RE: The Security of MySQL

2003-02-28 Thread Dyego Souza do Carmo
Replying,
Thursday, February 27, 2003, 13:32:39, Original Message:

AN> Are you using Windows?  If so, this root/mysql user talk will be
AN> meaningless.  You can still make the directory secure and only touchable
AN> by the user that mysql is running as.  Is this what you need?

Nope, the security I want is to "protect the DATA of tables" with a
password or encryption mode...


Functions like ENCODE and DECODE are very useful for this, but the
ENCODE('STRING','PASSWORD') is visible if log-update is enabled.
The MySQL developer TEAM needs to "MASQ" the ENCODE and DECODE
functions so they do not print the PASSWORD in the log-update file... if this works, the
security of DATA in MySQL is very good.


Is this possible?


My System is MySQL 4.0.11-PRO/InnoDB on Linux/Windows :)

-
  ++  Dyego Souza do Carmo   ++   Dep. Desenvolvimento   
-
 E S C R I B A   I N F O R M A T I C A
-
The only stupid question is the unasked one (somewhere in Linux's HowTo)
Linux registred user : #230601
--ICQ   : 221602060
$ look into "my eyes" Phone : +55 041 296-2311  r.112
look: cannot open my eyes Fax   : +55 041 296-6640
-
   Reply: [EMAIL PROTECTED]



-
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/   (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php



RE: The Security of MySQL

2003-02-27 Thread Adam Nelson
Are you using Windows?  If so, this root/mysql user talk will be
meaningless.  You can still make the directory secure and only touchable
by the user that mysql is running as.  Is this what you need?



> -Original Message-
> From: Dyego Souza do Carmo [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, February 26, 2003 12:13 PM
> To: [EMAIL PROTECTED]
> Subject: The Security of MySQL
> 
> 
> 
> 
> I'm using MySQL-Pro+InnoDB 4.0.11 and i have a BIG problem...
> My users is "hacking the database" because the MySQL system tables are
> stored in .MYD format and to "hack database" is simple , only rename
> the database and "copy" the blank database... restart MySQL and the
> permissions is FULL FOR ALL USERS...
> 
> 
> Exists in MySQL routines to ENCRYPT tables ? or the data inside tables
> ?
> 
> the functions like ENCODE and DECODE print a "password" in log file (
> IN CLEAR TEXT) and this is terrible for me !
> 
> Exists the PASSWORD on CREATE TABLE STATEMENT but i'm using and is
> same without the clause.
> 
> 
> Please MySQL-Team and users... The security of MySQL is too simple ?
> only rename and the database is "opened for world" ?
> 
> please help in advance ;)
> 
> 
> Tanks 
> Tanks very much 
> 
> 
> 
> 
> sql,query,innodb,mysql
> 
> 
> 
> 
> --
> ---
>   ++  Dyego Souza do Carmo   ++   Dep. Desenvolvimento   
> --
> ---
>  E S C R I B A   I N F O R M A T I C A
> --
> ---
> The only stupid question is the unasked one (somewhere in 
> Linux's HowTo)
> Linux registred user : #230601
> --ICQ   : 221602060   
>  
> $ look into "my eyes" Phone : +55 041 
> 296-2311  r.112
> look: cannot open my eyes Fax   : +55 041 
> 296-6640
> --
> ---
>Reply: [EMAIL PROTECTED]
> 
> 
> 







Re: The Security of MySQL

2003-02-27 Thread Fred van Engen
Hi Dyego,

On Wed, Feb 26, 2003 at 04:04:36PM -0300, Dyego Souza do Carmo wrote:
> MM> You should use the filesystem security your operating system provides to
> MM> prevent common users from copying the database files. The directory that 
> MM> the database files resides in only needs to allow access by the user 
> MM> that the MySQL server is running as. If you do this, only users who know 
> MM> the MySQL user's password can 'copy' the databases.
> 
> I work with notary officers on "brazil" ... and my product i sell ! , the "users"
> (competitors) can be "copy" my system to sell to other users... this
> is terrible to my software house... the MySQL is not prepared for this
> ?
> 
> exists the method to secure a table with "password" ? or the secure is
> only the filesystem permissions ?
> 

Securing a table with a password or even using encryption would make
things more difficult for your "users" but by no means impossible.

You give them the application that contains the password or encryption
key. They just need to find it in your application then, which is more
difficult but not impossible.

Sue them! (that's what copyright laws are for)


Regards,

Fred.

-- 
Fred van Engen  XB Networks B.V.
email: [EMAIL PROTECTED]Televisieweg 2
tel: +31 36 5462400 1322 AC  Almere
fax: +31 36 5462424 The Netherlands




Re: The Security of MySQL

2003-02-26 Thread gerald_clark
If your customers have root access to their machine, then there is no 
security, nor can there be.

Dyego Souza do Carmo wrote:

> MM> You should use the filesystem security your operating system provides to
> MM> prevent common users from copying the database files. The directory that
> MM> the database files resides in only needs to allow access by the user
> MM> that the MySQL server is running as. If you do this, only users who know
> MM> the MySQL user's password can 'copy' the databases.
>
> I work with notary officers on "brazil" ... and my product i sell ! , the "users"
> (competitors) can be "copy" my system to sell to other users... this
> is terrible to my software house... the MySQL is not prepared for this
> ?
> exists the method to secure a table with "password" ? or the secure is
> only the filesystem permissions ?
>
> -
>  ++  Dyego Souza do Carmo   ++   Dep. Desenvolvimento
> -
> E S C R I B A   I N F O R M A T I C A
> -
> The only stupid question is the unasked one (somewhere in Linux's HowTo)
> Linux registred user : #230601
> --ICQ   : 221602060
> $ look into "my eyes" Phone : +55 041 296-2311  r.112
> look: cannot open my eyes Fax   : +55 041 296-6640
> -
>   Reply: [EMAIL PROTECTED]





Re: The Security of MySQL

2003-02-26 Thread Dyego Souza do Carmo
MM> You should use the filesystem security your operating system provides to
MM> prevent common users from copying the database files. The directory that 
MM> the database files resides in only needs to allow access by the user 
MM> that the MySQL server is running as. If you do this, only users who know 
MM> the MySQL user's password can 'copy' the databases.

I work with notary officers in Brazil, and I sell my product! The "users"
(competitors) can "copy" my system to sell to other users... this
is terrible for my software house... Is MySQL not prepared for this?

Is there a method to secure a table with a "password"? Or is the security
only the filesystem permissions?




-
  ++  Dyego Souza do Carmo   ++   Dep. Desenvolvimento   
-
 E S C R I B A   I N F O R M A T I C A
-
The only stupid question is the unasked one (somewhere in Linux's HowTo)
Linux registred user : #230601
--ICQ   : 221602060
$ look into "my eyes" Phone : +55 041 296-2311  r.112
look: cannot open my eyes Fax   : +55 041 296-6640
-
   Reply: [EMAIL PROTECTED]






Re: The Security of MySQL

2003-02-26 Thread gerald_clark
If the databases are owned by mysql.mysql, how can this happen?
You don't allow users to become the mysql user, do you?

Dyego Souza do Carmo wrote:

> I'm using MySQL-Pro+InnoDB 4.0.11 and i have a BIG problem...
> My users is "hacking the database" because the MySQL system tables are
> stored in .MYD format and to "hack database" is simple , only rename
> the database and "copy" the blank database... restart MySQL and the
> permissions is FULL FOR ALL USERS...
> Exists in MySQL routines to ENCRYPT tables ? or the data inside tables
> ?
> the functions like ENCODE and DECODE print a "password" in log file (
> IN CLEAR TEXT) and this is terrible for me !
> Exists the PASSWORD on CREATE TABLE STATEMENT but i'm using and is
> same without the clause.
> Please MySQL-Team and users... The security of MySQL is too simple ?
> only rename and the database is "opened for world" ?
> please help in advance ;)
>
> Tanks
> Tanks very much
>
> sql,query,innodb,mysql
>
> -
>  ++  Dyego Souza do Carmo   ++   Dep. Desenvolvimento
> -
> E S C R I B A   I N F O R M A T I C A
> -
> The only stupid question is the unasked one (somewhere in Linux's HowTo)
> Linux registred user : #230601
> --ICQ   : 221602060
> $ look into "my eyes" Phone : +55 041 296-2311  r.112
> look: cannot open my eyes Fax   : +55 041 296-6640
> -
>   Reply: [EMAIL PROTECTED]





Re: The Security of MySQL

2003-02-26 Thread Manuel Kiessling
Dyego Souza do Carmo wrote:

> Tanks
> Tanks very much

uh, we have war already??



(sorry couldn't resist)
--
 Manuel Kiessling


sql,query,innodb,mysql



RE: The Security of MySQL

2003-02-26 Thread John Griffin
Hi,

The problem is not with MySQL. The problem is with the users having access to the 
database files. Lock up the directory that the files are stored in so that only user 
MySQL and the administrator (root) can access them. Also, revoke the privileges of any 
user, other than MySQL and the administrator, to start or stop the MySQL server 
process. If it is possible, remove all user access to the box your database is running 
on.

John Griffin

-Original Message-
From: Dyego Souza do Carmo [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 12:13 PM
To: [EMAIL PROTECTED]
Subject: The Security of MySQL




I'm using MySQL-Pro+InnoDB 4.0.11 and i have a BIG problem...
My users is "hacking the database" because the MySQL system tables are
stored in .MYD format and to "hack database" is simple , only rename
the database and "copy" the blank database... restart MySQL and the
permissions is FULL FOR ALL USERS...


Exists in MySQL routines to ENCRYPT tables ? or the data inside tables
?

the functions like ENCODE and DECODE print a "password" in log file (
IN CLEAR TEXT) and this is terrible for me !

Exists the PASSWORD on CREATE TABLE STATEMENT but i'm using and is
same without the clause.


Please MySQL-Team and users... The security of MySQL is too simple ?
only rename and the database is "opened for world" ?

please help in advance ;)


Tanks 
Tanks very much 




sql,query,innodb,mysql




-
  ++  Dyego Souza do Carmo   ++   Dep. Desenvolvimento   
-
 E S C R I B A   I N F O R M A T I C A
-
The only stupid question is the unasked one (somewhere in Linux's HowTo)
Linux registred user : #230601
--ICQ   : 221602060
$ look into "my eyes" Phone : +55 041 296-2311  r.112
look: cannot open my eyes Fax   : +55 041 296-6640
-
   Reply: [EMAIL PROTECTED]






Re: The Security of MySQL

2003-02-26 Thread Mark Matthews
Dyego Souza do Carmo wrote:

> I'm using MySQL-Pro+InnoDB 4.0.11 and i have a BIG problem...
> My users is "hacking the database" because the MySQL system tables are
> stored in .MYD format and to "hack database" is simple , only rename
> the database and "copy" the blank database... restart MySQL and the
> permissions is FULL FOR ALL USERS...
> Exists in MySQL routines to ENCRYPT tables ? or the data inside tables
> ?
> the functions like ENCODE and DECODE print a "password" in log file (
> IN CLEAR TEXT) and this is terrible for me !
> Exists the PASSWORD on CREATE TABLE STATEMENT but i'm using and is
> same without the clause.
> Please MySQL-Team and users... The security of MySQL is too simple ?
> only rename and the database is "opened for world" ?
> please help in advance ;)

You should use the filesystem security your operating system provides to 
prevent common users from copying the database files. The directory that 
the database files resides in only needs to allow access by the user 
that the MySQL server is running as. If you do this, only users who know 
the MySQL user's password can 'copy' the databases.

	-Mark

-- 
MySQL 2003 Users Conference -> http://www.mysql.com/events/uc2003/

For technical support contracts, visit https://order.mysql.com/?ref=mmma

__  ___ ___   __
   /  |/  /_ __/ __/ __ \/ /  Mark Matthews <[EMAIL PROTECTED]>
  / /|_/ / // /\ \/ /_/ / /__ MySQL AB, Full-Time Developer - JDBC/Java
 /_/  /_/\_, /___/\___\_\___/ Flossmoor (Chicago), IL USA
<___/ www.mysql.com
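
The filesystem lockdown recommended in this thread, as an added example that is not part of any poster's message: a POSIX shell audit that lists every path under the data directory that is not owned by the server account or that grants any access to group or other, plus a helper that strips that access. The `/var/lib/mysql` path and the `mysql` account name are assumptions; as noted elsewhere in the thread, none of this constrains a user who has root on the machine.

```shell
#!/bin/sh
# Added example (not from the thread): audit and tighten a MySQL data
# directory so that only the server's own account can reach the table files.

# List every non-symlink path under DIR ($1) that is not owned by OWNER ($2)
# or that grants any read/write/execute bit to group or other.
list_exposed() {
    find "$1" ! -type l \( ! -user "$2" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Exit status: 0 = locked down, 1 = exposed paths found, 2 = bad argument.
audit_datadir() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    exposed=$(list_exposed "$dir" "$owner")
    [ -z "$exposed" ] && return 0
    echo "$exposed" | sed 's/^/EXPOSED: /'
    return 1
}

# Remove all group/other access. Fixing ownership (chown -R) needs root
# and is left to the administrator.
lock_datadir() {
    chmod -R go-rwx "$1"
}

# Usage: sh audit.sh /var/lib/mysql mysql   (path and account are assumptions)
if [ "$#" -ge 1 ]; then
    audit_datadir "$1" "${2:-mysql}"
fi
```

A non-zero exit from `audit_datadir` makes the script usable as a cron or deployment check; OWNER may be given as a numeric uid as well as a name.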