What you are asking for is exactly what DEFINER security does. The
application owner grants appuser the right to execute the procedure,
but not to SELECT from any tables. The procedure is then run with the
security attributes of the definer of the procedure, the application
owner, even though
When creating a stored procedure, you can set the sql security
characteristic to either definer or invoker. As an example, I have a
stored procedure that does a select from a table, and an application user
(appuser) that calls the stored procedure. If the sql security is set to
invoker, then
Title: Security Question
Hi All --
I have been a member of this list for a while but I actually have a question that I can't answer.
MySQL v4.1.14-nt on Win2k3 Server
I've got someone who is trying to get in, but I have locked it down. Methods used include, but are not limited
If it's a DoS attack then perhaps you should be speaking to your ISP and
getting that resolved rather than trying to work around the problem on
your side of things!
Having said that, you could possibly impose host level restrictions in
MySQL, but that could be a lot of work to modify your
[EMAIL PROTECTED] wrote:
MySQL has moved WELL past the 3.23.x lineage and is getting close to
retiring the 4.0.x lineage (it's only a rumor). So I suggest you update
Not completely a rumor; on August 2, Heikki wrote: As far as I know,
one release of 4.0 will still be built.
Considering the
Hi,
I have installed binary mysql version 3.23.58 downloaded from www.mysql.org.
In changelog from the documentation say that the release is from
september 2003 and the security bug is in March 2005.
What can I do ? How mysql provide updates?
Thanks!!
=
Security info:
Alejandro [EMAIL PROTECTED] wrote on 08/16/2005 03:01:59 PM:
Hi,
I have installed binary mysql version 3.23.58 downloaded from
www.mysql.org.
In changelog from the documentation say that the release is from
september 2003 and the security bug is in March 2005.
What can I do ? How mysql
I agree with you,
I will upgrade.
Thanks for the advice.
On 8/16/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Alejandro [EMAIL PROTECTED] wrote on 08/16/2005 03:01:59 PM:
Hi,
I have installed binary mysql version 3.23.58 downloaded from
www.mysql.org.
In changelog
would not be too significant?
Best regards,
Andy
-Original Message-
From: Curley, Thomas [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 13:22
To: [EMAIL PROTECTED]
Subject: RE: Security Question
Importance: High
thanks for reply - the requirement comes from a security audit -
so
- Someone copies the DB files to another box, starts a mysql
instance, loads the DB and presto - views the 'private' data !!!
PD Sure. That's why you establish filesystem level access privileges so that
PD only the mysql user can copy them in the first place.
Some DBMSs allow to setup
Hi!
On Nov 27, DeBug wrote:
- Someone copies the DB files to another box, starts a mysql
instance, loads the DB and presto - views the 'private' data !!!
PD Sure. That's why you establish filesystem level access privileges so that
PD only the mysql user can copy them in the first place.
I am trying to find a solution to the following security issue with MySql DB on linux
- Someone copies the DB files to another box, starts a mysql instance, loads the DB
and presto - views the 'private' data !!!
Ideally I would like to know if there is any option in MySql to store the DB files
Thomas,
I am trying to find a solution to the following security issue with MySql DB on linux
- Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!!
Well, someone should not have access rights to the DB files on the
first
If there is no solution to this then MySql should not be used on internet accessible
boxes for dynamic web sites
Thomas
-Original Message-
From: Fagyal, Csongor [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 12:51
To: Curley, Thomas
Cc: [EMAIL PROTECTED]
Subject: Re: Security Question
Thomas,
I
On Wednesday 26 November 2003 13:22, Curley, Thomas wrote:
Another Assumption
--
Encrypting / decrypting all data on the fly would be too expensive and
grind the app to a halt
So the question again :-
Any ideas on how to avoid having data files stored with absolutely
:51
To: Curley, Thomas
Cc: [EMAIL PROTECTED]
Subject: Re: Security Question
Thomas,
I am trying to find a solution to the following security issue with MySql
DB on linux
- Someone copies the DB files to another box, starts a mysql instance,
loads the DB and presto - views the 'private
, the more
roadblocks you put between a potential hacker and your sensitive data, the
better.
-M
-Original Message-
From: Curley, Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 8:22 AM
To: [EMAIL PROTECTED]
Subject: RE: Security Question
Importance: High
thanks for reply
PROTECTED]
Sent: 26 November 2003 13:36
To: Curley, Thomas; [EMAIL PROTECTED]
Subject: RE: Security Question
One of the first things that I did at my former job was to turn off all
external-facing network adapters to our DB machines. If you're fortunate
enough that your DB resides on its own box
On Wednesday 26 November 2003 13:43, Curley, Thomas wrote:
Mike
Correct and this is the architecture. The internet facing box has a
routable IP, the DB box is separate and is not ext routable.
The issue the security review highlighted strongly was the fact that if a
hacker got access to
To the chap who said it's not a DB issue - I will check with Oracle but I'm
sure that dropping in a directory in oracle will not give you full access
to a database (a clear one that is)
The chap was me :-) I'm sure it does on oracle. Once you have an Oracle
installation and got hold of all
Hacker gets in this way:
-[Webserver][rooted]-[DBServer][rooted]-File_Access(/var/lib/mysql/database)
I'd say the major security breach is already when the Webserver is rooted.^
If he gets to your webserver he could still read WHATEVER DATA he wants from
your database with the information he
Hi!
