This HOWTO discusses two (unrelated) issues with mylvmbackup: The minimal privileges required to take MySQL backups with mylvmbackup. Making (non compressed) file system copy of one’s data files. Minimal privileges Some just give mylvmbackup the root account, which is far too permissive. We now consider what the minimal requirements of mylvmbackup are. The queries mylvmbackup [...]
I’ve seen some passwords to take a few years from my life. I mean, we all know about dictionary words, right? And we’ve all seen Spaceballs, right? But choosing 12345 as your password is not the only careless option: there are many more! The more I get familiar with user’s password, the more I see [...]
This post follows Ronald Bradford’s More Basic MySQL Security, and Lenz Grimmer’s Basic MySQL Security: Providing passwords on the command line and More on MySQL password security. In Ronald’s post I’ve argued that passwords provided on command line are visible in plaintext on “ps aux”. Lenz has argued that this is incorrect, providing the source [...]
A long time missing feature in MySQL is temporarily blocking accounts: denying a user to log in, without affecting any other of her privileges. There is no such privilege as ‘LOGIN’ in the grants table, as the ability to log in is the most basic one MySQL allows. This basic privilege is called USAGE. I’ll [...]
And the following query: SELECT `;`.`*`.`.` FROM `;`.`*`; is valid as well. So are the following: DROP DATABASE IF EXISTS `;`; CREATE DATABASE `;`; CREATE TABLE `;`.`*` (`.` INT); CREATE TABLE `;`.““ (`.` INT); CREATE TABLE `;`.`$(ls)` (`.` INT);
MySQL’s security model is not as elaborate as other popular databases. It’s missing quite a lot. I wish to point out what I think are some very disturbing security holes, which may affect the database integrity. This post is not about Roles, Kerberos, IPs and such. It’s about simple MySQL features, which allow common, unprivileged [...]
I’ve run by quite a few triggers lately on production systems. In previous posts, I’ve written about problems solved with triggers. So here’s a compilation of some solutions based on triggers; and some problems which are not (yet?) solvable due to current triggers limitations. Triggers can be used to: Maintain integrity Enhance security Enhance logging [...]
Web applications face constant exploitation attempts. Those with a user base must keep their users’ private data, well… private. While the MySQL security model allows restricting users access to databases, tables and even columns, it has no built in feature for restricting the rows access within the given table. One cannot allow a user to [...]
When MySQL’s root password is lost and must be reset, there are two popular ways to create a new password. One of the options is far too popular, in my opinion. The preferred way of setting a root’s password is by using an init-file. The process for doing this is well explained in MySQL’s manual. [...]