Re: When to create a new user?

2015-08-23 Thread Jan Steinman
 From: Richard Reina gatorre...@gmail.com
 
 I am writing a web application... As new users sign up for
 the application should each get their own MySQL username and password or is
 it okay to execute their queries with the same (one generic) MySQL username
 and password?

As others have said, it sounds like one SQL user.

Think of MySQL users as roles, rather than users. Segregate these roles 
according to how much trust you have in the user behind the role, and how much 
damage that role could perform.

You may want a separate MySQL user that can only INSERT, for example, but 
without DELETE permission.

 Be a light, not a judge. Be a model, not a critic. Be part of the 
solution, not part of the problem. -- Stephen R. Covey
 Jan Steinman, EcoReality Co-op 


--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql



Re: When to create a new user?

2015-08-19 Thread Jim

On 8/19/2015 9:24 AM, Reindl Harald wrote:


On 19.08.2015 at 15:18, Jim wrote:

On 8/19/2015 8:40 AM, Reindl Harald wrote:


On 19.08.2015 at 14:29, Richard Reina wrote:

I am writing a web application in perl that will create, edit, update and
delete data from a MySQL database. I have written a perl module that will
manage the connections (issue database handles). As new users sign up for
the application should each get their own MySQL username and password or is
it okay to execute their queries with the same (one generic) MySQL username
and password?


one generic for the application

since you normally never ever should connect as root to your application
it doesn't even have the permissions to add mysql-users

how would you even imagine working with a usertable on your application's
side which is for every user different - chicken/egg


One generic, non-admin user is what you'll find in most apps.

Some developers take the approach of creating several users based on
level of operation and least privilege, particularly for public facing
scripts.

So, for example, if the operation is to delete data, that might be one
user. Perhaps there is some very sensitive data in the environment and
you'll create a given user for accessing that data and no other user has
access to that data.

Each user is given no greater access than is required based on the
intent of that user.

Then the given script connects with the appropriate user here.

Of course, you should program against and have defenses for db-related
vulnerabilities like SQL-injection, but the thinking with the multiple
users is if you had a script that was vulnerable to some exploit, the
damage would be limited to the privileges of the mysql user used to
connect to your database. It's a bit harder to manage and requires some
more planning up front, but it adds to damage control in case of a db
related exploit. You'd make this call based on how sensitive and
important your data is and how much effort you are willing to put into
the planning and design.


yes, but what has all this to do with "As new users sign up for the
application" and creating their own mysql-user for each application user?



OP's question was generic on when to create db users. I provided an 
alternative (arguably more secure for public facing scripts) to a single 
user per app... again... depends on the value of the data and level of 
programming effort.


Read it; don't read it; use it or don't. It's more information and adds 
to the education of anyone interested. If not used now, there might be a 
future case or someone else reading this that might consider the approach.






Re: When to create a new user?

2015-08-19 Thread Reindl Harald


On 19.08.2015 at 15:18, Jim wrote:

On 8/19/2015 8:40 AM, Reindl Harald wrote:


On 19.08.2015 at 14:29, Richard Reina wrote:

I am writing a web application in perl that will create, edit, update and
delete data from a MySQL database. I have written a perl module that will
manage the connections (issue database handles). As new users sign up for
the application should each get their own MySQL username and password or is
it okay to execute their queries with the same (one generic) MySQL username
and password?


one generic for the application

since you normally never ever should connect as root to your application
it doesn't even have the permissions to add mysql-users

how would you even imagine working with a usertable on your application's
side which is for every user different - chicken/egg


One generic, non-admin user is what you'll find in most apps.

Some developers take the approach of creating several users based on
level of operation and least privilege, particularly for public facing
scripts.

So, for example, if the operation is to delete data, that might be one
user. Perhaps there is some very sensitive data in the environment and
you'll create a given user for accessing that data and no other user has
access to that data.

Each user is given no greater access than is required based on the
intent of that user.

Then the given script connects with the appropriate user here.

Of course, you should program against and have defenses for db-related
vulnerabilities like SQL-injection, but the thinking with the multiple
users is if you had a script that was vulnerable to some exploit, the
damage would be limited to the privileges of the mysql user used to
connect to your database. It's a bit harder to manage and requires some
more planning up front, but it adds to damage control in case of a db
related exploit. You'd make this call based on how sensitive and
important your data is and how much effort you are willing to put into
the planning and design.


yes, but what has all this to do with "As new users sign up for the
application" and creating their own mysql-user for each application user?






Re: When to create a new user?

2015-08-19 Thread Jim

On 8/19/2015 8:40 AM, Reindl Harald wrote:


On 19.08.2015 at 14:29, Richard Reina wrote:

I am writing a web application in perl that will create, edit, update and
delete data from a MySQL database. I have written a perl module that will
manage the connections (issue database handles). As new users sign up for
the application should each get their own MySQL username and password or is
it okay to execute their queries with the same (one generic) MySQL username
and password?


one generic for the application

since you normally never ever should connect as root to your application
it doesn't even have the permissions to add mysql-users

how would you even imagine working with a usertable on your application's
side which is for every user different - chicken/egg



One generic, non-admin user is what you'll find in most apps.

Some developers take the approach of creating several users based on 
level of operation and least privilege, particularly for public facing 
scripts.


So, for example, if the operation is to delete data, that might be one 
user. Perhaps there is some very sensitive data in the environment and 
you'll create a given user for accessing that data and no other user has 
access to that data.


Each user is given no greater access than is required based on the 
intent of that user.


Then the given script connects with the appropriate user here.

Of course, you should program against and have defenses for db-related 
vulnerabilities like SQL-injection, but the thinking with the multiple 
users is if you had a script that was vulnerable to some exploit, the 
damage would be limited to the privileges of the mysql user used to 
connect to your database. It's a bit harder to manage and requires some 
more planning up front, but it adds to damage control in case of a db 
related exploit. You'd make this call based on how sensitive and 
important your data is and how much effort you are willing to put into 
the planning and design.


Jim
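The per-operation accounts Jim describes above, and the INSERT-only account Jan Steinman suggests elsewhere in this thread, as an added example in MySQL SQL. This is not code from any poster; the database name `travelapp`, the table names, the account names, the host pattern and the placeholder passwords are all assumptions for illustration.

```sql
-- Constructed example: one database, three MySQL accounts, each holding
-- only the privileges the script that uses it needs. None of them has
-- GRANT OPTION or CREATE USER, so the application itself cannot add
-- MySQL users (the point Reindl makes about never connecting as root).
CREATE USER 'webapp_rw'@'10.0.0.%'    IDENTIFIED BY 'CHANGE-ME-1';
CREATE USER 'webapp_log'@'10.0.0.%'   IDENTIFIED BY 'CHANGE-ME-2';
CREATE USER 'webapp_purge'@'10.0.0.%' IDENTIFIED BY 'CHANGE-ME-3';

-- Public-facing request handlers: read, create and edit trip records.
-- No DELETE, no DDL, and no access to tables the handlers do not use.
GRANT SELECT, INSERT, UPDATE ON travelapp.trips TO 'webapp_rw'@'10.0.0.%';
GRANT SELECT                 ON travelapp.users TO 'webapp_rw'@'10.0.0.%';

-- Audit-trail writer: append-only. It can neither read back nor alter
-- what it wrote, which is the INSERT-only role Jan describes.
GRANT INSERT ON travelapp.audit_log TO 'webapp_log'@'10.0.0.%';

-- Deletion lives in a separate, non-public maintenance script that is
-- the only thing ever connecting with this account.
GRANT SELECT, DELETE ON travelapp.trips TO 'webapp_purge'@'10.0.0.%';

-- Verify what each account can actually do before deploying it.
SHOW GRANTS FOR 'webapp_rw'@'10.0.0.%';
SHOW GRANTS FOR 'webapp_log'@'10.0.0.%';
SHOW GRANTS FOR 'webapp_purge'@'10.0.0.%';

-- Damage control in practice: if a page handler connected as webapp_rw
-- is tricked into running a DELETE, the server refuses it:
--   DELETE FROM travelapp.trips;
--   ERROR 1142 (42000): DELETE command denied to user
--   'webapp_rw'@'<client host>' for table 'trips'
```

The connection module then hands out handles by role rather than by application user: page handlers get a `webapp_rw` handle, the logging path gets `webapp_log`, and only the scheduled cleanup job ever sees the `webapp_purge` credentials. Re-run `SHOW GRANTS` whenever a script's duties change, since the protection only holds while each account stays as narrow as the script using it.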





When to create a new user?

2015-08-19 Thread Richard Reina
I am writing a web application in perl that will create, edit, update and
delete data from a MySQL database. I have written a perl module that will
manage the connections (issue database handles). As new users sign up for
the application should each get their own MySQL username and password or is
it okay to execute their queries with the same (one generic) MySQL username
and password?

Thanks


Re: When to create a new user?

2015-08-19 Thread Reindl Harald


On 19.08.2015 at 14:29, Richard Reina wrote:

I am writing a web application in perl that will create, edit, update and
delete data from a MySQL database. I have written a perl module that will
manage the connections (issue database handles). As new users sign up for
the application should each get their own MySQL username and password or is
it okay to execute their queries with the same (one generic) MySQL username
and password?


one generic for the application

since you normally never ever should connect as root to your application 
it doesn't even have the permissions to add mysql-users


how would you even imagine working with a usertable on your application's 
side which is for every user different - chicken/egg






Re: When to create a new user?

2015-08-19 Thread James Moe

On 08/19/2015 05:29 AM, Richard Reina wrote:
 As new users sign up for the application should each get their own 
 MySQL username and password or is okay to execute their queries 
 with the same (one generic) MySQL username and password?
 
  That is rather vague.
  What data is stored for each user?
  What are these queries that a user may perform?

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936



Re: When to create a new user?

2015-08-19 Thread James Moe

On 08/19/2015 10:06 AM, Richard Reina wrote:
 Data stored for each user would be a list of places visited and
 details relating to those trips. The type of queries they would
 be able to perform: read, update and create new records.
 
  I see no reason to create a unique user account for this use case.
Each user's data goes into a single table, and a view based on the
user's ID would restrict data access for each user.

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
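The single-table layout James Moe suggests above, as an added example in MySQL SQL that is not part of the thread. The table, its columns and the sample user id are constructed. One caveat worth knowing before reaching for a view: a MySQL view definition cannot refer to user-defined variables, so with one generic MySQL account the per-user filter cannot be parameterised inside a view; it has to be bound into every statement the application runs, which is what this example shows.

```sql
-- Constructed schema: every user's trips live in one table, keyed by the
-- application's own user id (not a MySQL account).
CREATE TABLE trips (
  trip_id    INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user_id    INT UNSIGNED NOT NULL,
  place      VARCHAR(200) NOT NULL,
  visited_on DATE         NOT NULL,
  notes      TEXT,
  INDEX (user_id)
) ENGINE=InnoDB;

-- Sample rows for two users (constructed).
INSERT INTO trips (user_id, place, visited_on, notes) VALUES
  (42, 'Lisbon',    '2015-05-02', 'Tram 28'),
  (42, 'Porto',     '2015-05-05', NULL),
  (77, 'Reykjavik', '2015-06-10', 'Northern lights');

-- The user id comes from the application's authenticated session, never
-- from the request body, and is bound as a parameter. The SQL text itself
-- stays constant, which is the SQL-injection defence the thread mentions.
SET @uid = 42;

PREPARE read_trips FROM
  'SELECT trip_id, place, visited_on, notes
     FROM trips WHERE user_id = ? ORDER BY visited_on';
EXECUTE read_trips USING @uid;       -- returns only user 42's two rows

-- Writes carry the same ownership check. If trip 3 belongs to user 77,
-- this statement matches 0 rows rather than touching another user's data.
PREPARE update_trip FROM
  'UPDATE trips SET notes = ? WHERE trip_id = ? AND user_id = ?';
SET @notes = 'Rain all week', @trip = 3;
EXECUTE update_trip USING @notes, @trip, @uid;   -- Rows matched: 0

DEALLOCATE PREPARE read_trips;
DEALLOCATE PREPARE update_trip;
```

Perl DBI placeholders do the same thing client-side: `$dbh->prepare('... WHERE user_id = ?')` followed by `execute($uid)`. A view over `trips` is still useful for hiding columns, but row isolation per application user has to come from the bound `user_id` condition on every SELECT, UPDATE and INSERT; if a per-user view is wanted without that, MySQL only offers `CURRENT_USER()`, which maps rows to MySQL accounts and so brings back the one-account-per-user design the rest of the thread argues against.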