What you are asking for is exactly what DEFINER security does. The
application owner grants appuser the right to execute the procedure,
but not to SELECT from any tables. The procedure is then run with the
security attributes of the definer of the procedure, the application
owner, even though
When creating a stored procedure, you can set the sql security
characteristic to either definer or invoker. As an example, I have a
stored procedure that does a select from a table, and an application user
(appuser) that calls the stored procedure. If the sql security is set to
invoker, then
If it's a DoS attack then perhaps you should be speaking to your ISP and
getting that resolved rather than trying to work around the problem on
your side of things!
Having said that, you could possibly impose host level restrictions in
MySQL, but that could be a lot of work to modify your exis
Title: Security Question
Hi All --
I have been a member of this list for a while but I actually have a question that I can't answer.
MySQL v4.1.14-nt on Win2k3 Server
I've got someone who is trying to get in, but I have locked it down. Methods used include, but are not limite
[EMAIL PROTECTED] wrote:
MySQL has moved WELL past the 3.23.x lineage and is getting close to
retiring the 4.0.x lineage (it's only a rumor). So I suggest you update
Not completely a rumor; on August 2, Heikki wrote: "As far as I know,
one release of 4.0 will still be built."
Considering th
I agree with you,
I will upgrade.
Thanks for the advice.
On 8/16/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
>
> Alejandro <[EMAIL PROTECTED]> wrote on 08/16/2005 03:01:59 PM:
>
>
> > Hi,
> >
> > I have installed binary mysql version 3.23.58 downloaded from
> www.mysql.org.
>
Alejandro <[EMAIL PROTECTED]> wrote on 08/16/2005 03:01:59 PM:
> Hi,
>
> I have installed binary mysql version 3.23.58 downloaded from
www.mysql.org.
> The changelog in the documentation says that the release is from
> September 2003 and the security bug is in March 2005.
> What can I do ? How
Hi,
I have installed binary mysql version 3.23.58 downloaded from www.mysql.org.
The changelog in the documentation says that the release is from
September 2003 and the security bug is in March 2005.
What can I do? How does mysql provide updates?
Thanks!!
=
Security info:
http://cve.mitre.or
Hi!
On Nov 27, DeBug wrote:
> >>>- Someone copies the DB files to another box, starts a mysql
> >>>instance, loads the DB and presto - views the 'private' data !!!
> >>>
>
> PD> Sure. That's why you establish filesystem level access privileges so that
> PD> only the mysql user can copy them in t
>>>- Someone copies the DB files to another box, starts a mysql
>>>instance, loads the DB and presto - views the 'private' data !!!
>>>
PD> Sure. That's why you establish filesystem level access privileges so that
PD> only the mysql user can copy them in the first place.
Some DBMSs allow to setu
erver would not be too significant?
Best regards,
Andy
> -Original Message-
> From: Curley, Thomas [mailto:[EMAIL PROTECTED]
> Sent: 26 November 2003 13:22
> To: [EMAIL PROTECTED]
> Subject: RE: Security Question
> Importance: High
>
>
> thanks for reply - the r
At 03:21 PM 11/26/2003, you wrote:
If someone can copy your database files, you're hosed. All the attacker
need do is start the server with --skip-grant-tables, and he can
connect to it with no password, and has complete access to any files
managed by the server.
Paul & Curley,
At 16:13 -0500 11/26/03, Kevin Carlson wrote:
Curley, Thomas wrote:
I am trying to find a solution to the following security issue with
MySql DB on linux
- Someone copies the DB files to another box, starts a mysql
instance, loads the DB and presto - views the 'private' data !!!
As all the ot
Curley, Thomas wrote:
I am trying to find a solution to the following security issue with MySql DB on linux
- Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!!
As all the other posters have mentioned, you should have ti
At 07:22 AM 11/26/2003, you wrote:
Another Assumption
--
Encrypting / decrypting all data on the fly would be too expensive and
grind the app to a halt
Not true. There are some databases that can encrypt records on the fly
without any speed degradation (< 1%) using either Blowfis
Stefan Kuhn wrote:
To the chap who said it's not a DB issue - I will check with Oracle but I'm
sure that dropping in a directory in oracle will not give you full access
to a database (a clear one that is)
The chap was me :-) I'm sure it does on oracle. Once you have an Oracle
installation and
Hi!
On Nov 26, Curley, Thomas wrote:
> thanks for reply - the requirement comes from a security audit - so
> try to think in terms of a hacker
>
> Obviously and (I had assumed)
> 1.- the files would have tight unix security file permissions
> applied
> 2.- indeed the key would be stored o
Hacker gets in this way:
->[Webserver][rooted]->[DBServer][rooted]->File_Access(/var/lib/mysql/database)
I'd say the "major security breach" is already when the Webserver is rooted.^
If he gets to your webserver he could still read WHATEVER DATA he wants from
your database with the information he
> To the chap who said it's not a DB issue - I will check with Oracle but I'm
> sure that dropping in a directory in oracle will not give you full access
> to a database (a clear one that is)
The chap was me :-) I'm sure it does on oracle. Once you have an Oracle
installation and got hold of all da
On Wednesday 26 November 2003 13:43, Curley, Thomas wrote:
> Mike
>
> Correct and this is the architecture. The internet facing box has a
> routable IP, the DB box is separate and is not ext routable.