On Nov 26, Curley, Thomas wrote:
thanks for reply - the requirement comes from a security audit - so
try to think in terms of a hacker
Obviously and (I had assumed)
1.- the files would have tight unix security file permissions
applied
2.- indeed the key would be stored on an
Stefan Kuhn wrote:
To the chap who said it's not a DB issue - I will check with Oracle but I'm
sure that dropping in a directory in oracle will not give you full access
to a database (a clear one that is)
The chap was me :-) I'm sure it does on oracle. Once you have an Oracle
installation
At 07:22 AM 11/26/2003, you wrote:
Another Assumption
--
Encrypting / decrypting all data on the fly would be too expensive and
grind the app to a halt
Not true. There are some databases that can encrypt records on the fly
without any speed degradation ( 1%) using either
Curley, Thomas wrote:
I am trying to find a solution to the following security issue with MySql DB on linux
- Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!!
As all the other posters have mentioned, you should have
At 16:13 -0500 11/26/03, Kevin Carlson wrote:
Curley, Thomas wrote:
I am trying to find a solution to the following security issue with
MySql DB on linux
- Someone copies the DB files to another box, starts a mysql
instance, loads the DB and presto - views the 'private' data !!!
As all the
At 03:21 PM 11/26/2003, you wrote:
If someone can copy your database files, you're hosed. All the attacker
need do is start the server with --skip-grant-tables, and he can
connect to it with no password, and has complete access to any files
managed by the server.
Paul Curley,
The mysql docs, in the security section, warn of special
characters encoded in dynamic urls. IE., %27 (`'`). Is
there a hazard with the string '%27' being in the database?
Or is this just another case of protecting against the
insertion of the `'` character? In other words, if I
am already
Hello,
Think that we have a database named DATABASE1, and table named TABLE1, and fields named FIELD1, FIELD1,FIELD2,FIELD3,FIELD4
You want to give a specific permission to a user named USER1
For ex, you give only SELECT permission to USER1 for FIELD1 and FIELD4 in TABLE1 and DATABASE1.
Greetings,
I have been working with a software provider whose software db
configuration uses the default mysql installation (ie, root, no
password). They contend that since the mysql server itself is not
shared (ie, installed on a vps for a single user) that there is no need
to add a
At 7:53 -0800 3/3/03, Nicole Lallande wrote:
Greetings,
I have been working with a software provider whose software db
configuration uses the default mysql installation (ie, root, no
password). They contend that since the mysql server itself is not
shared (ie, installed on a vps for a single
Daniel,
Monday, October 28, 2002, 1:06:10 AM, you wrote:
DLS In my mysql.db file, I have some lines like:
DLS %.private | somedb | someuser | Y | Y | Y | Y | Y | Y | N | Y | Y | Y
DLS So, I have an internal domain called private, those hosts are in an
DLS internal DNS, and can be reverse
In my mysql.db file, I have some lines like:
%.private | somedb | someuser | Y | Y | Y | Y | Y | Y | N | Y | Y | Y
So, I have an internal domain called private, those hosts are in an
internal DNS, and can be reverse resolved. The only way I can manage to
connect to somedb as someuser is to
Mike,
Thursday, August 15, 2002, 12:45:06 AM, you wrote:
MH Hi there,
MH I posted this a few days ago and received no responses, so I thought I would
MH post it again:
Mike, I answered you yesterday.
MH Hi All;
MH I am working on a front end to my database, but I am running into a bit of
MH
Hi there,
I posted this a few days ago and received no responses, so I thought I would
post it again:
Hi All;
I am working on a front end to my database, but I am running into a bit of
trouble. I have a user who has the proper privileges and grant option create
other users, but I need to know
Hello everyone,
I was wondering if anyone could help me out and explain a bit about the
FILE permissions and how they relate to two particular scenarios:
In both cases MySQL is running on SunOS 5.7 and running MySQL client
version 3.22.23b
MySQL UserA has permissions only on DatabaseA and is
At 11:13 PM -0400 5/8/01, A. Chris Nichols wrote:
Hello everyone,
I was wondering if anyone could help me out and explain a bit about
the FILE permissions and how they relate to two particular scenarios:
In both cases MySQL is running on SunOS 5.7 and running MySQL client
version 3.22.23b
Hi,
I am typing the following sequence of commands and running into an access
denied message.
mysql -uusername -ppassword -hwww.myhost.com dbname
the bit above works and takes me to my mysql prompt and i am logged into my
server/database.
then i try the following and i get the error message.
On 27.02.2001 12:00:38 wrote:
then i try the following and i get the error message.
WHAT error message?
load data local inifile "c:\text.txt" into table dbname.tblname fields
terminated by ',' ;
Hmm, as you don't tell us the error message that you're getting, it's hard to
help you.
I
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 27, 2001 4:30 PM
Subject: Security Question
Hi,
I am typing the following sequence of commands and running into an access
denied message.
mysql -uusername -ppassword -hwww.myhost.com dbname
the bit above