MySQL security top wish list

Security seems to have no boundaries. I’ve been tightening our database security lately, and it seems like this could go on forever: from app to console to privileges to server, there are so many aspects to managing database security. Unfortunately, this is a field where MySQL is in particular weak, and with very little work done in the many years I’ve been working with MySQL.

My very own top-wanted security features for MySQL follows. Surely this is but a small subset, your mileage may vary.

Autherntication-only SSL

By default, MySQL client API is unencrypted and passwords are sent in cleartext. MySQL supports SSL, but it an “all or nothing” deal: if you want to use SSL, then everything goes by SSL: any query, SELECT, DDL and whatnot.

[UPDATE]: Thanks to Davi & Jan for correcting me on this: passwords are not sent via cleartext. I’m not sure by which constellation I saw cleartext passwords being sent — but obviously that was long time ago. Just verified via tcpdump, got “mysql_native_password” message and no cleartext password. Lesson learned!

Roles

Need I elaborate? This is a fundamental construct in a database grant system. The effort of maintaining multiple accounts with similar/identical privileges is overwhelming. (PS I haven’t used Securich to date)

Host aggregation

In MySQL the combination of user+host makes for a distinct account. Thus, ‘gromit’@’192.168.%’ is a completely different account than ‘gromit’@’10.10.%’. I get the idea: you can have more privileges to, say, gromit@localhost than for gromit@’192.%’. In practice, this only makes a headache. In all my years, I have never encountered nor designed a privilege set where two accounts of the same user had different set of privileges. Never ever ever. It is confusing and pointless: if an account has a different set of roles, just call it by another name!

Had we had roles, that would be less painful; but my opinion is that an account should be identified by user only, not by user+host. The ‘host’ part should just indicate the whitelist of machines from which the user is allowed to connect.

Host blacklist

Speaking of whitelist, it would be great to have a host blacklist. If I wanted to grant access to ‘gromit’@’192.168.%’ except for ‘192.168.10.%’ — well, I would have to whitelist all the possible subnets. I can’t exclude a set of hosts.

Catalogues

Another common construct not available in MySQL: a level above “schema” and below “server”. The need for catalogues is in particular obvious when you want to grant some user SELECT access to all your schemas. Ahem, excluding, of course, the mysql schema… If I could create a “user catalogue”, as opposed to “system catalogue”, then I would have been able to GRANT SELECT ON CATALOGUE user.* TO my_user@localhost, and this would apply to all databases in that catalogue.

Privileges auditing

I’ve spent the last week or so restricting privileges to all accounts. This is hard work, because you want to make sure you’re not revoking privileges which are required by the system (in which case I would either choose not to revoke, or create a new dedicated account with requested set of privileges). It would be so much fun if I could turn a flag on, like “SET GLOBAL audit_privileges := 1”, and have a ++counter for every time a privilege check is made per account.

I guess we could go on… On a brighter note, I’ve been using the audit plugin interface by writing a login audit plugin with very good results (= good auditing & important insights); the (simple) code will be released shortly as open source; I’ll write more on this at a later stage.

30 thoughts on “MySQL security top wish list

  1. @James & @Todd,

    Well done on moving things in security! I will humbly maintain my position that MySQL is at the moment still weak about security, without invalidating your hard & appreciated work (and I agree on dropping the “very little work done… part”). It’s a thing that has been neglected for years, I think there’s a lot yet to cover.
    Great that you are making progress: enforecement of (strong & strongly hashed) passwords is excellent. I will publicly cheer you up on further progress!

  2. Thanks. I agree that there’s still a lot to cover.

    More Todd and Joro’s area than mine, though I have some input on various aspects of it and always keep my eyes open for issues or opportunities. And I try to inform and clarify.

    One good question to ponder from time to time is:”how can we protect the uninformed or unlucky from attacks or issues by default, without also making life unduly hard?”

  3. In thinking about roles, I remembered that Workbench has some concept of “roles”. Although it’s managed outside the database rather than inside, I think it could prove useful for managing common permissions across many user accounts. In order to do so, though, WB needs to allow users to create custom “role” definitions:

    http://bugs.mysql.com/bug.php?id=70227

    If you think that would be useful to you, be sure to let the WB team know.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.