>
> The issue the security review highlighted strongly was the fact that if a
> hacker got access
EMAIL PROTECTED]
Sent: 26 November 2003 13:36
To: Curley, Thomas; [EMAIL PROTECTED]
Subject: RE: Security Question
One of the first things that I did at my former job was to turn off all
external-facing network adapters to our DB machines. If you're fortunate
enough that your DB resides on it
g location, the more
roadblocks you put between a potential hacker and your sensitive data, the
better.
-M
-Original Message-
From: Curley, Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 8:22 AM
To: [EMAIL PROTECTED]
Subject: RE: Security Question
Importance: High
t
Thomas
>
>
>
>
>
>
> -Original Message-
> From: Fagyal, Csongor [mailto:[EMAIL PROTECTED]
> Sent: 26 November 2003 12:51
> To: Curley, Thomas
> Cc: [EMAIL PROTECTED]
> Subject: Re: Security Question
>
>
> Thomas,
>
> >I am trying to find a sol
On Wednesday 26 November 2003 13:22, Curley, Thomas wrote:
> Another Assumption
> --
> Encrypting / decrypting all data on the fly would be too expensive and
> grind the app to a halt
>
> So the question again :-
>
> Any ideas on how to avoid having data files stored with abso
solution to this then MySql should not be used on internet accessible
boxes for dynamic web sites
Thomas
-Original Message-
From: Fagyal, Csongor [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 12:51
To: Curley, Thomas
Cc: [EMAIL PROTECTED]
Subject: Re: Security Question
Thomas
Thomas,
I am trying to find a solution to the following security issue with MySql DB on linux
- Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!!
Well, "someone" should not have access rights to the DB files on the
firs
I am trying to find a solution to the following security issue with MySql DB on linux
- Someone copies the DB files to another box, starts a mysql instance, loads the DB
and presto - views the 'private' data !!!
Ideally I would like to know if there is any option in MySql to store the DB files i
The mysql docs, in the security section, warns of special
characters encoded in dynamic urls. IE., %27 (`'`). Is
there a hazard with the string '%27' being in the database?
Or is this just another case of protecting against the
insertion of the `'` character? In other words, if I
am already escapin
Hello,
Think that we have a database named DATABASE1, and table named TABLE1, and fields named FIELD1, FIELD1,FIELD2,FIELD3,FIELD4
You want to give a specific permission to a user named USER1
For ex, you give only SELECT permission to USER1 for FIELD1 and FIELD4 in TABLE1 and DATABASE1.
At 7:53 -0800 3/3/03, Nicole Lallande wrote:
Greetings,
I have been working with a software provider whose software db
configuration uses the default mysql installation (ie, root, no
password). They contend that since the mysql server itself is not
shared (ie, installed on a vps for a single u
Greetings,
I have been working with a software provider whose software db
configuration uses the default mysql installation (ie, root, no
password). They contend that since the mysql server itself is not
shared (ie, installed on a vps for a single user) that there is no need
to add a password
Daniel,
Monday, October 28, 2002, 1:06:10 AM, you wrote:
DLS> In my mysql.db file, I have some lines like:
DLS> %.private | somedb | someuser | Y | Y | Y | Y | Y | Y | N | Y | Y | Y
DLS> So, I have an internal domain called private, those hosts are in an
DLS> internal DNS, and can be reverse
In my mysql.db file, I have some lines like:
%.private | somedb | someuser | Y | Y | Y | Y | Y | Y | N | Y | Y | Y
So, I have an internal domain called private, those hosts are in an
internal DNS, and can be reverse resolved. The only way I can manage to
connect to "somedb" as "someuser" is t
Mike,
Thursday, August 15, 2002, 12:45:06 AM, you wrote:
MH> Hi there,
MH> I posted this a few days ago and received no responses, so I thought I would
MH> post it again:
Mike, I answered you yesterday.
MH> Hi All;
MH> I am working on a front end to my database, but I am running into a bit of
Hi there,
I posted this a few days ago and received no responses, so I thought I would
post it again:
Hi All;
I am working on a front end to my database, but I am running into a bit of
trouble. I have a user who has the proper privileges and grant option create
other users, but I need to know th
At 11:13 PM -0400 5/8/01, A. Chris Nichols wrote:
>Hello everyone,
>
>I was wondering if anyone could help me out and explain a bit about
>the FILE permissions and how they relate to two particular scenarios:
>
>In both cases MySQL is running on SunOS 5.7 and running MySQL client
>version 3.22.
Hello everyone,
I was wondering if anyone could help me out and explain a bit about the
FILE permissions and how they relate to two particular scenarios:
In both cases MySQL is running on SunOS 5.7 and running MySQL client
version 3.22.23b
MySQL UserA has permissions only on DatabaseA and is
heers
Sajan
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 27, 2001 4:30 PM
Subject: Security Question
Hi,
I am typing the following sequence of commands and running into an access
denied message.
mysql -uusername -p
On 27.02.2001 12:00:38 wrote:
> then i try the following and i get the error message.
WHAT error message?
>
> load data local inifile "c:\text.txt" into table dbname.tblname fields
> terminated by ',' ;
Hmm, as you don't tell us the error message that you're getting, it's hard to
help you.
I
Hi,
I am typing the following sequence of commands and running into an access
denied message.
mysql -uusername -ppassword -hwww.myhost.com dbname
the bit above works and takes me to my mysql prompt and i am logged into my
server/database.
then i try the following and i get the error message.