'Security' Tag

  • mylvmbackup HOWTO: minimal privileges & filesystem copy

    August 17, 2010

    This HOWTO discusses two (unrelated) issues with mylvmbackup: the minimal privileges required to take MySQL backups with mylvmbackup, and making a (non-compressed) file system copy of one’s data files. Minimal privileges: some just give mylvmbackup the root account, which is far too permissive. We now consider what the minimal requirements of mylvmbackup are. The queries mylvmbackup [...]
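The excerpt is cut off before it lists the queries. The following is an added example (not from the original post) of what a least-privilege backup account looks like, under the assumption that an LVM-snapshot backup tool only issues FLUSH TABLES WITH READ LOCK, SHOW MASTER STATUS / SHOW SLAVE STATUS and UNLOCK TABLES; the account name and password are placeholders. The general log check at the end is how to confirm that assumption against the tool you actually run.

```sql
-- Added example: least-privilege account for an LVM snapshot backup.
-- Assumption (hypothetical): the backup tool only runs
--   FLUSH TABLES WITH READ LOCK; SHOW MASTER STATUS; SHOW SLAVE STATUS; UNLOCK TABLES;
-- FLUSH needs the RELOAD privilege; SHOW MASTER/SLAVE STATUS need REPLICATION CLIENT.
-- No SELECT/INSERT etc. on any schema is needed: the data is copied from the
-- filesystem snapshot, not through the SQL interface.
CREATE USER 'lvmbackup'@'localhost' IDENTIFIED BY 'choose-a-long-random-password';
GRANT RELOAD, REPLICATION CLIENT ON *.* TO 'lvmbackup'@'localhost';

-- Verify: only USAGE plus the two global privileges should be listed.
SHOW GRANTS FOR 'lvmbackup'@'localhost';

-- Smoke-test the sequence the tool performs, connected as the new user
-- (mysql -u lvmbackup -p). Each statement must succeed, nothing else is needed.
FLUSH TABLES WITH READ LOCK;
SHOW MASTER STATUS;
SHOW SLAVE STATUS;
UNLOCK TABLES;

-- Check the assumption: log every statement the tool issues during one run,
-- then grant exactly what those statements require and switch the log off again.
SET GLOBAL general_log = 1;
-- ... run the backup tool once ...
SET GLOBAL general_log = 0;

-- Compare with the over-privileged alternative this replaces:
--   GRANT ALL PRIVILEGES ON *.* TO ...
-- which lets a compromised backup host read and modify every table and,
-- with FILE and SUPER, reach the filesystem and server configuration as well.
```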

  • Passwords which are bad for your health

    December 20, 2009

    I’ve seen some passwords that took a few years off my life. I mean, we all know about dictionary words, right? And we’ve all seen Spaceballs, right? But choosing 12345 as your password is not the only careless option: there are many more! The more familiar I get with users’ passwords, the more I see [...]

  • Even more on MySQL password security

    June 8, 2009

    This post follows Ronald Bradford’s More Basic MySQL Security, and Lenz Grimmer’s Basic MySQL Security: Providing passwords on the command line and More on MySQL password security. In Ronald’s post I argued that passwords provided on the command line are visible in plaintext in “ps aux”. Lenz has argued that this is incorrect, providing the source [...]

  • Blocking user accounts

    March 5, 2009

    A long-missing feature in MySQL is temporarily blocking accounts: denying a user the ability to log in, without affecting any of her other privileges. There is no such privilege as ‘LOGIN’ in the grants table, as the ability to log in is the most basic one MySQL allows. This basic privilege is called USAGE. I’ll [...]
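Added example, not from the original post: how to block an account without touching its grants on a current server, and the workaround for servers of the post’s era. The account name is a placeholder.

```sql
-- Added example: blocking an account while leaving its other privileges intact.
-- 'app'@'10.0.0.%' is a hypothetical account.

-- MySQL 5.7.6 and later have a dedicated lock flag; this is the clean option.
ALTER USER 'app'@'10.0.0.%' ACCOUNT LOCK;
-- Verify the lock; the grants themselves are unchanged.
SELECT user, host, account_locked FROM mysql.user WHERE user = 'app';
SHOW GRANTS FOR 'app'@'10.0.0.%';
-- Re-enable later with:
ALTER USER 'app'@'10.0.0.%' ACCOUNT UNLOCK;

-- Older servers (the situation described in the post): there is no LOGIN
-- privilege to revoke, so the usual workaround is to overwrite the stored
-- password hash with something no password can hash to. Record the original
-- hash first so the account can be restored; MySQL keeps no copy for you.
SELECT password FROM mysql.user WHERE user = 'app' AND host = '10.0.0.%';
UPDATE mysql.user SET password = '*BLOCKED'
  WHERE user = 'app' AND host = '10.0.0.%';
FLUSH PRIVILEGES;

-- Neither method touches connections that are already open: locking is
-- checked at connect time. Find and terminate them explicitly.
SELECT id FROM information_schema.processlist WHERE user = 'app';
-- KILL <id>;   -- once per id returned above
```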

  • `;`.`*`.`.` is a valid column name

    February 12, 2009

    And the following query:

        SELECT `;`.`*`.`.` FROM `;`.`*`;

    is valid as well. So are the following:

        DROP DATABASE IF EXISTS `;`;
        CREATE DATABASE `;`;
        CREATE TABLE `;`.`*` (`.` INT);
        CREATE TABLE `;`.```` (`.` INT);
        CREATE TABLE `;`.`$(ls)` (`.` INT);

  • MySQL security: data integrity issues

    January 21, 2009

    MySQL’s security model is not as elaborate as that of other popular databases. It’s missing quite a lot. I wish to point out what I think are some very disturbing security holes, which may affect database integrity. This post is not about Roles, Kerberos, IPs and such. It’s about simple MySQL features which allow common, unprivileged [...]

  • Triggers Use Case Compilation, Part I

    January 5, 2009

    I’ve run into quite a few triggers lately on production systems. In previous posts, I’ve written about problems solved with triggers. So here’s a compilation of some solutions based on triggers, and some problems which are not (yet?) solvable due to current trigger limitations. Triggers can be used to: maintain integrity, enhance security, enhance logging [...]

  • Using triggers to block malicious code: an example

    January 1, 2009

    Web applications face constant exploitation attempts. Those with a user base must keep their users’ private data, well… private. While the MySQL security model allows restricting users’ access to databases, tables and even columns, it has no built-in feature for restricting access to rows within a given table. One cannot allow a user to [...]
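An added example (not the post’s own code) of the “enhance security” use of triggers from the compilation above and the row-level restriction this excerpt describes: per-user MySQL accounts, and BEFORE triggers that refuse to modify rows owned by someone else. The schema, database and account names are hypothetical; SIGNAL needs MySQL 5.5 or later.

```sql
-- Added example: row ownership enforced by triggers. Hypothetical schema.
CREATE DATABASE IF NOT EXISTS app;
USE app;

CREATE TABLE notes (
  id    INT AUTO_INCREMENT PRIMARY KEY,
  owner VARCHAR(288) NOT NULL,   -- 'user@host' as returned by USER()
  body  TEXT
);

-- USER() rather than CURRENT_USER(): triggers run with DEFINER privileges, so
-- CURRENT_USER() inside them is the trigger's definer, not the client.
-- USER()'s user part is whatever the client claimed, which is only trustworthy
-- once anonymous accounts are gone; otherwise a client can claim any name and
-- still authenticate as ''@'host'.
DELETE FROM mysql.user WHERE user = '';
FLUSH PRIVILEGES;

DELIMITER $$

-- New rows are stamped with the connecting account, whatever the client sent.
CREATE TRIGGER notes_bi BEFORE INSERT ON notes FOR EACH ROW
BEGIN
  SET NEW.owner = USER();
END$$

CREATE TRIGGER notes_bu BEFORE UPDATE ON notes FOR EACH ROW
BEGIN
  IF OLD.owner <> USER() THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'row belongs to another account';
  END IF;
  SET NEW.owner = OLD.owner;   -- ownership cannot be handed over by the client
END$$

CREATE TRIGGER notes_bd BEFORE DELETE ON notes FOR EACH ROW
BEGIN
  IF OLD.owner <> USER() THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'row belongs to another account';
  END IF;
END$$

DELIMITER ;

-- Each application user gets DML on the table and nothing else: without the
-- TRIGGER, ALTER or DROP privileges they cannot remove the check.
CREATE USER 'alice'@'localhost' IDENTIFIED BY 'choose-a-long-random-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON app.notes TO 'alice'@'localhost';

-- Connected as alice:
INSERT INTO notes (body) VALUES ('mine');                 -- owner = 'alice@localhost'
UPDATE notes SET body = 'defaced' WHERE owner <> USER();  -- fails with SQLSTATE 45000
-- Caveat: triggers never fire for SELECT. Reads still leak every row unless
-- SELECT is granted on a view with WHERE owner = USER() instead of on the table.
```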

  • Dangers of skip-grant-tables

    November 13, 2008

    When MySQL’s root password is lost and must be reset, there are two popular ways to set a new one. One of them is far too popular, in my opinion. The preferred way of setting root’s password is by using an init-file. The process for doing this is well explained in MySQL’s manual. [...]
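Added example, not from the post: the contents of such an init-file, how it is applied, and why the alternative is dangerous. The file path and password are placeholders.

```sql
-- Added example: resetting a lost root password with --init-file.
-- The server executes this file once at startup, with full privileges, and
-- never runs without authentication. Hypothetical path:
--   /var/lib/mysql-init/reset-root.sql  (chown mysql, chmod 600)
--
-- File contents: one complete statement per line, no DELIMITER tricks.
-- MySQL 5.7.6 and later:
ALTER USER 'root'@'localhost' IDENTIFIED BY 'new-long-random-password';
-- MySQL 5.6 and earlier, use this line instead:
-- SET PASSWORD FOR 'root'@'localhost' = PASSWORD('new-long-random-password');
--
-- Start the server once with the file, then drop the option and delete the file:
--   mysqld_safe --init-file=/var/lib/mysql-init/reset-root.sql &
-- Verify from a normal client that the new password works before moving on:
--   mysql -u root -p -e "SELECT CURRENT_USER()"
--
-- Why not --skip-grant-tables: while it is in effect every connection gets
-- every privilege with no password at all. Before MySQL 8.0 it does not even
-- disable networking (8.0 turns on skip_networking automatically), so anyone
-- who can reach the port during the reset owns the server, and the window stays
-- open until the server is restarted or someone runs FLUSH PRIVILEGES.
```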

 
Powered by Wordpress and MySQL. Theme by openark.org