InnoDBData folder, select Properties from the
    shortcut menu, add the "LOCAL SERVICE" user account in the Security tab
    and give it "Full Control" access.
13) Do the same as in 12) with the C:\mysql5Data folder.
14) Type mysqld-nt --install YourServiceName
    --defaults-file=C:\mysql5\my.ini --local-service
    and press ENTER.
15) Type NET START YourServiceName and press ENTER.

Now you have MYSQL-5.0.22 installed on WinXP-Pro-SP2.

Forget about the automatic installer.  I got similar errors to yours.

Additionally, I have found that the MySQL ODBC driver installs best
when you do it manually - that is, hand-copy files into the Windows
System32 directory.  In addition, as I have found, it complains that
some MSVCR7.dll is missing.  When I searched for the file on Google,
the search engine led me to some DllFiles.com (or some similar
webpage) where I got the file, downloaded the same to my computer and
everything worked like a cinch!

--
Asif




Re: Security fix for 4.0.27?

2006-06-06 Thread Jim Winstead
On Mon, Jun 05, 2006 at 10:16:05PM -0700, Ken Williams wrote:
> Anyone know if 4.0.27 will be fixed for the mysql_real_escape issue?
> (http://lists.mysql.com/announce/364)
> 
> 4.1 and 5 have been already, kinda wondering why 4.0 hasn't.

It will not, because 4.0 does not have this bug.

Jim Winstead
MySQL Inc.




Re: Security Question

2005-10-03 Thread Armando
If it's a DoS attack then perhaps you should be speaking to your ISP and 
getting that resolved rather than trying to work around the problem on 
your side of things!


Having said that, you could possibly impose host level restrictions in 
MySQL, but that could be a lot of work to modify your existing user 
base, especially since you'd need to gather all your remote host 
information first, and then do all the updates. Cheers.


Armando

J.R. Bullington wrote:

> Hi All --
>
> I have been a member of this list for a while but I actually have a
> question that I can't answer.
>
> MySQL v4.1.14-nt on Win2k3 Server
>
> I've got someone who is trying to get in, but I have locked it down.
> Methods used include, but are not limited to:
>
> No Outside Root Access
> System DSNs for Web connectivity
> Strong Passwords for each user
> User Permissions different for each purpose
>
> Here's the question -- It's a DoS attack and it's locking up the system
> for other users (max_connections_allowed).
>
> Anything I can do extra via MySQL that will keep this person away, or
> perhaps free up the server? I would rather not increase the
> max_conn_allowed var as it's already at 800 (more than I need).
>
> Do not have access to the Router (I wish I did, ACLs are such a great
> thing), but have full Admin rights to the server.
>
> Thanks everyone!
>
> J.R.






Re: security question CAN-2005-0709 CAN-2005-0710 CAN-2005-0711

2005-08-17 Thread Jigal van Hemert

[EMAIL PROTECTED] wrote:
> MySQL has moved WELL past the 3.23.x lineage and is getting close to
> retiring the 4.0.x lineage (it's only a rumor). So I suggest you update


Not completely a rumor; on August 2, Heikki wrote: "As far as I know, 
one release of 4.0 will still be built."


Considering the differences between 4.0.x and 4.1.x, I never saw the
logic of the minor version change of 4.1. At the moment the 4.0.x
branch is useful as an easy step on the way to upgrading to 4.1.


But I agree that upgrading to 4.1 is a sound advice.

Regards, Jigal.




Re: security question CAN-2005-0709 CAN-2005-0710 CAN-2005-0711

2005-08-16 Thread Alejandro Gad
I agree with you,
I will upgrade.
Thanks for the advice.

On 8/16/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>  
>  
> Alejandro <[EMAIL PROTECTED]> wrote on 08/16/2005 03:01:59 PM:
> 
>  
>  > Hi,
>  > 
>  > I have installed binary mysql version 3.23.58 downloaded from
>  > www.mysql.org.
>  > The changelog in the documentation says that the release is from
>  > September 2003 and the security bug is from March 2005.
>  > What can I do? How does MySQL provide updates?
>  > Thanks!!
>  > 
>  > =
>  > Security info:
>  > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0709
>  > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0710
>  > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0711
>  > 
>  
> MySQL has moved WELL past the 3.23.x lineage and is getting close to
> retiring the 4.0.x lineage (it's only a rumor). So I suggest you update your
> installation, paying attention to all of the version-to-version gotchas
> listed here: 
>  
> http://dev.mysql.com/doc/mysql/en/upgrade.html 
>  
> There is little to no activity in support of the 3.23.x version of MySQL. Is
> there a "VERY GOOD" reason why you cannot or do not want to upgrade? 
>  
> Shawn Green
>  Database Administrator
>  Unimin Corporation - Spruce Pine




Re: security question CAN-2005-0709 CAN-2005-0710 CAN-2005-0711

2005-08-16 Thread SGreen
Alejandro <[EMAIL PROTECTED]> wrote on 08/16/2005 03:01:59 PM:

> Hi,
> 
> I have installed binary mysql version 3.23.58 downloaded from
> www.mysql.org.
> The changelog in the documentation says that the release is from
> September 2003 and the security bug is from March 2005.
> What can I do? How does MySQL provide updates?
> Thanks!!
> 
> =
> Security info:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0709
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0710
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0711
> 

MySQL has moved WELL past the 3.23.x lineage and is getting close to 
retiring the 4.0.x lineage (it's only a rumor). So I suggest you update 
your installation, paying attention to all of the version-to-version 
gotchas listed here:

http://dev.mysql.com/doc/mysql/en/upgrade.html

There is little to no activity in support of the 3.23.x version of MySQL. 
Is there a "VERY GOOD" reason why you cannot or do not want to upgrade?

Shawn Green
Database Administrator
Unimin Corporation - Spruce Pine

Re: security and extended ascii characters

2004-05-12 Thread Sasha Pachev
Chris W wrote:
> In an effort to make sure no binary data is maliciously submitted via a
> form I have code that makes sure all characters in any input field are
> within the range of a space to a "~".  However, now that I am getting
> some users of my site from Europe, they are having problems submitting
> some extended characters.  I don't have the time to localize this site
> for every language but I would like to make it so European users can
> enter the characters that you don't find in the English alphabet.  So I
> was wondering what other ascii values I need to allow so users in Europe
> won't have these problems?

Chris:

You need to use mysql_real_escape_string() on user input before you insert it.
Then there will be no need for character code range limitations.

--
Sasha Pachev
Create online surveys at http://www.surveyz.com/


RE: security reason for not using load data infile local?

2004-04-12 Thread Victor Pendleton
It depends on the variable. Can you give an example of the variable you are
trying to set?
As far as the load data infile, I believe it depends on how your database
will be accessed. If you have a need for remote administration or are working
with geographically separated databases then the ability to load data from a
different may be useful. While if you are only working from the local machine
and you want to further lock down the system then disabling this may be a good
decision.

-Original Message-
From: Ginger Cheng
To: [EMAIL PROTECTED]
Sent: 4/12/04 12:49 PM
Subject: security reason for not using load data infile local?

Hello, MySQL gurus,
Sometimes the 'local' option of 'load data infile' is disabled for
security reasons (that is what I got from web). What could be the security
problem? I have another question, is there any way to change a variable of
mysql server without shutting it down?
Thank you for help
ginger





Re: security reason for not using load data infile local?

2004-04-12 Thread Emmett Bishop
Ginger, 

can't speak to the log file issue but check out this
link for the dynamic server variables:

http://dev.mysql.com/doc/mysql/en/Dynamic_System_Variables.html

Best O'luck,

Tripp
--- Ginger Cheng <[EMAIL PROTECTED]> wrote:
> Hello, MySQL gurus,
>   Sometimes the 'local' option of 'load data infile' is disabled for
> security reasons (that is what I got from web). What could be the security
> problem? I have another question, is there any way to change a variable of
> mysql server without shutting it down?
>   Thank you for help
>   ginger





Re: Security

2004-03-12 Thread Mulugeta Maru
Thank you very much. Makes sense.

- Original Message - 
From: "Curtis Maurand" <[EMAIL PROTECTED]>
To: "Mulugeta Maru" <[EMAIL PROTECTED]>
Cc: "Mike Johnson" <[EMAIL PROTECTED]>; "MySQL" <[EMAIL PROTECTED]>
Sent: Friday, March 12, 2004 1:17 PM
Subject: Re: Security


>
> Usernames, passwords, and then perform the queries select ... where
> customerid = "". It's all handled by your app.
>
> Curtis
>
> On Wed, 10 Mar 2004, Mulugeta Maru wrote:
>
> > Hi Mike,
> >
> > I am sorry for the confusion I might have caused. May be it would help
to
> > give a clear example.
> >
> > Table - Customers (CustomerID, CustomerName, Address, etc)
> >
> > Table - Transaction(TransactionID,CustomerID,Date,Amount)
> >
> > Note: CustomerID in Customer Table is a Primary Key. TransactionID is a
> > Primary Key and CustomerID is a Foreign Key in Transaction Table).
> >
> > Question: How would I be able to give my customers access to the
> > database so that they can update the customer table (for example address
> > change) and add transactions to the transaction table. What I do not want
> > to happen is that customer A is able to modify customer B's record.
> > In short how would you restrict customer A to see transactions that
> > pertain to him/her.
> >
> > Many thanks.
> > - Original Message - 
> > From: "Mike Johnson" <[EMAIL PROTECTED]>
> > To: "MySQL" <[EMAIL PROTECTED]>
> > Sent: Wednesday, March 10, 2004 4:55 PM
> > Subject: RE: Security
> >
> >
> > > From: Maru, Mulugeta [mailto:[EMAIL PROTECTED]
> > >
> > > > When I go online to access my bank account I only see
> > > > transactions pertaining to my account only. I think whenever I
> > > > make a transaction the database records my account number in
> > > > the transaction table. When I log in using my account number
> > > > and password the system checks whether it is correct or not
> > > > and runs another query to get all transactions that match my
> > > > account number.
> > > >
> > > > Do I make sense?
> > >
> > >
> > > (sent offlist by mistake, please excuse the dupe)
> > >
> > > The point being made is that you're looking at your bank account
> > > information in a client that is set to read records only pertaining to
> > > your account.
> > >
> > > The native mysql client is not such a program and was never intended
> > > to be. While you can customize access for users to certain databases or
> > > certain tables within those databases, it's simply not built as a
> > > multi-user transactional client for limiting access to data in
> > > commonly-used tables.
> > >
> > > It begs the question why you're giving your clients access to the
> > > native mysql client itself rather than developing an application to do
> > > this, in which you could quite easily limit such access.
> > >
> > >
> > > -- 
> > > Mike Johnson
> > > Web Developer
> > > Smarter Living, Inc.
> > > phone (617) 886-5539
> > >
> > > -- 
> > > MySQL General Mailing List
> > > For list archives: http://lists.mysql.com/mysql
> > > To unsubscribe:
http://lists.mysql.com/[EMAIL PROTECTED]
> > >
> > >
> >
> >
> >
>
> -- 
> --
> Curtis Maurand
> mailto:[EMAIL PROTECTED]
> http://www.maurand.com
>
>
>





Re: Security

2004-03-12 Thread Curtis Maurand

Usernames, passwords, and then perform the queries select ... where 
customerid = "". It's all handled by your app.

Curtis

On Wed, 10 Mar 2004, Mulugeta Maru wrote:

> Hi Mike,
> 
> I am sorry for the confusion I might have caused. Maybe it would help to
> give a clear example.
> 
> Table - Customers (CustomerID, CustomerName, Address, etc)
> 
> Table - Transaction(TransactionID,CustomerID,Date,Amount)
> 
> Note: CustomerID in Customer Table is a Primary Key. TransactionID is a
> Primary Key and CustomerID is a Foreign Key in Transaction Table).
> 
> Question: How would I be able to give my customers access to the database so
> that they can update the customer table (for example address change) and add
> transactions to the transaction table. What I do not want to happen is that
> customer A is able to modify customer B's record.
> In short how would you restrict customer A to see transactions that pertain
> to him/her.
> 
> Many thanks.
> - Original Message - 
> From: "Mike Johnson" <[EMAIL PROTECTED]>
> To: "MySQL" <[EMAIL PROTECTED]>
> Sent: Wednesday, March 10, 2004 4:55 PM
> Subject: RE: Security
> 
> 
> > From: Maru, Mulugeta [mailto:[EMAIL PROTECTED]
> >
> > > When I go online to access my bank account I only see
> > > transactions pertaining to my account only. I think whenever I
> > > make a transaction the database records my account number in
> > > the transaction table. When I log in using my account number
> > > and password the system checks whether it is correct or not
> > > and runs another query to get all transactions that match my
> > > account number.
> > >
> > > Do I make sense?
> >
> >
> > (sent offlist by mistake, please excuse the dupe)
> >
> > The point being made is that you're looking at your bank account
> > information in a client that is set to read records only pertaining to
> > your account.
> >
> > The native mysql client is not such a program and was never intended to
> > be. While you can customize access for users to certain databases or
> > certain tables within those databases, it's simply not built as a
> > multi-user transactional client for limiting access to data in
> > commonly-used tables.
> >
> > It begs the question why you're giving your clients access to the native
> > mysql client itself rather than developing an application to do this, in
> > which you could quite easily limit such access.
> >
> >
> > -- 
> > Mike Johnson
> > Web Developer
> > Smarter Living, Inc.
> > phone (617) 886-5539
> >
> > -- 
> > MySQL General Mailing List
> > For list archives: http://lists.mysql.com/mysql
> > To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
> >
> >
> 
> 
> 

-- 
--
Curtis Maurand
mailto:[EMAIL PROTECTED]
http://www.maurand.com






RE: Security

2004-03-11 Thread Mike Johnson
From: Mulugeta Maru [mailto:[EMAIL PROTECTED]

> Hi Mike,
> 
> I am sorry for the confusion I might have caused. Maybe it 
> would help to give a clear example.
> 
> Table - Customers (CustomerID, CustomerName, Address, etc)
> 
> Table - Transaction(TransactionID,CustomerID,Date,Amount)
> 
> Note: CustomerID in Customer Table is a Primary Key. 
> TransactionID is a Primary Key and CustomerID is a Foreign 
> Key in Transaction Table).
> 
> Question: How would I be able to give my customers access to 
> the database so that they can update the customer table (for 
> example address change) and add transactions to the 
> transaction table. What I do not want to happen is that
> customer A is able to modify customer B's record. In short 
> how would you restrict customer A to see transactions that 
> pertain to him/her.


As Paul DuBois said earlier, this is something you want to control in your application 
itself. You still haven't specified if you're actually using an application in this 
scenario, so I'm still assuming you're talking about giving the clients access to the 
native mysql client.

Just as your bank gives you a web or executable client with which to access your 
records and transactions, they don't give you access to the database itself.

One example I'm talking about is developing an application for the clients in PHP. It 
would take basic login information and from there keep track of what client it is. At 
that point, you have the CustomerID, so only display to them info pertinent to them 
(SELECT * FROM Customers WHERE CustomerID='$CustomerID'; SELECT * FROM Transaction 
WHERE CustomerID='$CustomerID'), thus only allowing them to update or view records 
/through the web app/ relating to them.

So long as you never select records for Customer B, Customer A will never have the 
ability to view or modify Customer B's records.

Does that make any more sense?


-- 
Mike Johnson
Web Developer
Smarter Living, Inc.
phone (617) 886-5539




Re: Security

2004-03-11 Thread Joshua J. Kugler
You've been perfectly clear.  The MySQL permission system will not define this 
level of security.  You must design your application so that it will only give 
access to the rows that pertain to the customer that is logged in.  Create a 
MySQL user which can read and write to your database.  Then create another 
table in your database which defines users and passwords (separate from the 
MySQL users).  When a user logs in, you check their username and password 
against your user table, and then once they are logged in, you make sure the 
only rows they see or update are rows that pertain to them.

I hope this makes things clear.

On Wednesday 10 March 2004 05:39 pm, Mulugeta Maru wrote:
> Hi Mike,
>
> I am sorry for the confusion I might have caused. Maybe it would help to
> give a clear example.
>
> Table - Customers (CustomerID, CustomerName, Address, etc)
>
> Table - Transaction(TransactionID,CustomerID,Date,Amount)
>
> Note: CustomerID in Customer Table is a Primary Key. TransactionID is a
> Primary Key and CustomerID is a Foreign Key in Transaction Table).
>
> Question: How would I be able to give my customers access to the database
> so that they can update the customer table (for example address change) and
> add transactions to the transaction table. What I do not want to happen is
> that customer A is able to modify customer B's record.
> In short how would you restrict customer A to see transactions that pertain
> to him/her.
>
> Many thanks.

-- 
Joshua J. Kugler
Fairbanks, Alaska
Computer Consultant--Systems Designer
.--- --- ...  ..- .--.- ..- --. .-.. . .-.
[EMAIL PROTECTED]
ICQ#:13706295
Every knee shall bow, and every tongue confess, in heaven, on earth, and under 
the earth, that Jesus Christ is LORD -- Count on it!




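The pattern the replies in this thread describe (Mike Johnson's two scoped SELECTs and Joshua J. Kugler's separate application user table), as an added example; it is not code from any of the posters. Python's built-in sqlite3 stands in for MySQL so the demo runs offline. The Customers and Transaction tables follow the thread; the app_users table, the helper names and the sample rows are this example's own assumptions. Two points the thread leaves implicit are made explicit: the customer id is bound as a query parameter rather than interpolated as '$CustomerID', and it always comes from the authenticated session. The deliberately broken update_address_insecure shows what happens when a handler trusts an id taken from the request instead.

```python
"""Row scoping enforced by the application, not by MySQL grants.

Added example (see the lead-in); Python's sqlite3 stands in for MySQL.
"""
import hashlib
import hmac
import os
import sqlite3

# Tables from the thread plus an application-level login table that is kept
# separate from the DBMS's own account table (this example's assumption).
# "Transaction" is quoted because it is an SQL keyword.
SCHEMA = """
CREATE TABLE Customers (CustomerID INTEGER PRIMARY KEY, CustomerName TEXT, Address TEXT);
CREATE TABLE "Transaction" (TransactionID INTEGER PRIMARY KEY,
                            CustomerID INTEGER REFERENCES Customers(CustomerID),
                            Date TEXT, Amount INTEGER);
CREATE TABLE app_users (Username TEXT PRIMARY KEY, CustomerID INTEGER NOT NULL,
                        Salt BLOB NOT NULL, PwHash BLOB NOT NULL);
"""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(conn, username, customer_id, password):
    salt = os.urandom(16)
    conn.execute("INSERT INTO app_users VALUES (?, ?, ?, ?)",
                 (username, customer_id, salt, _hash_password(password, salt)))
    conn.commit()


def login(conn, username, password):
    """Return the CustomerID for a valid login, else None.

    This is the only place a customer id enters the session; handlers take it
    from the session and never from a request parameter.
    """
    row = conn.execute("SELECT CustomerID, Salt, PwHash FROM app_users WHERE Username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    customer_id, salt, stored = row
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    return customer_id


def list_transactions(conn, session_customer_id):
    # Bound parameter: a crafted value cannot change the query the way an
    # interpolated '$CustomerID' string could.
    return conn.execute('SELECT TransactionID, Date, Amount FROM "Transaction" '
                        'WHERE CustomerID = ? ORDER BY TransactionID',
                        (session_customer_id,)).fetchall()


def add_transaction(conn, session_customer_id, date, amount):
    conn.execute('INSERT INTO "Transaction" (CustomerID, Date, Amount) VALUES (?, ?, ?)',
                 (session_customer_id, date, amount))
    conn.commit()


def update_address(conn, session_customer_id, new_address) -> bool:
    """Secure: the WHERE clause is bound to the logged-in customer."""
    cur = conn.execute("UPDATE Customers SET Address = ? WHERE CustomerID = ?",
                       (new_address, session_customer_id))
    conn.commit()
    return cur.rowcount == 1


def update_address_insecure(conn, requested_customer_id, new_address) -> bool:
    """Broken on purpose: trusts an id from the request, so any logged-in
    customer can rewrite any other customer's row."""
    cur = conn.execute("UPDATE Customers SET Address = ? WHERE CustomerID = ?",
                       (new_address, requested_customer_id))
    conn.commit()
    return cur.rowcount == 1


def address_of(conn, customer_id):
    return conn.execute("SELECT Address FROM Customers WHERE CustomerID = ?",
                        (customer_id,)).fetchone()[0]


def build_demo_db():
    """Constructed sample data, not taken from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)",
                     [(1, "Alice", "1 Elm St"), (2, "Bob", "2 Oak St")])
    conn.executemany('INSERT INTO "Transaction" VALUES (?, ?, ?, ?)',
                     [(10, 1, "2004-03-01", 500), (11, 2, "2004-03-02", 750),
                      (12, 1, "2004-03-05", 25)])
    register(conn, "alice", 1, "correct horse")
    register(conn, "bob", 2, "battery staple")
    return conn


def demo() -> dict:
    conn = build_demo_db()
    out = {"bad_login": login(conn, "alice", "wrong")}
    alice = login(conn, "alice", "correct horse")
    out["alice_id"] = alice
    out["alice_sees"] = list_transactions(conn, alice)
    # Alice's browser sends customer_id=2 with a new address. The secure
    # handler ignores that parameter and scopes by her session id.
    out["secure_update"] = update_address(conn, alice, "99 Pine St")
    out["bob_after_secure"] = address_of(conn, 2)
    # The insecure handler uses the request parameter: Bob's row is overwritten.
    update_address_insecure(conn, 2, "HIJACKED")
    out["bob_after_insecure"] = address_of(conn, 2)
    add_transaction(conn, alice, "2004-03-10", 40)
    out["alice_count"] = len(list_transactions(conn, alice))
    out["bob_count"] = len(list_transactions(conn, 2))
    return out
```

Running demo() shows Alice's listing holding only her two rows, her address change landing on her own row while Bob's stays "2 Oak St", and the insecure handler overwriting Bob's row with one request. The database account the application connects with can read and write every row in both tables; the isolation lives entirely in the WHERE clause and in where the id comes from.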

Re: Security

2004-03-10 Thread Paul DuBois
At 20:39 -0600 3/10/04, Mulugeta Maru wrote:
> Hi Mike,
>
> I am sorry for the confusion I might have caused. Maybe it would help to
> give a clear example.
>
> Table - Customers (CustomerID, CustomerName, Address, etc)
>
> Table - Transaction(TransactionID,CustomerID,Date,Amount)
>
> Note: CustomerID in Customer Table is a Primary Key. TransactionID is a
> Primary Key and CustomerID is a Foreign Key in Transaction Table).
>
> Question: How would I be able to give my customers access to the database so
> that they can update the customer table (for example address change) and add
> transactions to the transaction table. What I do not want to happen is that
> customer A is able to modify customer B's record.
> In short how would you restrict customer A to see transactions that pertain
> to him/her.

MySQL does not support row-level privileges, which is what you're asking
for.  You must enforce this kind of access policy by implementing it
in your application.
--
Paul DuBois, MySQL Documentation Team
Madison, Wisconsin, USA
MySQL AB, www.mysql.com
MySQL Users Conference: April 14-16, 2004
http://www.mysql.com/uc2004/


Re: Security

2004-03-10 Thread Mulugeta Maru
Hi Mike,

I am sorry for the confusion I might have caused. Maybe it would help to
give a clear example.

Table - Customers (CustomerID, CustomerName, Address, etc)

Table - Transaction(TransactionID,CustomerID,Date,Amount)

Note: CustomerID in Customer Table is a Primary Key. TransactionID is a
Primary Key and CustomerID is a Foreign Key in Transaction Table).

Question: How would I be able to give my customers access to the database so
that they can update the customer table (for example address change) and add
transactions to the transaction table. What I do not want to happen is that
customer A is able to modify customer B's record.
In short how would you restrict customer A to see transactions that pertain
to him/her.

Many thanks.
- Original Message - 
From: "Mike Johnson" <[EMAIL PROTECTED]>
To: "MySQL" <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 4:55 PM
Subject: RE: Security


> From: Maru, Mulugeta [mailto:[EMAIL PROTECTED]
>
> > When I go online to access my bank account I only see
> > transactions pertaining to my account only. I think whenever I
> > make a transaction the database records my account number in
> > the transaction table. When I log in using my account number
> > and password the system checks whether it is correct or not
> > and runs another query to get all transactions that match my
> > account number.
> >
> > Do I make sense?
>
>
> (sent offlist by mistake, please excuse the dupe)
>
> The point being made is that you're looking at your bank account
> information in a client that is set to read records only pertaining to your
> account.
>
> The native mysql client is not such a program and was never intended to
> be. While you can customize access for users to certain databases or certain
> tables within those databases, it's simply not built as a multi-user
> transactional client for limiting access to data in commonly-used tables.
>
> It begs the question why you're giving your clients access to the native
> mysql client itself rather than developing an application to do this, in
> which you could quite easily limit such access.
>
>
> -- 
> Mike Johnson
> Web Developer
> Smarter Living, Inc.
> phone (617) 886-5539
>
> -- 
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
>
>





Re: Security

2004-03-10 Thread Joshua J. Kugler
Yes, you make sense.  But when you go in to access your bank account, you are 
not directly accessing the database.  The web application is opening the 
database and only returning rows in the table that pertain to you.  The web 
application can read all the rows; your user name has *no* read or write 
permissions to the database: the web application connects via its own 
username, and selects your account information from the database.

So, in other words, you need to keep a list of users separate from the list of 
MySQL users.  The mysql database controls which username/passwords can 
connect to the database.  Your user list would contain users which can log in 
to your system.

j- k-

On Wednesday 10 March 2004 01:47 pm, Maru, Mulugeta wrote:
> When I go online to access my bank account I only see transactions pertaining
> to my account only. I think whenever I make a transaction the database
> records my account number in the transaction table. When I log in using my
> account number and password the system checks whether it is correct or not
> and runs another query to get all transactions that match my account number.
>
> Do I make sense?
>
> -Original Message-
> From: Joshua J. Kugler [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 10, 2004 5:34 PM
> To: Mulugeta Maru; MySQL
> Subject: Re: Security
>
>
> Only being able to see certain rows is not a function of MySQL, it is a
> function of the application you write for the user to access the database.
> If a user has permission to read a table, they can read all rows.  It is up
> to your application to make sure they are only seeing rows that apply to
> them.
>
> j- k-
>
> On Tuesday 09 March 2004 05:57 pm, Mulugeta Maru wrote:
> > Thank you for the kind response. Maybe I did not clearly ask the
> > question. The user table in mysql database is used to set-up a user and
> > password. Once I set-up my tables (customer, customer orders, customer
> > order details, etc) in say abc database what will I have to do to make
> > sure when customer A logs in to the database can only see his/her
> > account, orders, order details without getting access to other customer
> > accounts.
>
> --
> Joshua J. Kugler
> Fairbanks, Alaska
> Computer Consultant--Systems Designer
> .--- --- ...  ..- .--.- ..- --. .-.. . .-.
> [EMAIL PROTECTED]
> ICQ#:13706295
> Every knee shall bow, and every tongue confess, in heaven, on earth, and
> under the earth, that Jesus Christ is LORD -- Count on it!
>
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
>

-- 
Joshua J. Kugler
Fairbanks, Alaska
Computer Consultant--Systems Designer
.--- --- ...  ..- .--.- ..- --. .-.. . .-.
[EMAIL PROTECTED]
ICQ#:13706295
Every knee shall bow, and every tongue confess, in heaven, on earth, and under 
the earth, that Jesus Christ is LORD -- Count on it!





RE: Security

2004-03-10 Thread Mike Johnson
From: Maru, Mulugeta [mailto:[EMAIL PROTECTED]

> When I go online to access my bank account I only see 
> transactions pertaining to my account only. I think whenever I 
> make a transaction the database records my account number in 
> the transaction table. When I log in using my account number 
> and password the system checks whether it is correct or not 
> and runs another query to get all transactions that match my 
> account number. 
> 
> Do I make sense?


(sent offlist by mistake, please excuse the dupe)

The point being made is that you're looking at your bank account information in a 
client that is set to read records only pertaining to your account.

The native mysql client is not such a program and was never intended to be. While you 
can customize access for users to certain databases or certain tables within those 
databases, it's simply not built as a multi-user transactional client for limiting 
access to data in commonly-used tables.

It begs the question why you're giving your clients access to the native mysql client 
itself rather than developing an application to do this, in which you could quite 
easily limit such access.


-- 
Mike Johnson
Web Developer
Smarter Living, Inc.
phone (617) 886-5539




RE: Security

2004-03-10 Thread Maru, Mulugeta
When I go online to access my bank account I only see transactions pertaining to my 
account only. I think whenever I make a transaction the database records my account 
number in the transaction table. When I log in using my account number and password 
the system checks whether it is correct or not and runs another query to get all 
transactions that match my account number. 

Do I make sense?

-Original Message-
From: Joshua J. Kugler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 10, 2004 5:34 PM
To: Mulugeta Maru; MySQL
Subject: Re: Security


Only being able to see certain rows is not a function of MySQL, it is a 
function of the application you write for the user to access the database.  
If a user has permission to read a table, they can read all rows.  It is up 
to your application to make sure they are only seeing rows that apply to 
them.

j- k-

On Tuesday 09 March 2004 05:57 pm, Mulugeta Maru wrote:
> Thank you for the kind response. Maybe I did not clearly ask the question.
> The user table in mysql database is used to set-up a user and password.
> Once I set-up my tables (customer, customer orders, customer order details,
> etc) in say abc database what will I have to do to make sure when customer
> A logs in to the database can only see his/her account, orders, order
> details without getting access to other customer accounts.

-- 
Joshua J. Kugler
Fairbanks, Alaska
Computer Consultant--Systems Designer
.--- --- ...  ..- .--.- ..- --. .-.. . .-.
[EMAIL PROTECTED]
ICQ#:13706295
Every knee shall bow, and every tongue confess, in heaven, on earth, and under 
the earth, that Jesus Christ is LORD -- Count on it!





Re: Security

2004-03-10 Thread Joshua J. Kugler
Only being able to see certain rows is not a function of MySQL, it is a 
function of the application you write for the user to access the database.  
If a user has permission to read a table, they can read all rows.  It is up 
to your application to make sure they are only seeing rows that apply to 
them.

j- k-

On Tuesday 09 March 2004 05:57 pm, Mulugeta Maru wrote:
> Thank you for the kind response. Maybe I did not clearly ask the question.
> The user table in mysql database is used to set-up a user and password.
> Once I set-up my tables (customer, customer orders, customer order details,
> etc) in say abc database what will I have to do to make sure when customer
> A logs in to the database can only see his/her account, orders, order
> details without getting access to other customer accounts.

-- 
Joshua J. Kugler
Fairbanks, Alaska
Computer Consultant--Systems Designer
.--- --- ...  ..- .--.- ..- --. .-.. . .-.
[EMAIL PROTECTED]
ICQ#:13706295
Every knee shall bow, and every tongue confess, in heaven, on earth, and under 
the earth, that Jesus Christ is LORD -- Count on it!





Re: Security

2004-03-10 Thread Ed Curtis

 I guess the easiest way to do this would be to index all transactions
with a user id number or something identifying the user. When they log in
to the site have the scripts only access the records for that person using
a WHERE clause in the queries. You would have to be able to keep track of
their user id for them via cookies or sessions or something though.

Ed Curtis


On Tue, 9 Mar 2004, Mulugeta Maru wrote:

> Thank you for the kind response. Maybe I did not clearly ask the question.
> The user table in mysql database is used to set-up a user and password. Once
> I set-up my tables (customer, customer orders, customer order details, etc)
> in say abc database what will I have to do to make sure when customer A logs
> in to the database can only see his/her account, orders, order details
> without getting access to other customer accounts.
>
> I hope my question is clear.
>
> Maru
> - Original Message -
> From: "Paul Rigor" <[EMAIL PROTECTED]>
> To: "Mulugeta Maru" <[EMAIL PROTECTED]>; "MySQL" <[EMAIL PROTECTED]>
> Sent: Tuesday, March 09, 2004 7:46 PM
> Subject: Re: Security
>
>
> > Heya,
> >
> > Those are the default databases that come with the setup.  The "mysql"
> > database holds info on mysql accounts.  The "test" is an empty
> > database.  You should create a new database "CREATE DATABASE customers"
> > then "use customers"... after that... you can set up the tables you
> > mentioned.
> >
> > Goodluck!
> > Paul
> >
> > At 06:34 PM 3/9/2004, Mulugeta Maru wrote:
> > >I have used Access in the past and now I have started using MySQL. I have
> > >customer table, customer order table, customer order detail table. How
> > >would I make sure that when a particular customer logs in he/she sees only
> > >the account that is set up for them. What confused me is that MySQL has a
> > >database called mysql and a table in this database called users that is
> > >used to set a user name and password for each user. I could not figure out
> > >how a user in my case a customer that has access to a customer table could
> > >be restricted to see his/her transaction only.
> > >
> > >Any insight is very much appreciated.
> >
> > _
> > Paul Rigor
> > [EMAIL PROTECTED]
> > Go Bruins!
> >
> >
> > --
> > MySQL General Mailing List
> > For list archives: http://lists.mysql.com/mysql
> > To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
> >
> >
>
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
>





Re: Security

2004-03-09 Thread Mulugeta Maru
Thank you for the kind response. Maybe I did not clearly ask the question.
The user table in mysql database is used to set-up a user and password. Once
I set-up my tables (customer, customer orders, customer order details, etc)
in say abc database what will I have to do to make sure when customer A logs
in to the database can only see his/her account, orders, order details
without getting access to other customer accounts.

I hope my question is clear.

Maru
- Original Message - 
From: "Paul Rigor" <[EMAIL PROTECTED]>
To: "Mulugeta Maru" <[EMAIL PROTECTED]>; "MySQL" <[EMAIL PROTECTED]>
Sent: Tuesday, March 09, 2004 7:46 PM
Subject: Re: Security


> Heya,
>
> Those are the default databases that come with the setup.  The "mysql"
> database holds info on mysql accounts.  The "test" is an empty
> database.  You should create a new database "CREATE DATABASE customers"
> then "use customers"... after that... you can set up the tables you
> mentioned.
>
> Goodluck!
> Paul
>
> At 06:34 PM 3/9/2004, Mulugeta Maru wrote:
> >I have used Access in the past and now I have started using MySQL. I have
> >customer table, customer order table, customer order detail table. How
> >would I make sure that when a particular customer logs in he/she sees only
> >the account that is set up for them. What confused me is that MySQL has a
> >database called mysql and a table in this database called users that is
> >used to set a user name and password for each user. I could not figure out
> >how a user in my case a customer that has access to a customer table could
> >be restricted to see his/her transaction only.
> >
> >Any insight is very much appreciated.
>
> _
> Paul Rigor
> [EMAIL PROTECTED]
> Go Bruins!
>
>
> -- 
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
>
>





Re: Security

2004-03-09 Thread Paul Rigor
Heya,

Those are the default databases that come with the setup.  The "mysql" 
database holds info on mysql accounts.  The "test" is an empty 
database.  You should create a new database "CREATE DATABASE customers" 
then "use customers"... after that... you can set up the tables you mentioned.

Goodluck!
Paul
At 06:34 PM 3/9/2004, Mulugeta Maru wrote:
> I have used Access in the past and now I have started using MySQL. I have 
> customer table, customer order table, customer order detail table. How 
> would I make sure that when a particular customer logs in he/she sees only 
> the account that is set up for them. What confused me is that MySQL has a 
> database called mysql and a table in this database called users that is 
> used to set a user name and password for each user. I could not figure out 
> how a user in my case a customer that has access to a customer table could 
> be restricted to see his/her transaction only.

Any insight is very much appreciated.
_
Paul Rigor
[EMAIL PROTECTED]
Go Bruins! 



Re: Security issues

2004-01-14 Thread John Leach
On Wed, 2004-01-14 at 13:32, Chris W wrote:
> Are there many php or mysql configuration considerations for making the 
> site secure?  I have already done the obvious with my sql and set up the 
> grant tables with passwords for all users and removed the [EMAIL PROTECTED] user.

Give the MySQL user you're using only the minimum permissions.  I doubt
your web app will need to ALTER table structures for example.

I like to use privilege separation.  In my code I have different MySQL
users with different permission.  One might have read-write access
(SELECT, INSERT, UPDATE etc.) and another has read-only.  I then use
these users appropriately throughout my code.  For example, a script
that searches a table uses the read-only user.  Then no matter how
clever the attacker is, they won't be able to DELETE all my data by
exploiting that code.

John.
-- 
GPG: B89C D450 5B2C 74D8 58FB  A360 9B06 B5C2 26F0 3047
URL: http://www.johnleach.co.uk



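The privilege separation John describes, as an added example; it is not his code. Separate MySQL accounts with different GRANT lists (a read-only one for the search path, a SELECT/INSERT/UPDATE one for the rest) are emulated with Python's built-in sqlite3 authorizer callback so the demo runs offline. The role names web_ro and web_rw, the products table and the sample rows are this example's own assumptions. The point it makes concrete: the handle the search code holds is refused INSERT and DELETE by the database itself, so a flaw in that handler cannot destroy data, and even the writer handle is refused DELETE and DROP TABLE because the web app never needs them.

```python
"""Privilege separation between two database roles.

Added example (see the lead-in); sqlite3's authorizer callback stands in for
MySQL's per-account grants.
"""
import os
import sqlite3
import tempfile

# Per-role allow-list, modelled on a MySQL GRANT list. Neither web role gets
# DELETE, DROP or ALTER. TRANSACTION/FUNCTION are needed for BEGIN/COMMIT and
# built-in functions, not for touching data.
_BASE = {sqlite3.SQLITE_TRANSACTION, sqlite3.SQLITE_FUNCTION}
ROLE_GRANTS = {
    "web_ro": _BASE | {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ},
    "web_rw": _BASE | {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
                       sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE},
}


def _authorizer_for(role):
    allowed = ROLE_GRANTS[role]

    def authorize(action, arg1, arg2, db_name, trigger_or_view):
        # sqlite consults this for every table/column/action touched while a
        # statement is prepared; a DENY aborts the statement with "not authorized".
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    return authorize


def connect_as(path, role):
    """Stand-in for connecting with a dedicated MySQL account per role."""
    conn = sqlite3.connect(path)
    conn.set_authorizer(_authorizer_for(role))
    return conn


def search_products(conn, name=None):
    """Read-only code path: hand it the read-only connection."""
    if name is None:
        return conn.execute("SELECT id, name, price FROM products ORDER BY id").fetchall()
    return conn.execute("SELECT id, name, price FROM products WHERE name = ?",
                        (name,)).fetchall()


def try_statement(conn, sql):
    """Run a statement and report whether the role was permitted to."""
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.DatabaseError:  # raised for "not authorized"
        conn.rollback()
        return False


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shop.db")
        # Schema owner with no authorizer: the DBA account, never used by the web app.
        admin = sqlite3.connect(path)
        admin.executescript("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price INTEGER);")
        admin.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                          [("widget", 5), ("gadget", 12)])  # constructed sample rows
        admin.commit()
        admin.close()

        ro = connect_as(path, "web_ro")
        rw = connect_as(path, "web_rw")
        out = {"search": search_products(ro, "widget")}
        # Even if an attacker fully controls the SQL the search handler runs,
        # its credentials cannot modify data.
        out["ro_delete"] = try_statement(ro, "DELETE FROM products")
        out["ro_insert"] = try_statement(ro, "INSERT INTO products (name, price) VALUES ('evil', 0)")
        # The writer account can update but still cannot wipe or drop tables.
        out["rw_update"] = try_statement(rw, "UPDATE products SET price = 6 WHERE name = 'widget'")
        out["rw_delete"] = try_statement(rw, "DELETE FROM products")
        out["rw_drop"] = try_statement(rw, "DROP TABLE products")
        out["after"] = search_products(ro)
        ro.close()
        rw.close()
        return out
```

Against real MySQL the emulation layer disappears: create two accounts with CREATE USER, give one GRANT SELECT and the other GRANT SELECT, INSERT, UPDATE on the application's schema, and open the connection for each code path with the matching credentials. The check that matters is the same as in the demo: try a DELETE through the read-only account and confirm the server, not your code, refuses it.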

Re: Security Question

2003-11-27 Thread Sergei Golubchik
Hi!

On Nov 27, DeBug wrote:
> >>>- Someone copies the DB files to another box, starts a mysql
> >>>instance, loads the DB and presto - views the 'private' data !!!
> >>>
> 
> PD> Sure.  That's why you establish filesystem level access privileges so that
> PD> only the mysql user can copy them in the first place.
> 
> Some DBMSs allow to setup databases on a separate partition with its
> own filesystem that will have nothing in common with OS filesystem.
> OS is unable to read DBMS filesystem data.
> So getting root on OS does not give the hacker access to the DBMS file
> system and only DBMS users can access it.

No, getting root gives access to each and every byte on the hard drive.
He can read the partition where the data are. And if he is prepared, he
can interpret them, of course (we are not talking about script kiddies
here, are we?).

Or, he can patch the in-memory image of the running db process and
access the data through it.
 
Regards,
Sergei

-- 
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, Senior Software Developer
/_/  /_/\_, /___/\___\_\___/  Osnabrueck, Germany
   <___/  www.mysql.com




RE: Security Question

2003-11-27 Thread Andy Eastham
Thomas,

It would be more secure if you had the DB on another server that was locked
down and only allowed access to the web server on the MySQL port (plus
probably ssh access for admin).

If you're going to the expense of audits, this must be fairly important, so
the cost of the other server would not be too significant?

Best regards,

Andy

> -Original Message-
> From: Curley, Thomas [mailto:[EMAIL PROTECTED]
> Sent: 26 November 2003 13:22
> To: [EMAIL PROTECTED]
> Subject: RE: Security Question
> Importance: High
>
>
> thanks for reply - the requirement comes from a security audit -
> so try to think in terms of a hacker
>
> Obviously and (I had assumed)
> 1.- the files would have tight unix security file permissions applied
> 2.- indeed the key would be stored on an internal tightly
> managed box (or device)
>
> Another Assumption
> --
> Encrypting / decrypting all data on the fly would be too
> expensive and grind the app to a halt
>
> So the question again :-
>
>   Any ideas on how to avoid having data files stored with
> absolutely no protection against copying 
>
>
> If there is no solution to this then MySql should not be used on
> internet accessible boxes for dynamic web sites
>
>
> Thomas
>
>
>
>
>
>
> -Original Message-
> From: Fagyal, Csongor [mailto:[EMAIL PROTECTED]
> Sent: 26 November 2003 12:51
> To: Curley, Thomas
> Cc: [EMAIL PROTECTED]
> Subject: Re: Security Question
>
>
> Thomas,
>
> >I am trying to find a solution to the following security issue
> with MySql DB on linux
> >
> >- Someone copies the DB files to another box, starts a mysql
> instance, loads the DB and presto - views the 'private' data !!!
> >
> >
> Well, "someone" should not have access rights to the DB files on the
> first hand.
>
> >Ideally I would like to know if there is any option in MySql to
> store the DB files in a secure format and one that needs a key or
> similiar to open the DB
> >
> >
> If someone was able to access your DB files, he would probably also be
> able to access that key (that you must store _somewhere_), wouldn't he?
>
> - Csongor
>
>
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:
> http://lists.mysql.com/[EMAIL PROTECTED]
>
>



-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]



Re: Security Question

2003-11-26 Thread mos
At 03:21 PM 11/26/2003, you wrote:

> If someone can copy your database files, you're hosed.  All the attacker
> need do is start the server with --skip-grant-tables, and he can
> connect to it with no password, and has complete access to any files
> managed by the server.

Paul & Curley,
And of course if they have physical access to the machine 
they can remove your hard drive and put them into their own machine as a 
slave. Hot swappable drives make removal fast and easy; you don't even need 
a screwdriver.  So if your data is worth something, make sure there are 
good locks on the door and check everyone's bag on the way out.

If you think this can't happen, a mega bookstore opened up in town 
and they had their file server/database server sitting beside a desk in the 
common area. I guess they were in a hurry to set it up and get the 
terminals up and running. Well a few days later the system went down and in 
a few minutes the techie went over to check it out. Well, their tower 
computer had disappeared. Apparently someone had disconnected (or cut the 
cables) it and snuck it out the door under a trench coat. It took less than 
60 seconds and their data was gone, customer lists, vendor info, and credit 
card data now belonged to someone else. I don't know what database they 
were using, but once your hard drives are gone or copied or backed up, your 
data is vulnerable unless you're using encryption that is independent of 
the OS.

Mike 





Re: Security Question

2003-11-26 Thread Paul DuBois
At 16:13 -0500 11/26/03, Kevin Carlson wrote:
> Curley, Thomas wrote:
>
>> I am trying to find a solution to the following security issue with
>> MySql DB on linux
>>
>> - Someone copies the DB files to another box, starts a mysql
>> instance, loads the DB and presto - views the 'private' data !!!
>
> As all the other posters have mentioned, you should have tight file
> level security set up.  However, if you use basic mysql user
> authentication, even copying the files over shouldn't allow them to
> view the information in a database since they would need the mysql
> user/passwd to do anything.  Which got me to thinking... is this the
> case?  If I am using MyISAM tables and just port them over to a
> different box with a different security scheme, would I be allowed
> to view those MyISAM tables?  Also, is this the case for InnoDB as
> well?

Sure.  That's why you establish filesystem level access privileges so that
only the mysql user can copy them in the first place.

If someone can copy your database files, you're hosed.  All the attacker
need do is start the server with --skip-grant-tables, and he can
connect to it with no password, and has complete access to any files
managed by the server.
--
Paul DuBois, Senior Technical Writer
Madison, Wisconsin, USA
MySQL AB, www.mysql.com
Are you MySQL certified?  http://www.mysql.com/certification/



Re: Security Question

2003-11-26 Thread Kevin Carlson
Curley, Thomas wrote:

> I am trying to find a solution to the following security issue with MySql DB on linux
>
> - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!!

As all the other posters have mentioned, you should have tight file 
level security set up.  However, if you use basic mysql user 
authentication, even copying the files over shouldn't allow them to view 
the information in a database since they would need the mysql 
user/passwd to do anything.  Which got me to thinking... is this the 
case?  If I am using MyISAM tables and just port them over to a 
different box with a different security scheme, would I be allowed to 
view those MyISAM tables?  Also, is this the case for InnoDB as well?





RE: Security Question

2003-11-26 Thread mos
At 07:22 AM 11/26/2003, you wrote:

> Another Assumption
> --
> Encrypting / decrypting all data on the fly would be too expensive and
> grind the app to a halt

Not true. There are some databases that can encrypt records on the fly 
without any speed degradation (< 1%) using either Blowfish or AES. The data 
record, index, blob fields (memos) are all encrypted so if someone walks 
away with your database files, they are all gibberish. The transmission of 
the password over the network is also encrypted. See 
www.advantagedatabase.com for a Windows/Linux solution. (Unfortunately 
their free ALS version has a license agreement that does NOT permit its use 
on a web server.)

If you have physical access to the web server then simply entering the 
password will get the database app up and running. Or there are various 
means to send the encrypted time sensitive password to the webserver so it 
can open the database. Anyone sniffing for the password will be out of luck.

I too would love to have MySQL encrypt the records on the fly, especially if 
it is on a shared webserver. OS security will only get you so far. Other 
database companies have implemented transparent record encryption quite 
effectively, and I'm still waiting for MySQL to realize the importance of 
encryption.

Mike ( holding breath :-0 )





Re: Security Question

2003-11-26 Thread Glenn Stauffer
Stefan Kuhn wrote:

>> To the chap who said its not a DB issue - I will check with Oracle but I'm
>> sure that dropping in a directory in oracle will not give you full access
>> to a database (a clear one that is)
>
> The chap was me :-) I'm sure it does on oracle. Once you have an Oracle
> installation and got hold of all database files (which is easy once an
> intruder got root on the machine) you have access to all data. Even oracle
> can't do anything about this, but there might be two difficulties with oracle
> compared to mysql: You need the oracle software (expensive, but do hackers
> buy software?) and it might be that the files are spread all over the
> computer and hard to find. But basically, it is the same with oracle (but I
> never used oracle, this is common sense).
> Stefan


It isn't quite as simple as copying the datafiles to a new server and 
opening the Oracle database.  There are controlfiles to deal with and a 
somewhat complex process to follow.  But, Oracle documentation and 
Oracle database software is freely downloadable over the net, so a 
determined thief would be able to access your data without too much problem.

It is far easier, however, if you can root an Oracle box, to become the 
software owner, change the sys/system password (database root), export 
the database and either import that file into another Oracle database or 
just do a strings on it to get readable data.

You can do all that, anyway, faster than copying all of the datafiles 
off the server.

--

Glenn Stauffer





Re: Security Question

2003-11-26 Thread Sergei Golubchik
Hi!

On Nov 26, Curley, Thomas wrote:
> thanks for reply - the requirement comes from a security audit - so
> try to think in terms of a hacker
> 
> Obviously and (I had assumed)
> 1.- the files would have tight unix security file permissions
> applied
> 2.- indeed the key would be stored on an internal tightly managed
> box (or device)
> 
> Another Assumption
> --
> Encrypting / decrypting all data on the fly would be too expensive and
> grind the app to a halt
> 
> So the question again :-
>   
> Any ideas on how to avoid having data files stored with absolutely no
> protection against copying 

Just as you said above - "tight unix security file permissions".
That is - database files should be readable ONLY by the dedicated
"mysql" user. Thus if somebody breaks in he will need to be root to copy
these files. And if he can get root - no encryption will help, he can
get the key straight from the mysqld memory image (via /proc/*/mem)
or patch the server (again via /proc/*/mem) to decrypt all the data for
him, or hijack your connections to the server and record all the traffic
or anything. If somebody got root - you lost. Until he did - unix
permissions will help.
 
> If there is no solution to this then MySql should not be used on
> internet accessible boxes for dynamic web sites

See above. Web server should be on this "internet accessible box",
shouldn't it ? And it (or a CGI program) should be able to talk to
mysqld (which resides on a dedicated secure box), and it should know the
password. So if somebody can get into the box with httpd - he'll be able
to access mysqld too.

Regards,
Sergei

-- 
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, Senior Software Developer
/_/  /_/\_, /___/\___\_\___/  Osnabrueck, Germany
   <___/  www.mysql.com

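Sergei's rule above, that the data files must be readable only by the dedicated mysql account, is something an administrator can verify rather than assume. The script below is an added example written for this page; it is not code from the thread or from MySQL AB. It assumes a conventional data directory such as /var/lib/mysql (the path Thomas quotes) and a server account named mysql, both passed in as arguments, and it uses only POSIX find, id and wc. It flags every path not owned by that account and every path with any group or other permission bit set, which is stricter than the 0750 some installations use but is exactly the "ONLY by the dedicated mysql user" property Sergei describes.

```shell
#!/bin/sh
# Added example (not from the thread): audit a MySQL data directory for the
# property Sergei describes, i.e. every file and directory under it owned by
# the dedicated server account and accessible to that account only
# (0700 directories, 0600 files). The data directory path and the account
# name are assumptions and are passed in as arguments.
#
# Usage: audit_datadir /var/lib/mysql mysql
# Output: one "FINDING: ..." line per problem plus a SUMMARY line.
# Exit status: 0 when clean, 1 when there are findings, 2 on bad input.

audit_datadir() {
    datadir=$1
    owner=${2:-mysql}
    findings=0

    if [ ! -d "$datadir" ]; then
        echo "ERROR: '$datadir' is not a directory"
        return 2
    fi

    # 1. Ownership. A path owned by anyone else (root included) means a
    #    different account controls the files, or that mysqld is being run
    #    under the wrong user. An unknown account is itself a finding.
    if id "$owner" >/dev/null 2>&1; then
        not_owned=$(find "$datadir" ! -user "$owner" -print)
    else
        not_owned=""
        echo "FINDING: expected owner '$owner' is not a known account on this host"
        findings=$((findings + 1))
    fi
    if [ -n "$not_owned" ]; then
        echo "$not_owned" | while IFS= read -r path; do
            echo "FINDING: not owned by $owner: $path"
        done
        findings=$((findings + $(echo "$not_owned" | wc -l)))
    fi

    # 2. Permission bits. "-perm -MODE" (octal) matches when all bits of MODE
    #    are set, so each alternative below catches a single bit: group
    #    r/w/x and other r/w/x. The data directory itself is included in the
    #    walk. Any hit means a non-owner can list, read or modify part of the
    #    tree, which is the "copy the files to another box" case of the thread.
    loose=$(find "$datadir" \( -perm -040 -o -perm -020 -o -perm -010 \
                               -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "$loose" | while IFS= read -r path; do
            echo "FINDING: group/other permission bits set: $path"
        done
        findings=$((findings + $(echo "$loose" | wc -l)))
    fi

    echo "SUMMARY: $findings finding(s) under $datadir"
    [ "$findings" -eq 0 ]
}

# When run as a script: ./audit_datadir.sh /var/lib/mysql mysql
if [ $# -ge 1 ]; then
    audit_datadir "$1" "${2:-mysql}"
fi
```

Run it as root or as the mysql account (another user cannot traverse a correctly locked-down directory, which is the point); a non-zero exit with no findings listed means the path or account argument was wrong, not that the directory is clean.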



Re: Security Question

2003-11-26 Thread Mikael Fridh
Hacker gets in this way:
->[Webserver][rooted]->[DBServer][rooted]->File_Access(/var/lib/mysql/database)

I'd say the "major security breach" is already when the Webserver is rooted.^
If he gets to your webserver he could still read WHATEVER DATA he wants from 
your database with the information he finds in your site's code.


Look at below example: (Use Fixed Font)

Internet
   |
(80,443)--- <- firewall w/ webports open
   |
Webserver
   |
(3306)- <- another one allowing mysql access
   |
DBServer

Since you have a bulkhead between your servers your DBServer is completely* 
safe from anyone getting file-level access to it.

But, since you have a working webserver with scripts and functions to access 
the database he can still access any data he wants from the database server.

Stop worrying so much about mysql's filelevel security.
If your webserver is rooted you are toast anyway!


Mike

^Your security review needs to be reviewed?
*Unless there's a security hole in mysql allowing code/command execution.


On Wednesday 26 November 2003 14.43, Curley, Thomas wrote:
> Mike
>
> Correct and this is the architecture.  The internet facing box has a
> routable IP, the DB box is separate and is not ext routable.
>
> The issue the security review highlighted strongly was the fact that if a
> hacker got access to the box (however) then copying /var/lib/mysql/database
> would result in a major security breach
>
> To the chap who said its not a DB issue - I will check with Oracle but I'm
> sure that dropping in a directory in oracle will not give you full access
> to a database (a clear one that is)
>
> Thomas
>





Re: Security Question

2003-11-26 Thread Stefan Kuhn
> To the chap who said its not a DB issue - I will check with Oracle but I'm
> sure that dropping in a directory in oracle will not give you full access
> to a database (a clear one that is)
The chap was me :-) I'm sure it does on oracle. Once you have an Oracle 
installation and got hold of all database files (which is easy once an 
intruder got root on the machine) you have access to all data. Even oracle 
can't do anything about this, but there might be two difficulties with oracle 
compared to mysql: You need the oracle software (expensive, but do hackers 
buy software?) and it might be that the files are spread all over the 
computer and hard to find. But basically, it is the same with oracle (but I 
never used oracle, this is common sense).
Stefan

-- 
Stefan Kuhn M. A.
Cologne University BioInformatics Center (http://www.cubic.uni-koeln.de)
Zülpicher Str. 47, 50674 Cologne
Tel: +49(0)221-470-7428   Fax: +49 (0) 221-470-7786
My public PGP key is available at http://pgp.mit.edu





Re: Security Question

2003-11-26 Thread Duncan Hill
On Wednesday 26 November 2003 13:43, Curley, Thomas wrote:
> Mike
>
> Correct and this is the architecture.  The internet facing box has a
> routable IP, the DB box is separate and is not ext routable.
>
> The issue the security review highlighted strongly was the fact that if a
> hacker got access to the box (however) then copying /var/lib/mysql/database
> would result in a major security breach
>
> To the chap who said its not a DB issue - I will check with Oracle but I'm
> sure that dropping in a directory in oracle will not give you full access
> to a database (a clear one that is)

In the end, it's all tradeoffs.  You could put an encryption algorithm into 
your web interface, but then the key is public.  However, cracking the DB 
server only gets you encrypted data. Tradeoff?  Speed.

Best data security practice (silly) - don't have the data in the first place.





RE: Security Question

2003-11-26 Thread Curley, Thomas
Mike

Correct and this is the architecture.  The internet facing box has a routable IP, the 
DB box is separate and is not ext routable.

The issue the security review highlighted strongly was the fact that if a hacker got 
access to the box (however) then copying /var/lib/mysql/database would result in a 
major security breach

To the chap who said its not a DB issue - I will check with Oracle but I'm sure that 
dropping in a directory in oracle will not give you full access to a database (a clear 
one that is)

Thomas









-Original Message-
From: Mike Brum [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 13:36
To: Curley, Thomas; [EMAIL PROTECTED]
Subject: RE: Security Question


One of the first things that I did at my former job was to turn off all
external-facing network adapters to our DB machines. If you're fortunate
enough that your DB resides on its own box and not the webserver itself,
then there's really no reason that you *need* to have it externally facing.
There are PLENTY of solutions that you can put in place in order to still
have remote access to those machines without them having an externally
routable IP.

While it is possible for a hacker to compromise one machine and then access
the DB machine over your internal WAN at the hosting location, the more
roadblocks you put between a potential hacker and your sensitive data, the
better.

-M


-Original Message-
From: Curley, Thomas [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 26, 2003 8:22 AM
To: [EMAIL PROTECTED]
Subject: RE: Security Question
Importance: High


thanks for reply - the requirement comes from a security audit - so try to
think in terms of a hacker

Obviously and (I had assumed)
1.  - the files would have tight unix security file permissions applied
2.  - indeed the key would be stored on an internal tightly managed box
(or device)

Another Assumption
--
Encrypting / decrypting all data on the fly would be too expensive and grind
the app to a halt

So the question again :-

Any ideas on how to avoid having data files stored with absolutely
no protection against copying 


If there is no solution to this then MySql should not be used on internet
accessible boxes for dynamic web sites


Thomas






-Original Message-
From: Fagyal, Csongor [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 12:51
To: Curley, Thomas
Cc: [EMAIL PROTECTED]
Subject: Re: Security Question


Thomas,

>I am trying to find a solution to the following security issue with 
>MySql DB on linux
>
>- Someone copies the DB files to another box, starts a mysql instance, 
>loads the DB and presto - views the 'private' data !!!
>  
>
Well, "someone" should not have access rights to the DB files on the 
first hand.

>Ideally I would like to know if there is any option in MySql to store 
>the DB files in a secure format and one that needs a key or similar to
open the DB
>  
>
If someone was able to access your DB files, he would probably also be 
able to access that key (that you must store _somewhere_), wouldn't he?

- Csongor






RE: Security Question

2003-11-26 Thread Mike Brum
One of the first things that I did at my former job was to turn off all
external-facing network adapters to our DB machines. If you're fortunate
enough that your DB resides on its own box and not the webserver itself,
then there's really no reason that you *need* to have it externally facing.
There are PLENTY of solutions that you can put in place in order to still
have remote access to those machines without them having an externally
routable IP.

While it is possible for a hacker to compromise one machine and then access
the DB machine over your internal WAN at the hosting location, the more
roadblocks you put between a potential hacker and your sensitive data, the
better.

-M


-Original Message-
From: Curley, Thomas [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 26, 2003 8:22 AM
To: [EMAIL PROTECTED]
Subject: RE: Security Question
Importance: High


thanks for reply - the requirement comes from a security audit - so try to
think in terms of a hacker

Obviously and (I had assumed)
1.  - the files would have tight unix security file permissions applied
2.  - indeed the key would be stored on an internal tightly managed box
(or device)

Another Assumption
--
Encrypting / decrypting all data on the fly would be too expensive and grind
the app to a halt

So the question again :-

Any ideas on how to avoid having data files stored with absolutely
no protection against copying 


If there is no solution to this then MySql should not be used on internet
accessible boxes for dynamic web sites


Thomas






-Original Message-
From: Fagyal, Csongor [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 12:51
To: Curley, Thomas
Cc: [EMAIL PROTECTED]
Subject: Re: Security Question


Thomas,

>I am trying to find a solution to the following security issue with 
>MySql DB on linux
>
>- Someone copies the DB files to another box, starts a mysql instance, 
>loads the DB and presto - views the 'private' data !!!
>  
>
Well, "someone" should not have access rights to the DB files on the 
first hand.

>Ideally I would like to know if there is any option in MySql to store 
>the DB files in a secure format and one that needs a key or similar to
open the DB
>  
>
If someone was able to access your DB files, he would probably also be 
able to access that key (that you must store _somewhere_), wouldn't he?

- Csongor




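Two points raised in this thread have a direct counterpart in the server's own configuration: Paul DuBois's warning above that a server started with --skip-grant-tables accepts any connection without a password, and Mike Brum's point here that the database host should not be reachable from outside. The script below is an added example for this page, not code from the thread or from MySQL AB. It reads only the [mysqld] group of a my.cnf and flags skip-grant-tables, user=root, and the absence of both skip-networking and bind-address (with neither set, mysqld listens on every interface). The option names are standard MySQL server options; the file paths and the sample configurations in the usage are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the [mysqld] group of a my.cnf
# for three settings that bear on this discussion: skip-grant-tables, the
# account mysqld runs as, and whether TCP access is restricted at all.
# The my.cnf path is an assumption passed in as an argument.
#
# Usage: audit_mycnf /etc/my.cnf
# Exit status: 0 when clean, 1 when there are findings, 2 on bad input.

# Print the option lines of the [mysqld] group only: comments (# or ;) and
# blank lines removed, surrounding whitespace trimmed, and underscores in the
# option name folded to dashes, since mysqld accepts skip_grant_tables and
# skip-grant-tables alike. Options in other groups ([client], [mysqldump]...)
# are ignored because they do not configure the server.
mysqld_options() {
    sed 's/[#;].*$//' "$1" | awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        insec && NF {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            n = index($0, "=")
            key = (n ? substr($0, 1, n - 1) : $0)
            gsub(/_/, "-", key)
            if (n) print key substr($0, n); else print key
        }'
}

# True when option NAME is present in $OPTS, as a bare flag or as "NAME = value".
has_opt() {
    printf '%s\n' "$OPTS" | grep -q -E "^$1([[:space:]]*=|$)"
}

# Value of "NAME = value" in $OPTS; empty when absent or given as a bare flag.
opt_value() {
    printf '%s\n' "$OPTS" | awk -F= -v k="$1" '
        $1 ~ ("^" k "[ \t]*$") {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        }'
}

audit_mycnf() {
    cnf=$1
    findings=0
    if [ ! -r "$cnf" ]; then
        echo "ERROR: cannot read '$cnf'"
        return 2
    fi
    OPTS=$(mysqld_options "$cnf")

    # Paul's point: with the grant tables skipped, every client gets in.
    if has_opt skip-grant-tables; then
        echo "FINDING: skip-grant-tables is set; every client connects with full access and no password"
        findings=$((findings + 1))
    fi

    # The data files take the owner of the server process; it should not be root.
    if [ "$(opt_value user)" = "root" ]; then
        echo "FINDING: user=root; mysqld and its data files run under the superuser"
        findings=$((findings + 1))
    fi

    # Mike Brum's point: a database box with no external exposure. Inside the
    # server that means the socket only (skip-networking) or a single address.
    if ! has_opt skip-networking && ! has_opt bind-address; then
        echo "FINDING: neither skip-networking nor bind-address is set; mysqld listens on every interface"
        findings=$((findings + 1))
    fi

    echo "SUMMARY: $findings finding(s) in $cnf"
    [ "$findings" -eq 0 ]
}

# When run as a script: ./audit_mycnf.sh /etc/my.cnf
if [ $# -ge 1 ]; then
    audit_mycnf "$1"
fi
```

The script deliberately reads only the [mysqld] group; mysqld_safe also forwards options from [mysqld_safe] to the server, so a complete audit of a host started that way should run the same checks over that group as well, and a clean report says nothing about options supplied on the command line.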



Re: Security Question

2003-11-26 Thread Stefan Kuhn
Well, I'm not an expert on security, but I don't think this is a database 
issue. It is really a file/operating system issue. I don't think you can do 
anything in the database against copying the files. If somebody has access on 
file system level, the dbms is powerless. So I think you need to think about 
the OS.
Stefan

On Wednesday 26 November 2003 14:22, Curley, Thomas wrote:
> thanks for reply - the requirement comes from a security audit - so try to
> think in terms of a hacker
>
> Obviously and (I had assumed)
> 1.- the files would have tight unix security file permissions applied
> 2.- indeed the key would be stored on an internal tightly managed box (or
> device)
>
> Another Assumption
> --
> Encrypting / decrypting all data on the fly would be too expensive and
> grind the app to a halt
>
> So the question again :-
>
>   Any ideas on how to avoid having data files stored with absolutely no
> protection against copying 
>
>
> If there is no solution to this then MySql should not be used on internet
> accessible boxes for dynamic web sites
>
>
> Thomas
>
>
>
>
>
>
> -Original Message-
> From: Fagyal, Csongor [mailto:[EMAIL PROTECTED]
> Sent: 26 November 2003 12:51
> To: Curley, Thomas
> Cc: [EMAIL PROTECTED]
> Subject: Re: Security Question
>
>
> Thomas,
>
> >I am trying to find a solution to the following security issue with MySql
> > DB on linux
> >
> >- Someone copies the DB files to another box, starts a mysql instance,
> > loads the DB and presto - views the 'private' data !!!
>
> Well, "someone" should not have access rights to the DB files on the
> first hand.
>
> >Ideally I would like to know if there is any option in MySql to store the
> > DB files in a secure format and one that needs a key or similar to open
> > the DB
>
> If someone was able to access your DB files, he would probably also be
> able to access that key (that you must store _somewhere_), wouldn't he?
>
> - Csongor
>
>

-- 
Stefan Kuhn M. A.
Cologne University BioInformatics Center (http://www.cubic.uni-koeln.de)
Zülpicher Str. 47, 50674 Cologne
Tel: +49(0)221-470-7428   Fax: +49 (0) 221-470-7786
My public PGP key is available at http://pgp.mit.edu





Re: Security Question

2003-11-26 Thread Duncan Hill
On Wednesday 26 November 2003 13:22, Curley, Thomas wrote:
> Another Assumption
> --
> Encrypting / decrypting all data on the fly would be too expensive and
> grind the app to a halt
>
> So the question again :-
>
>   Any ideas on how to avoid having data files stored with absolutely no
> protection against copying 

To look at it from another angle  (and address the 'shouldn't be on the 
internet' issue), take the case of a webserver that has a script that can 
access the SQL server.  Said SQL server is on a private, internal only 
network, with no access to the internet.  Said script has a username and 
password that can read 'private' data.  Someone is able to see the source of 
the script, and now has the username and password (assumption: the viewing is 
done from a local shell).  How is having the SQL server hidden from the 
internet a benefit?  

So long as you provide any mechanism to access the server, you cannot consider 
the server data to be private, unless you redefine the word private.

If you want to keep data on an SQL server, and not let people copy the 
database, then don't give them a login on the SQL server, and don't give them 
a username/password for connecting to the SQL engine.

How do you stop someone from copying a piece of paper in an office?  You lock 
it away from them.  Or them from it.





RE: Security Question

2003-11-26 Thread Curley, Thomas
thanks for reply - the requirement comes from a security audit - so try to think in 
terms of a hacker

Obviously and (I had assumed)
1.  - the files would have tight unix security file permissions applied
2.  - indeed the key would be stored on an internal tightly managed box (or device)

Another Assumption
--
Encrypting / decrypting all data on the fly would be too expensive and grind the app 
to a halt

So the question again :-

Any ideas on how to avoid having data files stored with absolutely no 
protection against copying 


If there is no solution to this then MySql should not be used on internet accessible 
boxes for dynamic web sites


Thomas






-Original Message-
From: Fagyal, Csongor [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 12:51
To: Curley, Thomas
Cc: [EMAIL PROTECTED]
Subject: Re: Security Question


Thomas,

>I am trying to find a solution to the following security issue with MySql DB on linux
>
>- Someone copies the DB files to another box, starts a mysql instance, loads the DB 
>and presto - views the 'private' data !!!
>  
>
Well, "someone" should not have access rights to the DB files on the 
first hand.

>Ideally I would like to know if there is any option in MySql to store the DB files in 
>a secure format and one that needs a key or similar to open the DB
>  
>
If someone was able to access your DB files, he would probably also be 
able to access that key (that you must store _somewhere_), wouldn't he?

- Csongor






Re: Security Question

2003-11-26 Thread Fagyal, Csongor
Thomas,

> I am trying to find a solution to the following security issue with MySql DB on linux
>
> - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!!

Well, "someone" should not have access rights to the DB files on the 
first hand.

> Ideally I would like to know if there is any option in MySql to store the DB files in a secure format and one that needs a key or similar to open the DB

If someone was able to access your DB files, he would probably also be 
able to access that key (that you must store _somewhere_), wouldn't he?

- Csongor





Re: Security related! Not possible to hide table structure. I couldn't find..... ?

2003-08-04 Thread Yves Goergen
what is so bad at seeing the table structure?
i mean to work with the table, you need to know the fields and their types to avoid 
syntax errors.
and what should happen on a SELECT * FROM...? do you want to see nothing, because it 
would let the user know about the structure, or all fields, as normal? or what about 
sql admin progs like phpmyadmin? i think they rely on getting all the fields to show a 
table.

i've heard about table views in mysql 5. would that already be a solution for that?

-yves

 
-Original Message- 
From: "Rudy Metzger" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, 4 August 2003 14:50
Subject: RE: Security related! Not possible to hide table structure. I couldn't 
find. ?


If you give access rights to a user on a DB, he will always be able to
see the table structure. This is how it is implemented in MySQL (which
does not mean that I like this).

 

Cheers

/rudy

 

-Original Message-
From: QWERTY [mailto:[EMAIL PROTECTED] 
Sent: Monday 4 August 2003 14:47
To: [EMAIL PROTECTED]
Subject: Security related! Not possible to hide table structure. I
couldn't find. ?

 

Hello,

 

Think that we have a database named DATABASE1, and table named TABLE1,
and fields named FIELD1, FIELD1,FIELD2,FIELD3,FIELD4

 

You want to give a specific permission to a user named USER1

 

For ex, you give only SELECT permission to USER1 for FIELD1 and FIELD4
in TABLE1 and DATABASE1.

and you did not assign any other permission to USER1.

 

Now everything is OK! USER1 can only select FIELD1 and FIELD4, and can
not see data or change or etc.. to FIELD2 or FIELD3..

 

So we think that everything is OK! But, USER1 is still able to see the
table structure of TABLE1. He sees fields which i don't want him to see!

 

As i searched internet related to this topic i couldn't find any
satisfactory solution to this one.

 

Anyone has idea to prevent USER1 to be able to see table structure and
only permission to SELECT FIELD1 and FIELD4 as i assigned?

 

Also there should be some default error message for these users when
they try to select from another field. why? Because if my first
question gets answered and solved, then, USER1 can try to SELECT FIELD3
FROM TABLE1.. .and it will say something like "you have no permission
for FIELD3"

insted of this, it can be "This field does not exist"..

 

Thanks.

QWERTY

 

 

 


 <http://www.incredimail.com/redir.asp?ad_id=309&lang=9>   IncrediMail -
Email has finally evolved - Click Here
<http://www.incredimail.com/redir.asp?ad_id=309&lang=9> 



--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]



RE: Security related! Not possible to hide table structure. I couldn't find..... ?

2003-08-04 Thread Rudy Metzger
If you give access rights to a user on a DB, he will always be able to
see the table structure. This is how it is implemented in MySQL (which
does not mean that I like this).

 

Cheers

/rudy

 

-Original Message-
From: QWERTY [mailto:[EMAIL PROTECTED] 
Sent: maandag 4 augustus 2003 14:47
To: [EMAIL PROTECTED]
Subject: Security related! Not possible to hide table structure. I
couldn't find. ?

 

Hello,

 

Think that we have a database named DATABASE1, and table named TABLE1,
and fields named FIELD1, FIELD1,FIELD2,FIELD3,FIELD4

 

You want to give a specific permission to a user named USER1

 

For ex, you give only SELECT permission to USER1 for FIELD1 and FIELD4
in TABLE1 and DATABASE1.

and you did not assign any other permission to USER1.

 

Now everything is OK! USER1 can only select FIELD1 and FIELD4, and can
not see data or change or etc.. to FIELD2 or FIELD3..

 

So we think that everything is OK! But, USER1 is still able to see the
table structure of TABLE1. He see fields which i don't want him to see!

 

As i searched internet related to this topic i couldn't find any
satistfactory solution to this one.

 

Anyone has idea to prevent USER1 to be able to see table structure and
only permission to SELECT FIELD1 and FIELD4 as i assigned?

 

Also there should be some default error message for these users when
they try to select from another field. why? Because if my  first
question gets answered and solved, then, USER1 can try to SELECT FIELD3
FROM TABLE1.. .and it will say something like "you have no permission
for FIELD3"

insted of this, it can be "This field does not exist"..

 

Thanks.

QWERTY

 

 

 




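A worked version of the two approaches this thread discusses, the column-level GRANT from QWERTY's question and the view yves asks about, added here as an example; it is not code posted by any participant. DATABASE1, TABLE1, FIELD1..FIELD4 and USER1 are the placeholder names from the question; the host 'localhost', the view name TABLE1_public and the password string are assumptions. CREATE VIEW needs MySQL 5.0 or later, and GRANT ... IDENTIFIED BY is the syntax of that era (removed in MySQL 8.0).

```sql
-- Added example for this thread (not code posted by any participant).
-- Placeholder names from the original question: DATABASE1, TABLE1,
-- FIELD1..FIELD4, USER1. Assumed: the user connects from localhost,
-- the view name TABLE1_public, and the password string.

-- (a) Column-level privilege, available in MySQL 3.23/4.x. USER1 may read
--     two columns. A statement touching any other column is refused, and the
--     refusal names the column, which is the message QWERTY wants to avoid.
GRANT SELECT (FIELD1, FIELD4) ON DATABASE1.TABLE1
  TO 'USER1'@'localhost' IDENTIFIED BY 'change-me';
-- as USER1:
--   SELECT FIELD1, FIELD4 FROM DATABASE1.TABLE1;   -- works
--   SELECT * FROM DATABASE1.TABLE1;
--   ERROR 1143: SELECT command denied to user 'USER1'@'localhost'
--               for column 'FIELD2' in table 'TABLE1'   (first column without privilege)

-- (b) View, MySQL 5.0 and later. Create it as the administrator; with the
--     default SQL SECURITY DEFINER it runs with the creator's rights, so
--     USER1 needs, and gets, no privilege on the base table at all.
REVOKE SELECT (FIELD1, FIELD4) ON DATABASE1.TABLE1 FROM 'USER1'@'localhost';

CREATE SQL SECURITY DEFINER VIEW DATABASE1.TABLE1_public AS
  SELECT FIELD1, FIELD4 FROM DATABASE1.TABLE1;

GRANT SELECT ON DATABASE1.TABLE1_public TO 'USER1'@'localhost';

-- as USER1:
--   SELECT FIELD1, FIELD4 FROM DATABASE1.TABLE1_public;   -- works
--   SELECT FIELD3 FROM DATABASE1.TABLE1_public;
--   ERROR 1054: Unknown column 'FIELD3' in 'field list'   (not a permission error)
--   SELECT * FROM DATABASE1.TABLE1;
--   ERROR 1142: SELECT command denied to user 'USER1'@'localhost' for table 'TABLE1'

-- Confirm nothing else was granted:
SHOW GRANTS FOR 'USER1'@'localhost';
```

The view answers both halves of the question: the hidden columns are not part of any object USER1 has a privilege on, and asking for one of them produces "Unknown column" rather than a privilege error.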

Re: Security

2003-04-04 Thread gerald_clark
Read the section of the manual on table types.
Different table drivers offer different types of locking.
ISAM and MYISAM don't,
but BDB and INNODB types offer different types of row and/or page locking.
[EMAIL PROTECTED] wrote:

> Hello,
>
> I would like to know if MySQL allows for record locking.  Also, what other 
> security features does MySQL have?
>
> Thank you.
>
> Cynde

 





Re: Security

2003-04-04 Thread Brian McCain
From the fine manual:

"4.2 General Security Issues and the MySQL Access Privilege System
MySQL has an advanced but non-standard security/privilege system. This
section describes how it works."

http://www.mysql.com/doc/en/Privilege_system.html

Brian McCain

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 04, 2003 9:47 AM
Subject: Security


> Hello,
>
> I would like to know if MySQL allows for record locking.  Also, what other
> security features does MySQL have?
>
> Thank you.
>
> Cynde
>





re: Re: Security issues with LOAD DATA

2002-12-05 Thread Egor Egorov
cardrdc> This also does not enable me to upload a data file. My resulting SQL
cardrdc> statement reads:

cardrdc> LOAD DATA LOCAL '/tmp/phpgPhl51' INTO TABLE test FIELDS TERMINATED BY ','
cardrdc> ENCLOSED BY '"' ESCAPED BY '\\' LINES TERMINATED BY '\r\n'

cardrdc> I have also tried:
cardrdc> LOAD DATA LOCAL INFILE '/tmp/phpgPhl51' INTO TABLE test FIELDS TERMINATED BY
cardrdc> ',' ENCLOSED BY '"' ESCAPED BY '\\' LINES TERMINATED BY '\r\n'

And? What did you get? Error or what?

cardrdc> My hosting provider claims that I have no choice in this matter because of
cardrdc> the security reference you have noted. However I find it hard to believe
cardrdc> that this privilege can't be granted on a user by user basis as you would
cardrdc> GRANT INSERT, DELETE...and so on.

File privilege for LOAD DATA is a global level privilege.




-- 
For technical support contracts, goto https://order.mysql.com/?ref=ensita
This email is sponsored by Ensita.net http://www.ensita.net/
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /Egor Egorov
 / /|_/ / // /\ \/ /_/ / /__   [EMAIL PROTECTED]
/_/  /_/\_, /___/\___\_\___/   MySQL AB / Ensita.net
   <___/   www.mysql.com




-
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/   (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php


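The point in Egor's last line, that FILE is a global privilege, and the LOCAL alternative he refers to, shown as an added example (not code posted by any participant). 'app'@'localhost', the database and table named test, and /tmp/data.csv are placeholders; the local_infile server variable assumes MySQL 4.0 or later.

```sql
-- Added example for this thread (not code posted by any participant).
-- 'app'@'localhost', database test, table test and /tmp/data.csv are
-- placeholders; local_infile as a server variable assumes MySQL 4.0 or later.

-- FILE is a global privilege: it can only be granted ON *.* ...
GRANT FILE ON *.* TO 'app'@'localhost';

-- ... and a per-database form is rejected by the server, which is why a
-- hosting provider cannot hand it out per customer:
GRANT FILE ON test.* TO 'app'@'localhost';
--   ERROR 1221: Incorrect usage of DB GRANT and GLOBAL PRIVILEGES

-- Why it is global: LOAD DATA INFILE (no LOCAL) makes mysqld itself open a
-- file on the server host. Whoever holds FILE can therefore read any file the
-- mysqld process can read, which on a shared server includes other customers'
-- data. Note that the keyword INFILE is required in both forms.
LOAD DATA INFILE '/tmp/data.csv' INTO TABLE test
  FIELDS TERMINATED BY ',' ENCLOSED BY '"' ESCAPED BY '\\'
  LINES TERMINATED BY '\r\n';

-- LOAD DATA LOCAL INFILE reads the file on the client side and ships it over
-- the connection. It needs only INSERT on the table, plus LOCAL enabled on
-- the server (local_infile) and in the client (e.g. mysql --local-infile=1,
-- or the equivalent option of the PHP client library).
GRANT INSERT ON test.* TO 'app'@'localhost';
LOAD DATA LOCAL INFILE '/tmp/data.csv' INTO TABLE test
  FIELDS TERMINATED BY ',' ENCLOSED BY '"' ESCAPED BY '\\'
  LINES TERMINATED BY '\r\n';

-- Check whether the server accepts LOCAL at all:
SHOW VARIABLES LIKE 'local_infile';
```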


Re: Security issues with LOAD DATA

2002-12-03 Thread cwilli14
This also does not enable me to upload a data file. My resulting SQL
statement reads:

LOAD DATA LOCAL '/tmp/phpgPhl51' INTO TABLE test FIELDS TERMINATED BY ','
ENCLOSED BY '"' ESCAPED BY '\\' LINES TERMINATED BY '\r\n'

I have also tried:
LOAD DATA LOCAL INFILE '/tmp/phpgPhl51' INTO TABLE test FIELDS TERMINATED BY
',' ENCLOSED BY '"' ESCAPED BY '\\' LINES TERMINATED BY '\r\n'

My hosting provider claims that I have no choice in this matter because of
the security reference you have noted. However I find it hard to believe
that this privilege can't be granted on a user by user basis as you would
GRANT INSERT, DELETE...and so on.

I am also puzzled that I have the ability to perform this task from the
phpmyadmin utility provided with my hosting account.

Regards,
Chris







re: Security issues with LOAD DATA

2002-12-03 Thread Egor Egorov
Chris,
Tuesday, December 03, 2002, 6:58:39 AM, you wrote:

CW> I developed a PHP application where users can update a mySQL table using
CW> LOAD DATA. Recently I installed this application on another web server where
CW> the File Permissions have been set such that this method of uploading data
CW> is no longer valid. Since phpMyAdmin is not an option I am trying to find an
CW> alternative or workaround such that users can upload a comma delimited text
CW> file containing the table records.

If user doesn't have FILE privilege you can use LOAD DATA LOCAL, but
in this case you should enable something: 
 http://www.mysql.com/doc/en/LOAD_DATA_LOCAL.html








re: Security question

2002-10-28 Thread Egor Egorov
Daniel,
Monday, October 28, 2002, 1:06:10 AM, you wrote:

DLS> In my mysql.db file, I have some lines like:

DLS> %.private | somedb | someuser  | Y | Y | Y | Y | Y | Y | N | Y  | Y  | Y

DLS> So, I have an internal domain called private, those hosts are in an
DLS> internal DNS, and can be reverse resolved.  The only way I can manage to
DLS> connect to "somedb" as "someuser" is to put the fully qualified hostnames
DLS> in the /etc/hosts file, eg.:

DLS> 1.2.3.4 somehost.private

DLS> For some reason mysql is not "seeing" the DNS resolution.  Yes, DNS is 
DLS> really working as verified with nslookup for both forward and reverse 
DLS> records.

DLS> The version of mysqld I am running is:

DLS> /usr/libexec/mysqld  Ver 3.23.36 for redhat-linux-gnu on i386

DLS> Can someone provide some insight or suggestions?

Sure, there are some known problems with resolver on Linux.

First, you should not compile MySQL by yourself. A broken resolver is
one of the most common situations that happen when MySQL is
compiled incorrectly.

Second, there were a lot of fixes to the resolver part of MySQL since .36.

So you have to upgrade your server to MySQL 3.23.53 with MySQL
official binary release found at http://www.mysql.com/

That will help.







Re: Security

2002-10-19 Thread Paul DuBois
At 5:54 -0500 10/17/02, Terry & Cheryl Haimann wrote:

> I was reading a book at B&N yesterday which left me with the 
> impression that in MySQL you can do the following:

What book was this?

> Define a group with specific security access.
>
> Then define a list of users that inherit this group's security settings.
>
> Is this correct?  If so, will this work under the Windows version?
>
> Terry








Re: Security

2002-10-18 Thread Insanely Great
I believe it will work in Windows

Insane
- Original Message -
From: "Terry & Cheryl Haimann" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 17, 2002 4:24 PM
Subject: Security


> I was reading a book at B&N yesterday which left me with the impression
that in MySQL you can do the following:
>
> Define a group with specific security access.
>
> Then define a list of users that inherit this groups security settings.
>
> Is this correct?  If so, will this work under the Windows version?
>
> Terry
>
>
>






Re: security problem

2002-10-02 Thread Benjamin Pflugmann

Hello.

On Wed 2002-10-02 at 09:49:30 -0400, [EMAIL PROTECTED] wrote:
> Hi! I found a security bug on mysqlgui-win32-static-1.7.5-2. When I
> install it on my desktop (win2k), I setup a password for the
> database.

What does "setup a password for the database" mean? Passwords are not
per-database with MySQL, but per user.

> However, if I install the mysqlgui on any machine in the local
> network, I could access the database on my desktop (from any machine
> on the local network) without the password.

Because the password will be required, if you set it up this way,
IMHO, there are two possibilities:

1. The configuration of the server is broken and does not require a
   password as you think it does.

2. The GUI sends the correct password, therefore must know the correct
   password, therefore has somehow access to it. Maybe you have a
   shared Home in the local network and the GUI saved the password
   there? Whatever.

Regarding 1., try to connect with a different client and see what
happens.

Regarding 2., if this is true, you may view the way in which the GUI
shared the password, whatever the details are, as insecure, and you
probably have a point. I guess it is quite simple to tell the GUI not
to save the password between sessions. I don't know the details, because I do
not use this GUI.

Regards,

Benjamin.

-- 
[EMAIL PROTECTED]





Re: Security vulnerability

2002-10-01 Thread Sergei Golubchik

Hi!

On Oct 01, Plesk Support wrote:

> Any user in mysql can create as many databases as he wants.
> Create a user with 1 database, and let him create database with name
> "my_data_base". Log into mysql console as user and run command:
> 
> CREATE DATABASE "my?data?base";
> 
> New database will be created and user can create tables and use it as normal
> database. You can also create "my?data_base", "my_data?base", or try
> to use *,$, #, a-z, A-Z and other symbols instead of underlines "_" ...
> 
> I've just tried to log into MySQL console as usual non-privileged user with
> N,N,N,N... permissions in "mysql.user" and tried to create some base with
> other names -- no permissions error. However I COULD create 5 databases
> with names similar to "my_data_base"... I can operate them (as this 
> user) without
> problems. Seems like huge hole in our MySQL (or MySQL at all).

No, it is not.

As noted in the manual
("Access Control, Stage 2: Request Verification" section),
mysql.db and mysql.host tables accept
wildcards in Db and Host fields of either table.

We will add a note to GRANT section to make it more clear, thank you for
the hint.

Regards,
Sergei

-- 
MySQL Development Team
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, http://www.mysql.com/
/_/  /_/\_, /___/\___\_\___/  Osnabrueck, Germany
   <___/



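Sergei's explanation, that the Db column of mysql.db is a pattern, turned into the corresponding GRANT, its escaped form, and an audit query, as an added example (not code posted by any participant). my_data_base and 'user1'@'localhost' are placeholders.

```sql
-- Added example for this thread (not code posted by any participant).
-- my_data_base and 'user1'@'localhost' are placeholders.

-- The Db column of mysql.db is matched like a LIKE pattern: '_' stands for
-- any single character and '%' for any string. So this grant does not cover
-- one database but every name of that shape (my?data?base, my-data-base, ...),
-- and the grantee may CREATE any of them, which is what Plesk Support saw:
GRANT ALL PRIVILEGES ON `my_data_base`.* TO 'user1'@'localhost';

-- Escape the underscores so the stored pattern matches only that literal name:
REVOKE ALL PRIVILEGES ON `my_data_base`.* FROM 'user1'@'localhost';
GRANT ALL PRIVILEGES ON `my\_data\_base`.* TO 'user1'@'localhost';

-- What the server stored (the backslashes are kept in mysql.db):
SHOW GRANTS FOR 'user1'@'localhost';
--   GRANT ALL PRIVILEGES ON `my\_data\_base`.* TO 'user1'@'localhost'

-- Audit: database-level grants whose pattern still contains an unescaped
-- '_' or '%'. Escaped pairs are stripped first; REGEXP is used because in a
-- LIKE the two characters would be wildcards again.
SELECT Host, Db, User
  FROM mysql.db
 WHERE REPLACE(REPLACE(Db, '\\_', ''), '\\%', '') REGEXP '[_%]';
```

The same matching applies to the Host column, so a host pattern in a grant deserves the same second look.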


Re: Security: is 'root' truly neccessary?

2002-09-24 Thread Paul DuBois

At 16:53 -0700 9/24/02, Tom Emerson wrote:
>Being new to MySQL, it took a while to grok how "security" works.  Now that
>I have a bit of a better understanding, a mental "revelation" is coming to
>the surface of my mind: since "mysql" users are NOT unix/windows-domain
>"users", is the "root" user truly needed for a functional mysql environment?
>
>I do realize that there needs to be "some" user who essentially has all the
>grantable columns set to "Y" in the USER table, otherwise you could lose the
>ability to add or delete users, specify new databases, etc.  I'm thinking
>this "super user" could (should?) be identified by something such as "dba"
>or "admin" -- anything other than the name of "root".  This would avoid the
>[probable] security hole of using the "unix" password as the "mysql"
>password for the "root" user (something I suspect many people have done
>without realizing the implications) simply because there would be no "root"
>user.

The user name in the superuser accounts doesn't have to be named "root".
It could just as well be "powerless".

>
>I'm kind of guessing that one reason that the name "root" was chosen was
>because the command-line interface defaults the user name to your (unix)
>session name.  By pre-building a "root" user, the authors avoided the need
>to "teach" the use of the "-u" switch during the initial setup of mySql
>(which is good and bad: good because it is "one less thing" for a new mysql
>admin to have to learn, bad because new admins haven't even been introduced
>to the security system, so they are likely to use their actual "root"
>password because they haven't yet been informed that mysql-users <>
>unix-users...)




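How the rename Tom proposes was done in the MySQL of this period, as an added example (not code posted by any participant). 'dba' is the placeholder name for the renamed superuser; the statements edit the grant tables directly, the only way before RENAME USER arrived in MySQL 5.0.2.

```sql
-- Added example for this thread (not code posted by any participant).
-- 'dba' is the placeholder name for the renamed superuser.

-- See which rows make up the account first; a fresh 3.23/4.0 install
-- usually has 'root'@'localhost' and 'root'@'<this host name>'.
SELECT Host, User, Password = '' AS no_password
  FROM mysql.user WHERE User = 'root';

-- Rename every row and reload the in-memory copy of the grant tables.
UPDATE mysql.user SET User = 'dba' WHERE User = 'root';
FLUSH PRIVILEGES;

-- If root also held database- or table-level rows, rename those as well:
UPDATE mysql.db          SET User = 'dba' WHERE User = 'root';
UPDATE mysql.tables_priv SET User = 'dba' WHERE User = 'root';
FLUSH PRIVILEGES;

-- From now on the client has to be told the name, which is exactly the
-- point: the Unix login name no longer doubles as the MySQL name.
--   mysql -u dba -p
SHOW GRANTS FOR 'dba'@'localhost';
```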


Re: Security problem

2002-08-30 Thread Victoria Reznichenko

Daniel's,
Friday, August 30, 2002, 3:11:17 AM, you wrote:

DsL> *This message was transferred with a trial version of CommuniGate(tm) Pro*
DsL> I installed Mac OS X 10.2 this last weekend and since then I've been 
DsL> having some problems with the security on the MySQL files.  I thought 
DsL> that I had everything fixed, but now when my web users try and update 
DsL> or insert a record in one of my files, it doesn't actually update 
DsL> anything.  I've checked the mysql.log and mysql.err and there isn't any 
DsL> kind of error listed.   Selects work just fine.

Daniel, what version of MySQL do you use?
Did users get any error when they insert or update record? Or they
can't see new/updated record with SELECT statement?
Could you provide an example of failed query?








Re: Security question

2002-08-15 Thread Victoria Reznichenko

Mike,
Thursday, August 15, 2002, 12:45:06 AM, you wrote:

MH> Hi there,
MH> I posted this a few days ago and received no responses, so I thought I would
MH> post it again:

Mike, I answered you yesterday.

MH> Hi All;

MH> I am working on a front end to my database, but I am running into a bit of
MH> trouble. I have a user who has the proper privileges and grant option create
MH> other users, but I need to know this: can that user delete users he has
MH> created (or at least disable them), and can users change their own
MH> passwords? This is all being done for a VB front end, so I need to be able
MH> to do these things using SQL statements. Any help would be appreciated.

To create other users you must have UPDATE privilege on database
'mysql' and GRANT_priv. To delete users you must have DELETE_priv and
SELECT_priv (to use DELETE with WHERE clause) on the database 'mysql'.
But in this case user can delete any user from database 'mysql' not
only users that you created.

User can change his password just using mysqladmin

mysqladmin -u -p password 'new_password'

or SET statement:
  http://www.mysql.com/doc/en/Passwords.html






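The delegated user administration Victoria describes, written out as statements, as an added example (not code posted by any participant). 'frontend_admin'@'localhost', 'reporter'@'localhost' and the database appdb are placeholders; GRANT ... IDENTIFIED BY and SET PASSWORD ... = PASSWORD(...) are the syntax of this era (DROP USER, which replaces the DELETE statements, appeared in 4.1.1 and removes all privilege rows from 5.0.2 on).

```sql
-- Added example for this thread (not code posted by any participant).
-- 'frontend_admin'@'localhost', 'reporter'@'localhost' and database appdb
-- are placeholders. Everything up to the marked line is run by a full
-- administrator.

-- Let the delegate hand out SELECT/INSERT/UPDATE/DELETE on appdb (and
-- nothing else) to other accounts.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.*
  TO 'frontend_admin'@'localhost' IDENTIFIED BY 'change-me' WITH GRANT OPTION;

-- Creating accounts through GRANT needs INSERT on the mysql database, setting
-- passwords for others needs UPDATE, deleting needs DELETE (plus SELECT for
-- the WHERE clause), and FLUSH PRIVILEGES needs the global RELOAD privilege.
GRANT SELECT, INSERT, UPDATE, DELETE ON mysql.* TO 'frontend_admin'@'localhost';
GRANT RELOAD ON *.* TO 'frontend_admin'@'localhost';
-- Cost of this, beyond what Victoria notes: with UPDATE on mysql.user and
-- RELOAD, the delegate can rewrite any account including its own, so this
-- is effectively a second superuser, not a limited one.

-- ---- from here on, run as frontend_admin ----

-- Create a user (GRANT creates the account when it does not exist yet):
GRANT SELECT ON appdb.* TO 'reporter'@'localhost' IDENTIFIED BY 'r-secret';

-- Change another account's password:
SET PASSWORD FOR 'reporter'@'localhost' = PASSWORD('r-secret-2');

-- Remove an account: every grant table that can hold rows for it, then reload.
DELETE FROM mysql.user         WHERE User = 'reporter' AND Host = 'localhost';
DELETE FROM mysql.db           WHERE User = 'reporter' AND Host = 'localhost';
DELETE FROM mysql.tables_priv  WHERE User = 'reporter' AND Host = 'localhost';
DELETE FROM mysql.columns_priv WHERE User = 'reporter' AND Host = 'localhost';
FLUSH PRIVILEGES;

-- ---- run as any ordinary user, e.g. reporter ----
-- A user may change its own password with no privilege on mysql.*:
SET PASSWORD = PASSWORD('my-own-new-secret');
```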


Re: security

2002-07-27 Thread Benjamin Pflugmann

Hi.

On Fri 2002-07-26 at 15:24:58 -0300, [EMAIL PROTECTED] wrote:
>
> Why should I close port 3306 used by mysql? What would happen if a
> hacker use this port?

You should close it (as far as reasonable only, of course), simply,
because you lose nothing, but gain an additional layer a malicious
hacker has to overcome.

Where closing can mean to use --skip-networking, if you have only
local accesses, use a firewall to restrict connections to the local
net, or allow only some computers from the internet - depending on
your needs.

It is a general security measure to disallow anything which is not
explicitly needed, as far as the effort is reasonable regarding the
needs. It is irrelevant if there are known attack vectors or not.

That said, AFAICT, there are no known MySQL relevant weaknesses having
the port open. Of course, you get your usual share of risks, like weak
passwords, potential DoS, information leaking and so on, which have
nothing to do with MySQL per se.

Greetings,

Benjamin.

-- 
[EMAIL PROTECTED]





Re: security

2002-07-27 Thread Dicky Wahyu Purnomo

On Fri, 26 Jul 2002 15:24:58 -0300
Anderson Pereira Ataides <[EMAIL PROTECTED]> wrote:

> Why should I close port 3306 used by mysql? What would happen if a hacker use 
> this port?

Hmmm ... if you close port 3306, then where do you have mysqld LISTEN?

Well, if you are considering security ... you should implement "good" mysql 
privileges.

For example, if you are running mysql and it is only accessed locally / by localhost clients, you 
should never have granted access to a user coming from hosts besides "localhost".

So even if you just telnet to port 3306 from another computer, the connection will be refused 
:D

-- 
Let's call it an accidental feature.
-- Larry Wall
 
MySQL 3.23.51 : up 35 days, Queries : 355.724 per second (avg).

--
Dicky Wahyu Purnomo - System Administrator
PT FIRSTWAP : Jl Kapt. Tendean No. 34 - Jakarta Selatan (12790)
Phone : +62 21 79199577 - Web : http://1rstwap.com






Re: security

2002-07-27 Thread Paul DuBois

At 15:24 -0300 7/26/02, Anderson Pereira Ataides wrote:
>Why should I close port 3306 used by mysql? What would happen if a hacker use
>this port?

You may want to close it at your firewall, if you want to allow the server
to be used only by machines on the local side of the firewall.  That will
prevent anyone on the non-local side from connecting to the server and
possibly gaining access to your databases.

>
>Anderson Pereira Ataides






Re: security paranoia

2002-06-11 Thread Tonu Samuel



On Tue, 11 Jun 2002, MikeParton wrote:

> Where in the MySQL docs does it discuss  DES_ENCRYPT/DES_DECRYPT  support?
>
> Alternatively (and I am posting this to the php lists), anyone know where,
> or if, I can get pre-compiled libmcrypt library for php 4.2.1?

http://www.mysql.com/doc/M/i/Miscellaneous_functions.html ; in the middle of
the page you can find documentation about it.


I do not know if there is a ready library for PHP, but it is technically very
easy to load any .so library into PHP and use it from Linux. So if you
know the library you need then probably you can use it with dlopen() or
whatever this function name was.


   Tonu






Re: security paranoia

2002-06-11 Thread MikeParton

Where in the MySQL docs does it discuss  DES_ENCRYPT/DES_DECRYPT  support?

Alternatively (and I am posting this to the php lists), anyone know where,
or if, I can get pre-compiled libmcrypt library for php 4.2.1?

TIA




Re: security paranoia

2002-06-11 Thread Tonu Samuel



On Tue, 11 Jun 2002, Ray wrote:

> looking for something like
> encrypt(str, protected_str)
> and
> decrypt (crypt_str, private_str)
> and probably a make_key_pair()
>
> its not a vital part of my current project, but i'm sure someone will get
> cracked into (again) and then there will be another wave of secerity scares.
> (which again will die when they find out it was something silly like the
> employee who they where firing at the end of the week was the 'hacker')
>
> also, i can't seem to find much documentation on using ssl/x509 with mysql,
> anyone know of any good sites for this information?

ENCRYPT/DECRYPT are bad functions as they use some homemade algorithm.
Can't suggest using it. Use DES_ENCRYPT/DES_DECRYPT instead. And this is
the best MySQL has at the moment. These functions use the 3DES symmetric
encryption algorithm, so this is maybe not what you search for. But there
is nothing else, not counting the MD5() hash function.

MySQL supports SSL and X509 but for client-server connections. Any
documentation you find describes related items.
If you can provide exact idea what you want and sponsor this project I can write
patch for MySQL adding new functions which support asymmetric encryption
as you asked. But currently they won't exist there.

  Tonu




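The DES_ENCRYPT/DES_DECRYPT pair Tonu recommends (and that the manual page he points Mike to documents), shown in use as an added example; it is not code posted by any participant. It assumes MySQL 4.0.1 or later built with SSL support, without which both functions return NULL; the functions were removed in MySQL 8.0. The table, column, key string and the sample card number are constructed placeholders.

```sql
-- Added example for this thread (not code posted by any participant).
-- Assumes MySQL 4.0.1 or later compiled with SSL support (without it both
-- functions return NULL); they were removed in MySQL 8.0. Table, column,
-- key string and the sample value are constructed placeholders.

CREATE TABLE card_secret (
  id     INT AUTO_INCREMENT PRIMARY KEY,
  number BLOB NOT NULL            -- ciphertext is binary; keep it in a BLOB
);

-- Key passed inline as a string. 3DES is symmetric, so anyone who can read the
-- statement text (general query log, SHOW PROCESSLIST, application source)
-- has the key as well as the data.
INSERT INTO card_secret (number)
  VALUES (DES_ENCRYPT('4111111111111111', 'key-from-app-config'));

SELECT id, DES_DECRYPT(number, 'key-from-app-config') AS number FROM card_secret;

-- Alternative: keys live on the server in the file named by --des-key-file
-- and are referred to by number (0..9), so the key never appears in SQL.
INSERT INTO card_secret (number) VALUES (DES_ENCRYPT('4111111111111111', 1));

-- DES_DECRYPT without a key argument takes the key number from the first
-- byte of the ciphertext and reads the key file; this form requires the
-- SUPER privilege, so it is for administrators, not the web application.
SELECT id, DES_DECRYPT(number) AS number FROM card_secret WHERE id = 2;
```

Neither form gives the asymmetric encrypt-with-public / decrypt-with-private split Ray was looking for; what it does give is reversible storage with the key kept out of the table.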


Re: Security

2002-04-08 Thread Scalper

Since you are using a hosted database you probably can't change any of the 
security.  What I would do is create a table of usernames and passwords 
(and any other relevant user data).  When your users login, check their 
password and proceed accordingly.

Craig

At 02:44 AM 4/8/2002, you wrote:
>Hi
>
>
>Still fairly new to this and I'm using mysql-front for administration which
>makes life really easy. Anyway as I'm now adding tables etc should I be
>creating a new user to access them, I'm thinking of the web users, or can I
>use the default user set-up by my ISP
>
>
>Regards
>
>
>John Berman
>[EMAIL PROTECTED]
>
>







Re: Security

2002-04-08 Thread Van

John:

Since you host your application(s) with your ISP, don't worry about it.  It's a
useful and valid question, but you're not in a position to address it completely
while security is in control of someone beside yourself.

Look here to make yourself better educated about MySQL security:
http://www.mysql.com/doc/G/e/General_security.html

Simply stated:  If the host that has your data is not in a room/building that
you have control over (i.e.:  you have the keys), you can't have security.  But,
the above link will give you some logical security practices, regardless.

Regards,
Van
-- 
=
Linux rocks!!!   http://www.dedserius.com/
=
John Berman wrote:
> 
> Hi
> 
> Still fairly new to this and I'm using mysql-front for administration which
> makes life really easy. Anyway as I'm now adding tables etc should I be
> creating a new user to access them, I'm thinking of the web users, or can I
> use the default user set-up by my ISP
> 
> Regards
> 
> John Berman
> [EMAIL PROTECTED]





Re: [SECURITY] How do these blank passwords get into mysql.user?

2002-02-19 Thread Alexander Skwar

»Philip Mak« wrote on 2002-02-19 at 10:25:38 -0500:
> One thing's been bothering me for a while: When I create a user and
> database in MySQL, the user always ends up with an extra entry with
> host='%' and password=''. How is this happening? This is how I create
> a new database and user:
> 
> mysql> create database xxx;
> Query OK, 1 row affected (0.01 sec)
> 
> mysql> insert into user set host='localhost', user='xxx', password=password('yyy');

Here you set that the user "xxx" has the password yyy.

> mysql> grant all privileges on xxx.* to xxx;

Here you insert another user but don't set a password!

BTW:  You don't have to insert the user manually.  If you try to GRANT
access to a non-existing user, the user will be silently created.

Alexander Skwar
-- 
How to quote:   http://learn.to/quote (german) http://quote.6x.to (english)
Homepage:   http://www.iso-top.de  | Jabber: [EMAIL PROTECTED]
   iso-top.de - The inexpensive way to get Linux distributions
   Uptime: 6 days 9 hours 56 minutes





Re: [SECURITY] How do these blank passwords get into mysql.user?

2002-02-19 Thread Philip Mak

On Tue, Feb 19, 2002 at 04:39:10PM +0100, Peter Banik wrote:
> you should explicitly specify host/password in the GRANT statement, like
> this:
> 
> GRANT ALL ON xxx.* TO user@'localhost' IDENTIFIED BY 'password';
> FLUSH PRIVILEGES;
> 
> This way the user will only be granted access from the specified host, you
> don't need to manually INSERT into the user table.  (You'll also get rid
> of the empty passwords.)

Hmm, I just ran another experiment:

mysql> create database xxx;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on xxx to xxx;
Query OK, 0 rows affected (0.00 sec)

mysql> select host,user,password from user where user='xxx';
+------+------+----------+
| host | user | password |
+------+------+----------+
| %    | xxx  |          |
+------+------+----------+
1 row in set (0.00 sec)

So if I execute a GRANT statement without specifying a password, and
MySQL decides that it needs to create a new user for this (host,user)
pair, then it will create it with blank password!

This seems to be insecure default behavior to me. I wonder if it would
be better to change MySQL such that it will not create a user with
blank password like this unless "IDENTIFIED BY ''" is explicitly
specified?





Re: [SECURITY] How do these blank passwords get into mysql.user?

2002-02-19 Thread Peter Banik


Philip,

you should explicitly specify host/password in the GRANT statement, like
this:

GRANT ALL ON xxx.* TO user@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;

This way the user will only be granted access from the specified host, you
don't need to manually INSERT into the user table.  (You'll also get rid
of the empty passwords.)

Peter

On Tue, 19 Feb 2002, Philip Mak wrote:

> One thing's been bothering me for a while: When I create a user and
> database in MySQL, the user always ends up with an extra entry with
> host='%' and password=''. How is this happening? This is how I create
> a new database and user:
>
> mysql> create database xxx;
> Query OK, 1 row affected (0.01 sec)
>
> mysql> insert into user set host='localhost', user='xxx', password=password('yyy');
> Query OK, 1 row affected (0.03 sec)
>
> mysql> flush privileges;
> Query OK, 0 rows affected (0.00 sec)
>
> mysql> grant all privileges on xxx to xxx;
> Query OK, 0 rows affected (0.03 sec)
>
> mysql> grant all privileges on xxx.* to xxx;
> Query OK, 0 rows affected (0.00 sec)
>
> mysql> flush privileges;
> Query OK, 0 rows affected (0.00 sec)
>
> mysql> select host,user,password from user where user='xxx';
> +-----------+------+------------------+
> | host      | user | password         |
> +-----------+------+------------------+
> | %         | xxx  |                  |
> | localhost | xxx  | 66debff13dff1053 |
> +-----------+------+------------------+
> 2 rows in set (0.00 sec)
>
> What did I do wrong to cause these users with blank passwords to be
> created (essentially opening me wide to the outside)? My MySQL version
> is 3.23.47. It's worked fine after I delete the extra row in the user
> table manually, but this could be dangerous to someone who doesn't
> notice it!
>

-- 
GPG ID  D40940EC
FPR 89CC E331 FFD0 3138 9CB2  FE0D 122E 9EC9 D409 40EC







RE: Security concerns on webserver with PHP & InnoDB

2002-02-18 Thread Peter Lovatt



> -Original Message-
> From: BD [mailto:[EMAIL PROTECTED]]
> Sent: 18 February 2002 21:31
> To: [EMAIL PROTECTED]
> Subject: Security concerns on webserver with PHP & InnoDB
>
>
> I'm creating a web application with MySQL, PHP, InnoDB and I need to know
> whether I should split the one large table into 3 different tables with
> different user privileges defined on each table.
>
> As it stands now, the user logs in by entering a username & pw
> and this is
> checked against a membership table. If it is found, the PHP script grants
> him access to certain PHP forms that allows him to insert rows to the
> NewTable, browse the PublicTable, and delete/insert/update rows from the
> PrivateTable. The actual MySQL username/pw for the database is
> stored in an
> include file which the PHP script loads when generating the page. So
> currently everyone is using the same MySQL username/pw and the PHP script
> controls access to the various forms depending on the security level the
> person has in the membership table.
>
> The data I'm concerned about is stored in 1 large table (up to 1 million
> rows) and there is a rcd_type field to indicate whether the record is
> Public, Private, New.  I currently only have 1 MySQL web related user
> defined and it has Select, Insert, Update, Delete privileges to
> this table.
> The PHP script creates an SQL statement with the rcd_type field set to
> filter the records so he can only see, insert, update records of
> that type.
> Access to the tables are controlled through the PHP scripts.
>
> Here's are the questions.
> 1) Security Question
> Should I split up the large table into 3 tables and assign these
> privileges
> to them: PublicTable (ReadOnly), PrivateTable (read/write/delete) and
> NewTable (Insert). I'm concerned that even though the single username/pw
> I'm using now is hidden from the user and the user has no way to
> update the
> SQL statements that accesses the tables, is it really necessary
> to further
> restrict access to prevent the user somehow updating or deleting rows in
> the Public table? In other words, has anyone had their PHP website
> compromised by someone finding a backdoor into the database by
> circumventing their PHP scripts?

Be afraid, be very afraid.

Even if you are not paranoid they probably ARE out to get you :)

Seriously, depends to some degree how much risk you want to/can afford to
carry. You need to balance this against the extra work.

Users are often the weakest link. Odds on some user will use 'john' and
'john' as username and password, or something similar. If John has delete
privileges, and some script kiddie feels like trying their luck, then
disaster could be close.

If you want to be secure,  I would suggest the following :-

1.  MySql access only by localhost
2.  If you are on shared hosting make sure php is in safe mode (I think that
is the correct term, I am not an expert). If it is not, other php users on
the host can view your config files.
3.  Pass only a (complex) sessionID as identity and relate this to userID
using php/mysql internally. If userid (the value the system uses to identify
the user ) is passed then it may be spoofable.
4.  Don't give anybody else an account on the server itself, this is the most
likely source of a backdoor attack.
5.  User login by SSL connection - avoids sniffers picking up usernames and
passwords
6.  Generate secure passwords for the users, rather than letting them set
their own
7.  Lock users out after 3 failed logins
8.  Put a short time out on the session
9.  Verify that the user is allowed to execute the sql that they are
executing before you execute it
10. Screen user input for illegal characters. php4 backslashes
automatically, though this can be disabled, php3 does not. This could allow
the user to add a ';' and then another sql statement on their text.
11. Don't echo errors - it can reveal table and field names which helps a
hacker.
12. Use unusual table and field names 'Users' and 'username' and 'password'
are guessable table and field names, 'X_1_users' is harder.
13. Encrypt passwords stored in the database - if you do have a break in it
limits damage, otherwise all password would have to be reset.

You may have already done all this, but thought I'd list them anyway.


>
> 2) Speed Question
> Now if I were using MyISAM tables then I'd be forced to split it
> up into 3
> tables because the table locks would hamper the read requests of
> the Public
> rows. But I'm using InnoDb so is there any speed advantage in producing 3
> different tables? Using 3 tables will of course mean more work
> because I'll
> need to manipulate the PHP code to generate the different login
> username/pw
> and also alter the table name in the sql statement for the 3 tables based
> on the type of user. (The 3 tables will of course have the same structure
> and I can probably get away with reusing the same PHP Update form for the
> Priv

Re: Security hole in mysqlhotcopy?

2001-12-29 Thread Bogdan Stancescu

Ooops! Sorry, I tested it and it doesn't work! Sorry for misleading you... ;-)

Bogdan

Bogdan Stancescu wrote:

> mysqlhotcopy -uroot -p test .
>
> Philip Mak wrote:
>
> > On Sun, 30 Dec 2001, Bogdan Stancescu wrote:
> >
> > > You can usually try providing an empty -p parameter and be asked for the
> > > password afterwards.
> >
> > Doesn't seem to work:
> >






Re: Security hole in mysqlhotcopy?

2001-12-29 Thread Bogdan Stancescu

mysqlhotcopy -uroot -p test .

Philip Mak wrote:

> On Sun, 30 Dec 2001, Bogdan Stancescu wrote:
>
> > You can usually try providing an empty -p parameter and be asked for the
> > password afterwards.
>
> Doesn't seem to work:
>
> [mysql@lina mysql]$ mysqlhotcopy -u root -p "" test .
> DBI->connect(;host=localhost;mysql_read_default_group=mysqlhotcopy)
> failed: Access denied for user: 'root@localhost' (Using password: NO) at
> /usr/local/mysql/bin/mysqlhotcopy line 161
> [mysql@lina mysql]$ mysqlhotcopy -u root -p test .
> DBI->connect(;host=localhost;mysql_read_default_group=mysqlhotcopy)
> failed: Access denied for user: 'root@localhost' (Using password: YES) at
> /usr/local/mysql/bin/mysqlhotcopy line 161
>






Re: Security hole in mysqlhotcopy?

2001-12-29 Thread Philip Mak

On Sun, 30 Dec 2001, Bogdan Stancescu wrote:

> You can usually try providing an empty -p parameter and be asked for the
> password afterwards.

Doesn't seem to work:

[mysql@lina mysql]$ mysqlhotcopy -u root -p "" test .
DBI->connect(;host=localhost;mysql_read_default_group=mysqlhotcopy)
failed: Access denied for user: 'root@localhost' (Using password: NO) at
/usr/local/mysql/bin/mysqlhotcopy line 161
[mysql@lina mysql]$ mysqlhotcopy -u root -p test .
DBI->connect(;host=localhost;mysql_read_default_group=mysqlhotcopy)
failed: Access denied for user: 'root@localhost' (Using password: YES) at
/usr/local/mysql/bin/mysqlhotcopy line 161






Re: Security hole in mysqlhotcopy?

2001-12-29 Thread Bogdan Stancescu

You can usually try providing an empty -p parameter and be asked for the
password afterwards.

Bogdan

Philip Mak wrote:

> As far as I can tell, mysqlhotcopy does not provide a way of specifying
> the password anywhere other than the command line (e.g. it doesn't seem
> to read .my.cnf).






Re: Security problem in Access database

2001-11-28 Thread Carl Troein


Jack writes:

> 1. What should i do if i want to limit the user which can only edit the
> record belongs to him/her. i mean user can only update to his own record but
> not the others!!

This sort of security is best handled at the application level. If
you don't want your users to access the database directly, only
relying on the database's user system is usually not a good and/or
feasible solution.

> 2. Is there anyway that the PHP can pass the Windows Domain Username and
> password to Mysql's User table?

Well, if you can get them from somewhere I'm sure it wouldn't be
too hard to add users to MySQL. The question is just how you would
get them. Even Windows doesn't store its passwords in plaintext, so
you'd have to either a) obtain the passwords from elsewhere, in which
case you could just as well get the usernames from elsewhere too, or
b) crack the users' passwords, and if you can do that that easily
you could just as well not use passwords at all.

I guess the real solution would be to modify MySQL to use a Windows
box to authenticate its users. I'm not sure what's been going on
with Kerberos and stuff like that lately, but it ought to be possible
to add this feature to MySQL. Unless you can pay someone to do it,
I guess you'd have to do it yourself, though.

> 3. I had made a login page for the user, but when the user input the password
> which I assigned to her, it prompted incorrect password; then later on I found
> out that the user table's password field had been encrypted. So what can I do if
> I want to make a login page for the user where the password will be able to match
> the password in Mysql.User table.

See 1.

//C - hungry

-- 
 Carl Troein - Círdan / Istari-PixelMagic - UIN 16353280
 [EMAIL PROTECTED] | http://pixelmagic.dyndns.org/~cirdan/
 Amiga user since '89, and damned proud of it too.



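Craig's suggestion earlier in this archive (an application-level table of usernames and passwords that the login page checks), Peter Lovatt's points 3, 7, 10 and 13 (session ids instead of user ids, lockout after three failures, screening input, storing passwords encrypted) and Jack's question above about matching an "encrypted" password field all come together in one login routine. What follows is an added example written for this page, not code from any poster; it uses Python's standard-library sqlite3 as a stand-in for the MySQL membership table, and the table name, the column names, the PBKDF2 work factor and the 15-minute lockout period are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
import time

MAX_FAILURES = 3            # point 7: lock the account after three failed logins
LOCKOUT_SECONDS = 15 * 60   # assumption: how long a lockout lasts
PBKDF2_ROUNDS = 100_000     # assumption: work factor for the stored hash


def hash_password(password: str, salt: bytes = b"") -> str:
    """Point 13: store a salted PBKDF2 hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored: str, password: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Hashed for unknown usernames too, so response time does not reveal which names exist.
DUMMY_HASH = hash_password("not-a-real-account")


def open_db() -> sqlite3.Connection:
    """Application-level membership table (constructed, in-memory sqlite)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE members ("
        " username TEXT PRIMARY KEY, pwhash TEXT NOT NULL,"
        " failures INTEGER NOT NULL DEFAULT 0, locked_until REAL NOT NULL DEFAULT 0)"
    )
    return db


def add_member(db, username: str, password: str) -> None:
    db.execute("INSERT INTO members (username, pwhash) VALUES (?, ?)",
               (username, hash_password(password)))


def new_session_id() -> str:
    """Point 3: hand the browser an unguessable session id, never the user id."""
    return secrets.token_urlsafe(32)


def login(db, username: str, password: str, now=None) -> str:
    """Returns 'ok', 'locked' or 'denied'.  Every query is parameterized, so a
    username containing quotes or ';' is just a name that does not exist (point 10)."""
    now = time.time() if now is None else now
    row = db.execute("SELECT pwhash, failures, locked_until FROM members WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        verify_password(DUMMY_HASH, password)
        return "denied"
    pwhash, failures, locked_until = row
    if locked_until > now:
        return "locked"
    if verify_password(pwhash, password):
        db.execute("UPDATE members SET failures = 0, locked_until = 0 WHERE username = ?",
                   (username,))
        return "ok"
    failures += 1
    locked_until = now + LOCKOUT_SECONDS if failures >= MAX_FAILURES else 0.0
    db.execute("UPDATE members SET failures = ?, locked_until = ? WHERE username = ?",
               (failures, locked_until, username))
    return "locked" if locked_until else "denied"


if __name__ == "__main__":
    db = open_db()
    add_member(db, "john", "correct horse battery staple")
    for attempt in ("john", "john", "john", "correct horse battery staple"):
        print(login(db, "john", attempt))          # denied, denied, locked, locked
    print(login(db, "john' OR '1'='1", "x"))       # denied: the quote is just data
```

The membership table never sees the MySQL account the PHP scripts connect with; that one stays in the include file, and the web user only ever gets a session id from `new_session_id()` after `login()` returns `'ok'`.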



Re: Security using ODBC

2001-08-24 Thread Sommai Fongnamthip

try driver vbmysql.dll at www.icarz.com/mysql/index.html

SF

At 16:00 24/8/2001 +0800, Jason Kwok wrote:
>Hi,
>
> I want to write a program with VB on a win98 box and connect to mySQL in
>Linux. I think the only way to do it is to connect thru ODBC with myODBC. But
>with using ODBC, all ID & password is given when setting up the DSN. And
>this means everyone using this computer could access the mySQL server with
>the given right! And this also means I couldn't use my program to control
>the security of mySQL.
>
> I don't think this is true! But please tell me what should I do to avoid
>this, or what have I missed?
>
>==
>
>Best Regards
>Jason Kwok
>==
>
>
>






Re: Security problem with 3.23.38

2001-08-01 Thread Michael Widenius


Hi!

> "Sinisa" == Sinisa Milivojevic <[EMAIL PROTECTED]> writes:

Sinisa> Robert Cross writes:
>> 
>> I've got a weird problem with 3.23.38, built from source, running on RedHat
>> v6.2 (Intel). Put simply the wildcard character for user access doesn't
>> work. From my reading of the docs any of the following:
>> 
>> grant all on mtdb.* to user1 identified by "bozo1";
>> grant all on mtdb.* to user2@"%" identified by "bozo2";
>> 
>> should allow the specified users access to the mtdb database from any host
>> (assuming that they can input the password correctly!).
>> 
>> Well - it doesn't work. Unless I GRANT for each user on each system that
>> they are likely to use they can't get in and get error 1045 - access
>> denied.
>> 
>> Am I doing something terminally stupid, is there something wrong with my
>> build, or is it a bug?
>> 
>> Ta
>> 
>> Bob Cross.

Sinisa> Hi!

Sinisa> Try first granting USAGE on *.* to both users with 'identified by ...'
Sinisa> and then try granting database rights. 

grant all on mtdb.* to user2@"%" identified by "bozo2";

Should be enough to give the user full access to the mtdb database, if
there is no user2 entry that is more specific for the user/host
combination.

Roger, what error do you get when you try to connect as user2 ?
The error message itself should tell us exactly what is wrong.
(This is documented in the 'Access denied' section of the MySQL manual)

Regards,
Monty







Re: Security problem with 3.23.38

2001-07-30 Thread Sinisa Milivojevic

Robert Cross writes:
> 
> 
> I wrote:
> >Try first granting USAGE on *.* to both users with 'identified by ...'
> >and then try granting database rights.
> 
> Thanks Sinisa, that works perfectly. I've now got a wonderful small and
> fast database
> that I can let the users into!
> 
> Bob Cross.

You are welcome.

-- 
Regards,
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /Mr. Sinisa Milivojevic <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__   MySQL AB, FullTime Developer
/_/  /_/\_, /___/\___\_\___/   Larnaca, Cyprus
   <___/   www.mysql.com





Re: Security problem with 3.23.38

2001-07-30 Thread Robert Cross



I wrote:
>> I've got a weird problem with 3.23.38, built from source, running on
>> RedHat v6.2 (Intel). Put simply the wildcard character for user access doesn't
>> work. From my reading of the docs any of the following:
>>  grant all on mtdb.* to user1 identified by "bozo1";
>>  grant all on mtdb.* to user2@"%" identified by "bozo2";
>> should allow the specified users access to the mtdb database from any
>> host (assuming that they can input the password correctly!).
>> Well - it doesn't work. Unless I GRANT for each user on each system that
>> they are likely to use they can't get in and get error 1045 - access
>> denied.
Mr. Sinisa Milivojevic replied:
>Try first granting USAGE on *.* to both users with 'identified by ...'
>and then try granting database rights.

Thanks Sinisa, that works perfectly. I've now got a wonderful small and
fast database
that I can let the users into!

Bob Cross.








Re: Security problem with 3.23.38

2001-07-30 Thread Sinisa Milivojevic

Robert Cross writes:
> 
> I've got a weird problem with 3.23.38, built from source, running on RedHat
> v6.2 (Intel). Put simply the wildcard character for user access doesn't
> work. From my reading of the docs any of the following:
> 
>  grant all on mtdb.* to user1 identified by "bozo1";
>  grant all on mtdb.* to user2@"%" identified by "bozo2";
> 
> should allow the specified users access to the mtdb database from any host
> (assuming that they can input the password correctly!).
> 
> Well - it doesn't work. Unless I GRANT for each user on each system that
> they are likely to use they can't get in and get error 1045 - access
> denied.
> 
> Am I doing something terminally stupid, is there something wrong with my
> build, or is it a bug?
> 
> Ta
> 
> Bob Cross.

Hi!

Try first granting USAGE on *.* to both users with 'identified by ...'
and then try granting database rights. 


-- 
Regards,
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /Mr. Sinisa Milivojevic <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__   MySQL AB, FullTime Developer
/_/  /_/\_, /___/\___\_\___/   Larnaca, Cyprus
   <___/   www.mysql.com





RE: Security problems - Very Newbie!

2001-07-14 Thread Chris Bolt

> C:\>mysql grant all on *.* to administrator@sara identified by "delboy"

Try this:

C:\>mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 463668 to server version: 3.23.39-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> grant all on *.* to administrator@sara identified by "delboy";
Query OK, 0 rows affected (0.01 sec)






Re: Security

2001-07-10 Thread Michael Tam

Hi Mark,

Thanks for the suggestion.  I do realize it is better to use Linux
instead; however, my question is, with the setup and OS I am currently
using, how do I go about tidying up the security a bit.

Best regards,
Michael

- Original Message -
From: "md" <[EMAIL PROTECTED]>
To: "Michael Tam" <[EMAIL PROTECTED]>
Sent: Tuesday, July 10, 2001 12:00 PM
Subject: Re: Security


> Your first security problem is using Microsoft NT/2000.  Switch to linux
> 2.2.18/+ as a solution.
>
> Mark
>
> Michael Tam wrote:
> >
> > Hi all,
> >
> > This may not be directly related to the topic but I think people on
> > this list may be able to give me some ideas.
> >
> > I am not really keen on security issues and would like to ask the
> > following questions:
> >
> > I have 2 win2k pcs, one directly connected to the internet (say PC A) and
> > PC B is connected with PC A as a local network. Then, I have a webserver and DSN
> > to MySQL on PC A and MySQL on PC B.
> >
> > 1) If MySQL is bound to localhost only ( i.e. default setup with root
> > account and my new password ), then would it be secure enough since the only
> > access point is from PC A???
> >
> > 2) Any pre-caution I should take in order to prevent illegal access
> > to MySQL through PC A ??
> >
> > Thank you very much.
> >
> > Best regards,
> > Michael
>





Re: Security

2001-06-20 Thread Benjamin Pflugmann

Hello.

On Wed, Jun 20, 2001 at 12:36:28PM +0100, [EMAIL PROTECTED] wrote:
> Hi folks,
> 
> How come I can access databases on my server using an illegal username and
> password combination with the MySQL GUI? The username and password are valid
> on the server but should only work on localhost and I am on a remote
> machine.

It shouldn't be possible. Without further information, two
possibilities come to my mind:

- The server allows access for the user@host you are connecting with,
  so either
  + you use another username as you think you are using
( you can check this with SELECT USER() )
  + the server allows remote connections for that username
( check the ACL's you have installed )

- You use something like ssh-tunneling to connect to your server and
  therefore the connection seems to come from the server (the end of
  the tunnel).

Bye,

Benjamin.






Re: Security, ownership and daemon startup

2001-05-10 Thread William Goedicke

Dear Y'all - 

Paul DuBois writes:

 > At 9:53 AM -0400 5/9/01, Brian Cuttler wrote:
 > >
 > >The developers that want to use the database would like ownership
 > >of the files and daemon so that they can modify and restart at will.
 > 
 > Tell them to pick one of their accounts to be used for running the server.

You should also look into a security utility called "sudo"
http://www.courtesan.com/sudo/.  It allows you to provide and revoke
additional authorizations to particular users and to log their
activities when using those extra privileges.  This allows you to
leave the mysql stuff under the ownership of a non-user account and
manage all the access business rules via the sudo config file.

This worked great for me; I hope it helps you.

 Yours -  Billy





Re: Security, ownership and daemon startup

2001-05-09 Thread Paul DuBois

At 9:53 AM -0400 5/9/01, Brian Cuttler wrote:
>Hello,
>
>We are installing MySQL 3.22.21 as pre-built for IRIX, installing
>on IRIX 6.5.7m.
>
>The developers that want to use the database would like ownership
>of the files and daemon so that they can modify and restart at will.

Tell them to pick one of their accounts to be used for running the server.


>
>I need to know if its safe to open access and if so, which files
>should (an individual or group) be given.

It will be as safe as any other program that one of these individuals
runs.  Since you're installing a pre-built distribution, change the
ownership of all the files in that distribution to the account that
will be used to run the server.

>
>By same I'm meaning from the system point of view, I would like to
>warn the developers of any problems they may run into at the development
>level but can't take responsibility for those issues if they do
>request control after being warned.

That's a bit hard to parse, but if I understand you correctly, they
shouldn't have any particular problems as long as they understand what's
involved in administering a MySQL installation.

>
>So, can I turn over ownership safely ? Which files ?

See above.

>
>   thanks in advance,
>
>   Brian
>---
>Brian R Cuttler [EMAIL PROTECTED]
>Computer Systems Support(v) 518 486-1697
>Wadsworth Center(f) 518 473-6384
>NYS Department of HealthHelp Desk 518 473-0773


-- 
Paul DuBois, [EMAIL PROTECTED]





Re: Security

2001-04-09 Thread Lindsay Adams

On 4/9/01 10:12 AM, "Burke Patrick" <[EMAIL PROTECTED]> wrote:

> Hi Lindsay,
> 
> maybe you can help me?
> 
> I am trying to give a user SELECT access to just one table in my database.
> If I don't give him SELECT privileges in the mysql.user table or mysql.db
> table, he cannot even login to the database. - Well he can when I do a
> GRANT USAGE statement.
> 
> If I give him SELECT privileges in the user table or the db table, he can
> SELECT from all tables in my database.
> 
> How can I get around this?
> 
> regards
> Patrick
> 

Okay, to grant select on one table in one database, use the following
(quote the user and the host separately; a single quoted string such as
'username@host' is taken as the whole user name):

GRANT SELECT ON database.table TO 'username'@'host' IDENTIFIED BY 'password';

So, if you only want to grant select access to user joeblow on the clothing
table in a merchandise database, and you want that user to be able to log in
from ANY computer in the world, then you have:

GRANT SELECT ON merchandise.clothing TO 'joeblow'@'%' IDENTIFIED BY 'password';

The database.table section uses * as the wildcard,
so to grant select on all tables in one database, you would use:
GRANT SELECT ON merchandise.* TO ...

To grant select on ALL databases use:
GRANT SELECT ON *.* TO ...

The user@host section uses % as a wildcard.

So to grant a specific user, connecting from any machine in a certain
domain:
user@%.domain.com

Or, anyone on a .net domain: user@%.net

Or anyone on the private subnet 192.168.10:
user@192.168.10.%

Or any user at any domain %@%

Then of course, you can expand the GRANT statement to include column level
privs.
From the online manual: http://www.mysql.com/doc/G/R/GRANT.html


GRANT priv_type [(column_list)] [, priv_type [(column_list)] ...]
ON {tbl_name | * | *.* | db_name.*}
TO user_name [IDENTIFIED BY 'password']
[, user_name [IDENTIFIED BY 'password'] ...]
[WITH GRANT OPTION]

The problem with using inserts and updates on the mysql database is you
might put something in the wrong place, and open your security up and not
even realize it.

For restrictive access, use grant, because you will get it right quicker.
To allow only table level access, then ALL privs in the user table should be
'N'

You really have to read up and understand how mysql 'falls' through the
security tables.

By setting something to Y in the user table, that means that that user has
global right to do that priv on all databases and tables. MySQL stops right
there and says, okay, you are allowed. If it sees an 'N', then it checks
other tables.

Read the security chapter in the books multiple times. Over and over, and it
will start to sink in.
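An added worked example (not from the original post) of the table-level and column-level grants described above, followed by a look at where GRANT puts the rows and an audit query for the "global 'Y' in the user table" trap. It assumes a MySQL of the era discussed (GRANT ... IDENTIFIED BY), a database merchandise with a table clothing that has columns sku and price, and a throwaway account joeblow; all of these are made-up names.

```sql
-- Added example, not part of the original post. Assumes database
-- merchandise.clothing (columns sku, price) and a throwaway user joeblow.

-- One table, read-only, from any host. User and host are quoted separately.
GRANT SELECT ON merchandise.clothing TO 'joeblow'@'%' IDENTIFIED BY 'password';

-- Same privilege, but only from one private subnet (% is the host wildcard).
GRANT SELECT ON merchandise.clothing
   TO 'joeblow'@'192.168.10.%' IDENTIFIED BY 'password';

-- Column-level: the any-host account may read only two columns.
GRANT SELECT (sku, price) ON merchandise.clothing TO 'joeblow'@'%';

-- Where GRANT recorded this: the account exists in mysql.user with every
-- global privilege 'N', so the server falls through to the table-level rows.
SELECT Host, User, Select_priv FROM mysql.user WHERE User = 'joeblow';
SELECT Host, Db, User, Table_name, Table_priv, Column_priv
  FROM mysql.tables_priv WHERE User = 'joeblow';
SHOW GRANTS FOR 'joeblow'@'%';

-- Audit: a 'Y' in mysql.user is global and short-circuits every db/table
-- check, so for a restrictive setup this query should return no rows.
SELECT Host, User
  FROM mysql.user
 WHERE User <> 'root'
   AND 'Y' IN (Select_priv, Insert_priv, Update_priv, Delete_priv,
               Create_priv, Drop_priv, Reload_priv, Shutdown_priv,
               Process_priv, File_priv, Grant_priv, References_priv,
               Index_priv, Alter_priv);
```

No FLUSH PRIVILEGES is needed after GRANT; it is only required after editing the grant tables directly with INSERT or UPDATE.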







Re: Security

2001-04-09 Thread Van

"Ashley M. Kirchner" wrote:
> 
> Okay, I'm about to rip my hair out trying to figure this out, and I
> thought before I start looking for a gun, maybe I should ask..
> 
> I need someone to explain the 'mysql' database to me.  I've tried
> reading about it, tried different settings, but I'm lost.  So far I've
> just been adding users and db's to the 'db' and 'user' tables, but
> something tells me that's not all there is to it.
> 
> What are the other tables for?  And how's about adding a user that
> can only access (and change) their DB (assigned by me), and/or adding a
> (different) user that can create their own DB(s), yet not muck with
> anything else on the entire (mysql) system (and screw up other users).
> 
> I'm willing to entertain even more literature if that's easiest to
> point me to, but like I said, I've gone through the online docs, I've
> checked other resources online, and I'm still lost.
> 
> AMK4
> 
Ashley:

mysqladmin create phil

USE mysql;

INSERT INTO user (Host, User, Password, Select_priv, Insert_priv, Update_priv,
Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv,
File_priv, Grant_priv, References_priv, Index_priv, Alter_priv) VALUES
('localhost', 'phil', PASSWORD('password'), 'N', 'N', 'N', 'N', 'N', 'N', 'N',
'N', 'N', 'N', 'N', 'N', 'N', 'N');

INSERT INTO db (Host, Db, User, Select_priv,
Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Grant_priv,
References_priv, Index_priv, Alter_priv) VALUES ('localhost', 'phil', 'phil',
'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'N', 'Y', 'Y', 'Y');

mysqladmin reload

Of course you can use the grant command, too, but this works better for me. 
Note that the db privs don't give this user (Phil) grant privs.

Regards,
Van
-- 
=
Linux rocks!!!   http://www.dedserius.com
=





Re: Security

2001-04-09 Thread Steve Brazill


There's some good documentation (a lot of it in the form of 'warnings') on
security aspects of the "mysql" database.


http://mysql.com/documentation/mysql/bychapter/manual_Privilege_system.html#Privilege_system

But, here's some quick notes:
Anyone who has 'modify' permissions to the "mysql" database can modify
ANYTHING in it (and grant the same ability to anyone else).

I use different usernames for different databases (excluding the "mysql" one)
to ensure that each user only has access to the database the username appears
for (in the "db" table).

User "yubbyuser" has an entry in "db" only for "yubbydb" database.
User "dubbyuser" has an entry in "db" only for "dubbydb" database.

If you want to do the same for the "mysql" database,  you might have to have
multiple "instances" of MySQL running.  With each 'instance' controlling a
different 'user' (or project) database,  allowing you to enable the user in
each 'instance' to have access to the "mysql" database,  which keeps them out
of the other 'instances' (and the other "mysql" databases).   Make sure that
the passwords for "root" and other users are different in each 'instance'...

I haven't made use of the "host" or "columns_priv" tables yet,  but am using
"tables_priv" to give additional "create" and "drop" access to 'temporary'
tables to the 'web user' (which, if they didn't have it, can't create
temporary tables) only for those files (and not the ability to 'drop' every
table in the database).

Good Luck...

"Ashley M. Kirchner" wrote:

> Okay, I'm about to rip my hair out trying to figure this out, and I
> thought before I start looking for a gun, maybe I should ask..
>
> I need someone to explain the 'mysql' database to me.  I've tried
> reading about it, tried different settings, but I'm lost.  So far I've
> just been adding users and db's to the 'db' and 'user' tables, but
> something tells me that's not all there is to it.
>
> What are the other tables for?  And how's about adding a user that
> can only access (and change) their DB (assigned by me), and/or adding a
> (different) user that can create their own DB(s), yet not muck with
> anything else on the entire (mysql) system (and screw up other users).
>
> I'm willing to entertain even more literature if that's easiest to
> point me to, but like I said, I've gone through the online docs, I've
> checked other resources online, and I'm still lost.
>
> AMK4
>



Re: Security

2001-04-09 Thread Ashley M. Kirchner

"Thalis A. Kalfigopoulos" wrote:

> I haven't read Mysql's authorization mechanism from Paul's book, but from the
> Oreilly book and it was pretty comprehensive and intuitive. I suggest you borrow that
> book from your local library or buy it.

Ya, it's already on its way...(the book that is).


> Before you pull the trigger, I also suggest you remember to always do a 'mysqladmin
> reload' after every change you make to the mysql database, because otherwise you
> won't be able to see the changes you make. This has caused me lots of pain in the
> beginning.

Reloading (or flushing privileges) isn't the problem (well, it was when I first 
started a while back), that I've learned.  It's just how to set users up properly, 
etc., etc.

AMK4

--
W |
  |  I haven't lost my mind; it's backed up on tape somewhere.
  |
  ~
  Ashley M. Kirchner    .   303.442.6410 x130
  SysAdmin / Websmith   . 800.441.3873 x130
  Photo Craft Laboratories, Inc. .eFax 248.671.0909
  http://www.pcraft.com  . 3550 Arapahoe Ave #6
  .. .  .  . .   Boulder, CO 80303, USA







Re: Security

2001-04-09 Thread Lindsay Adams

Ashley,

Are you using the GRANT statement?

That is the easiest way to get it right.

Read up on the GRANT SQL statement. Look at the examples...
Using regular inserts into the mysql database can cause improper input into
the tables, which can (from personal experience) cause mysqld to not run.

It goes through a sanity check on start up, relating to security, and will
not start, until the mysql database is replaced with a clean secure one.

If you think you are pulling your hair out now, wait till this event occurs.

Read up on GRANT, and stop using INSERT.
Once you understand GRANT, you will see that it is much easier to add
privileges all the way down to the column level.



On 4/9/01 9:38 AM, "Ashley M. Kirchner" <[EMAIL PROTECTED]> wrote:

> 
>   Okay, I'm about to rip my hair out trying to figure this out, and I
> thought before I start looking for a gun, maybe I should ask..
> 
>   I need someone to explain the 'mysql' database to me.  I've tried
> reading about it, tried different settings, but I'm lost.  So far I've
> just been adding users and db's to the 'db' and 'user' tables, but
> something tells me that's not all there is to it.
> 
>   What are the other tables for?  And how's about adding a user that
> can only access (and change) their DB (assigned by me), and/or adding a
> (different) user that can create their own DB(s), yet not muck with
> anything else on the entire (mysql) system (and screw up other users).
> 
>   I'm willing to entertain even more literature if that's easiest to
> point me to, but like I said, I've gone through the online docs, I've
> checked other resources online, and I'm still lost.
> 
>   AMK4
> 
> --
> W |
> |  I haven't lost my mind; it's backed up on tape somewhere.
> |
> ~
> Ashley M. Kirchner    .   303.442.6410 x130
> SysAdmin / Websmith   . 800.441.3873 x130
> Photo Craft Laboratories, Inc. .eFax 248.671.0909
> http://www.pcraft.com  . 3550 Arapahoe Ave #6
> .. .  .  . .   Boulder, CO 80303, USA
> 
> 
> 
> 





