My scenario is hosting multiple domains (virtual hosts). The ejabberd doc says ...
"Important note about virtual hosting: if you define several domains in ejabberd.yml (see
section Host Names), you probably want that each virtual host uses a different
configuration of database, authentication and storage, so that usernames do not conflict
and mix between different virtual hosts."
I plan to host on AWS RDS, which means a lot of admin to onboard a new virtual host.
A simpler alternative would be for all virtual hosts to live in the same postgresql instance, but under individual schema names to create isolation within the db. Currently no schema is specified so tables are created under the default public schema.
Is this possible?
PS. I'm aware that the "new schema" supports multi-homing, but for the ease of admin I'd still prefer to keep each domain isolated.
Is this possible?
Well, your question is clear and specific. And the answer is, too: not possible, at least according to ejabberd documentation and implementation.
Related
as the title states I don't understand the relation between permission to access a db and the permission to write/read files on the underlying OS.
In one of my latest CTF's I had to obtain access to a database and then read files of the server containing the flag. I know this is only possible if the compromised user has the file privilege, but my question remains the same.
Sqlmap states in its features it can accomplish this:
Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
Now my specific questions:
What is the core feature/problem that allows this OS access?
Why are the permission connected?
Are other DBMS also vulnerable to this and is it a general problem (meaning sqlmap just doesn't provide the exploit for other dbms yet)?
In my eyes the permissions should be treated differently and the db user should not have permissions on the OS, except the files with relation to the DBMS.
Thanks in advance, I know the question is not limited to one aspect and contains various fundamental topics. I'm also willing to do more research, but maybe there is an answer that facilitates my learning process.
I am not sure about the others, but the below is true of MySQL and MariaDB.
You would need an additional exploit for local privilege escalation to gain access to any files the database user has no access to. The file path available for access is in the system variable secure_file_priv. Dumping/loading data from any other location will not be possible.
Additionally, executing commands is not possible without a UDF plugin that would allow you to execute arbitrary commands. Such things exist, but are not part of MySQL / MariaDB - it is something the sysadmin/DBA on the DB server would have to install themselves. Without this, you wouldn't be able to get the list of files.
Then there are the OS level protections:
1) POSIX level privileges
This is regular user/group file systems permissions.
2) Secondary hardening, e.g. SELinux or AppArmor
This will prevent the running process from accessing paths, ports and other resources that don't match the context or path defined in the security policy.
In short, you cannot access/retrieve arbitrary files through the database layer unless the server is deliberately (mis)configured in a way that would allow you to do so, and it would take active effort to configure a MySQL or MariaDB server in a way that would leave it open to this.
I have installed ejabberd on an AWS EC2 instance and am using the smack library to connect to it with my android app. At the moment the ejabberd server is using mnesia as the database, however I want to perform some complex queries on some of the data (mainly the MUC room names), as SQL will predominantly the best solution for this, I was wondering if it was possible to replicate the required data to an external MySQL database that I could then query.
Is this possible or am i better looking at a different approach to this problem?
There is no module built into ejabberd to replicate data in Mnesia to MySQL. However, the usual approach is to use the backend you need for each feature. If you want mod_muc to store data into MySQL instead of Mnesia, you can just change the backend to odbc (which means it will store data for that module in a relational database).
You can refer to ejabberd documentation for MUC module: http://docs.ejabberd.im/admin/guide/configuration/#modmuc
Once your MySQL is configured and schema is loaded, you can set db_type to odbc on a case by case basis to choose MySQL for that module.
In my company, there is an "all purpose" application which is central and that we want to use as our central diary for users accounts and authentication.
Every users and ACLs are declared in this DB (which is a MySQL DB) but we are now using more and more external application and would like to connect them to this DB for authentication purpose (mainly).
LDAP is quite common for this and is well integrated in many external applications so I was wondering if it would be possible to build an LDAP frontend on top of that DB so that accounts creation and ACLs can be done as it is currently and external applications can connect with a standard interface.
Is it possible ?
Can somebody point me to tutorials or informations about that kind of operation ?
Thanks.
OpenLDAP and OpenDS can be configured to use an SQL database as backend. A mapping can (at least in OpenLDAP) be defined between LDAP data and SQL data.
So, the remaining question seems to be: Can the mapping be defined so flexibly that it suits your existing database structure?
EDIT:
MyVD creates a Virtual Directory that you can feed with a database - and seems to be more light-weight.
How to allow multiple users in local network to share a single MySQL database? We even have option of share drive, if it will help.
we are using C# windows application as front end
The limitation is that we do not have acces to our main server. The server is with the other ofice department and we do not want to indulge that department in our project. So, we are on LAN and have a shared drive between us.
And we want to use this database common to multiple users in our office (aprox 100 users) which will use our C# windows application to view data and to enter data.
Can we do something on Share Drive? I am not sure..
Hope it will make some sense..
Thanx
MySQL handles this situation out-of-the-box. Each client connects from wherever and the DBM handles the details. Make sure the server is configured correctly and that the specific database allows connects from other than 127.0.0.1.
Whatever you do, do not use file sharing to try and run multiple copies of MySQL against a single database -- that way lies madness and tears. There are lock files that try to prevent this type of abuse, but I've acutally seen people try to "get around" this.
Here is an excellent guide for unix based servers :
http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html
the same passages are needed for a windows system, you need to enable remote access and eventually grant permissions on a defined IP.
Remote sharing of the database is disabled by default for security reasons.
EDIT:
if you are in the same network, then you may just grant permissions I.E.:
GRANT SELECT ON mydb.* TO devel2#192.168.1.102 identified by 'mypassword'
As long as they have network access to the server and you have at least MySQL 5 (5.0.2), can't you just create users for them?
CREATE USER 'new_username'#'localhost' IDENTIFIED BY 'password_for_new_username';
Is it possible to link to a MySql database that is on another server and hosted somewhere else entirely?
yes, just change the host configuration on your connection string
http://www.connectionstrings.com/mysql
Yes, you can connect to a remote server.
How to Enable Remote Access To MySQL Database Server
Yes - Check out connection strings http://www.connectionstrings.com/mysql
I have to recommend against it if you have a lot a data to transfer via the web, but within the network of company it works. In fact, in a common solution : you put the data on a dedicated server with performance/redundancy capabilites.
When you can connect to a local database you use a connection string such as 127.0.0.1:3306/somthing_something. With that in mind, you realise you can easily change this to another host.
Yes, as long as a path is provided to you to get "at" the MySql server. In other words, the person hosting the SQL server would have to ensure that a port is open on their firewall so that your application could talk to it.
yes, however, performance (bandwidth, latency) may be an issue depending on your specific requirements
Certainly. The most common production deployment has the database hosted on a seperate server. What might be interesting to you is the connection string that you application defines.
Yes, it is possible, but it is not wise solution, since your users will experience additional lags when your application will be connecting to some distant database.
It is possible if the hosted MySql server has a public IP you can access.
I've been trying this for days with a joomla site and can't get it to connect to a remote DB. The db is configured to be accessible from all hosts but given that joomla has a config file that specifies seperately the host, DB name, username and pass (you can't create a connection string manually) I'm not sure what other options I have to get this to work.
Did the orginal poster have success with this?
Definitely - and that is how my web host implements MySQL databases: As soon you create one it is created in a cluster of servers. Along with username&password pairs, and database name, they give you the server name.
Similarly, you can do it on your own LAN, or even over the Internet. I've done it over a LAN for testing. I would not recommend doing it over the Internet though due to very slow speed and an increase in security risk.