Security seems to have no boundaries. I’ve been tightening our database security lately, and it seems like this could go on forever: from app to console to privileges to server, there are so many aspects to managing database security. Unfortunately, this is a field where MySQL is in particular weak, and with very little work done in the many years I’ve been working with MySQL.
My very own top-wanted security features for MySQL follows. Surely this is but a small subset, your mileage may vary.
Autherntication-only SSL
By default, MySQL client API is unencrypted and passwords are sent in cleartext. MySQL supports SSL, but it an “all or nothing” deal: if you want to use SSL, then everything goes by SSL: any query, SELECT, DDL and whatnot.
[UPDATE]: Thanks to Davi & Jan for correcting me on this: passwords are not sent via cleartext. I’m not sure by which constellation I saw cleartext passwords being sent — but obviously that was long time ago. Just verified via tcpdump, got “mysql_native_password” message and no cleartext password. Lesson learned!
Roles
Need I elaborate? This is a fundamental construct in a database grant system. The effort of maintaining multiple accounts with similar/identical privileges is overwhelming. (PS I haven’t used Securich to date)
Host aggregation
In MySQL the combination of user+host makes for a distinct account. Thus, ‘gromit’@’192.168.%’ is a completely different account than ‘gromit’@’10.10.%’. I get the idea: you can have more privileges to, say, gromit@localhost than for gromit@’192.%’. In practice, this only makes a headache. In all my years, I have never encountered nor designed a privilege set where two accounts of the same user had different set of privileges. Never ever ever. It is confusing and pointless: if an account has a different set of roles, just call it by another name!
Had we had roles, that would be less painful; but my opinion is that an account should be identified by user only, not by user+host. The ‘host’ part should just indicate the whitelist of machines from which the user is allowed to connect.
Host blacklist
Speaking of whitelist, it would be great to have a host blacklist. If I wanted to grant access to ‘gromit’@’192.168.%’ except for ‘192.168.10.%’ — well, I would have to whitelist all the possible subnets. I can’t exclude a set of hosts.
Catalogues
Another common construct not available in MySQL: a level above “schema” and below “server”. The need for catalogues is in particular obvious when you want to grant some user SELECT access to all your schemas. Ahem, excluding, of course, the mysql schema… If I could create a “user catalogue”, as opposed to “system catalogue”, then I would have been able to GRANT SELECT ON CATALOGUE user.* TO my_user@localhost, and this would apply to all databases in that catalogue.
Privileges auditing
I’ve spent the last week or so restricting privileges to all accounts. This is hard work, because you want to make sure you’re not revoking privileges which are required by the system (in which case I would either choose not to revoke, or create a new dedicated account with requested set of privileges). It would be so much fun if I could turn a flag on, like “SET GLOBAL audit_privileges := 1”, and have a ++counter for every time a privilege check is made per account.
I guess we could go on… On a brighter note, I’ve been using the audit plugin interface by writing a login audit plugin with very good results (= good auditing & important insights); the (simple) code will be released shortly as open source; I’ll write more on this at a later stage.
Hi Shlomi,
FYI, one can implement host blacklists today:
http://mysqlblog.fivefarmers.com/2013/08/30/implementing-a-host-blacklist-with-mysql-privileges/
Be warned, though: it relies on the behavior that treats the same user as different accounts when the matching host differs. 🙂
Todd
In theory we’re all supposed to have an only my views disclaimer of similar form to the one I use, that references the correct place to go to for an official view. But it’s possible that I’m the only one of us who has both read the rule and tries to follow it a bit. 🙂
I probably wouldn’t usually want to manage most users to user-specific database accounts and that isn’t how Wikipedia does it. But I would want to split read, write and higher permissions by database account, so only the portions of the application code that need the permissions are vulnerable to attacks that might abuse the higher permissions.
In general I agree about topology and I think that most places would be happy with one user name and multiple locations and would choose not to have the same user name being a different person or password when coming from different locations. But I can see that restriction being irritating in a multiple office large environment where it could end up blocking people from using preferred names because of naming conflicts with those in other offices. Probably not enough DBAs for it to matter in most businesses.
I think you’re doing a good job of describing the most common cases and wants. An interesting challenge for us is making that easy while also not blocking the others.
Todd,
This is very interesting! I’ll need to test this with some authentication plugin (or write my own “reject plugin”). If this turns out to work well – it’s a good enough solution for me!
Thanks
Re “Unfortunately, this is a field where MySQL is in particular weak, and with very little work done in the many years I’ve been working with MySQL”.
I think we made that claim obsolete in 5.6. 🙂 You might find it useful to read these things:
http://www.mysqlperformanceblog.com/2013/08/17/mysql-5-6-security-vs-ease-of-use/
Randomly assigned root password instead of blank, then forced to change that before you can use the account. Seems like quite an improvement.
How about the password validation plugin, described at http://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html ?
Or perhaps the SHA-256 authentication plugin for more secure password hashing: http://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html ?
And maybe the removal of passwords from logging: http://dev.mysql.com/doc/refman/5.6/en/password-logging.html ?
There’s more, of course. What we’re trying to do is get it more secure by default.
The greater focus on security mostly started to become visible in 5.6 though of course that means the work started a couple of years earlier. Easy enough to miss it if you didn’t look at the security changes in 5.6.
We do still have an education challenge, of course. One part of which is helping people like you to know what we’re doing so you can pass the word on and get more people using the improved security capabilities.
There’s still more to do and Todd has been coming up with some really good more secured by default ideas that I hope to see in 5.7.