I want one of my Linux users to be able to see the size of table files in /var/lib/mysql/[db]/..., but these dirs are owned by mysql:mysql and everyone does not have read access. Is it safe to add a normal user to the mysql group?
All things about security that I learned is about give access Only if it's absolutely necessary. Said that, you can think convenient to give them only read permissions, and for that, create new roles:
MySQL - How to grant read only permissions to a user?
And if the users need to read the file (only the system file), you'll be opening the archives for their by making a specific group with the right permissions. And yes, is convenient, less secure, but resolve your problem.
Related
Just looking for some advise on how I could store if a user has permissions to do a certain task.
The way the project is laid out is there are lots of "section" and then there are multiple permissions associated within that section.
For example
Management section permissions
can delete
can add
can move
Creation section permissions
can create
can createbigger
can createbest
Each user can have any of these permissions and does not require the previous permission in order to have it
Probably not the best example but I cant think of anything
I was thinking of having a system using intergers kinda like linux's permission system but was wondering what other people would recommend sorry if my question is not very clear.
Thanks!
Forgot to mention I indtend of storing the permissions in a database!
Suppose you're writing a simple database web application using Ruby and MySQL. Access to the database is controlled by Ruby code. The user name that the Ruby code uses to access the data is the only regular user on the database. Does it make sense for that user to be "root"? Or is there any extra security in creating a second user just for the application?
Simple, consider the root as the main user, who can do everything (by default).
If he wants to dump the whole database, he can, if he wants to create some data to create (for example) fake account to overpass your bank system, he can.
So if your code is not enough secure (and this is quite often usually), you have strong security issue.
Usually, "a basic" security (really basic), should looks like that :
create a simple user, give him (with GRANTS) the right to SELECT, INSERT, UPDATE and DELETE on a specific database.
create another user who can SELECT and lock tables and SHOW VIEWS to perform dump (database save).
On a more "complex" system, you should create many users, depending of what they should access, this is for simple reason : if somebody got a SQL injection access, if the user can only access to a single view (for example), and not the whole database, this is a security issue but not the baddest one...
Also view are often used for that...
And finally don't forget triggers if you want (for example a log table), to disable insert or update or delete on a table, for everybody (except somebody who can destroy trigger of course) :
Use a trigger to stop an insert or update
Besides editing or deleting all data in your database, the root user also have the FILE privilege which gives access to:
LOAD DATA INFILE which can be used to read any file on the server machine.
LOAD DATA LOCAL INFILE which can read files on the client machine (the web server machine).
SELECT ... INTO OUTFILE which can create files on the server machine.
This is why your application should have only the privileges it needs, and this is also the reason your MySQL server daemon should be run as a non-privileged user on the server machine.
See also General Security Issues in the manual.
If everybody/thing is root, you lose auditability, you lose the ability to restrict the app to stop attacks (i.e. your app doesn't need this segment of sensitive information, seal it away from its user). If somebody compromises the app, you can suspend the account etc.
I would not make a user "root".
I'd create a separate username and password just for that application and GRANT it only the permissions required to do its job.
I would create a new user, giving it only the permissions it needs (SELECT, UPDATE, INSERT and DELETE usually do the trick). Like that, you limit the ability for the code to be manipulated in an unintended way.
"root", or generally speaking, users with Super User privileges, can change passwords, delete accounts, and therefore prevent you from accessing your own database.
If you server hosts only one application, then you may not need to create several lesser privileged accounts. However, it is common practice to create at least one user for each application, so that if one application gets compromised, other applications (and underlying data) may not be.
Greeting Everyone
I have a linux box for hosting websites
I wanted to secure some tables from writing and modifying while the others is open for writing
so I came out with an idea to chmod some tables (MYD,MYI,frm) files in /var/lib/mysql/DATABASE
I need to ask if I can do so without breaking mysql database
and which permission I have to add to it?
thanks
As mentioned in my comment, you should use MySQL user accounts for such purpose. You can read more about user accounts at MySQL documentation, however I personally prefer GUI tools for this purpose. My personal favorite is SQLYog which lets you easily define per-table access level for a particular user (and more), especially if you're not familiar with MySQL command line.
The datasource used by my web application connects using the ROOT user. The ROOT user has all privileges assigned.
My concerns are:
1) Should I be using this user (and is it ok / secure) or should I create another user with a more restricted set of rights
2) If I do use another user, how do I cater for all my procs that begin with:
CREATE DEFINER=`root`#`%` PROCEDURE `Blah`()
3) Is it a bad idea removing privileges from the ROOT user. For example, if I remove the "DROP" privilege, will I still be able to DROP objects when logging in via the Admin or Query Browser. MY guess would be no and that I shouldn't mess with the privileges.
Any documentation / links / info regarding this would be appreciated. Thanks
You should absolutely use a restricted user to access the database as much as possible.
There are privileges that allow your users to access procedures. I'm not that familiar with it but here's the official documentation: http://dev.mysql.com/doc/refman/5.0/en/create-procedure.html
Don't mess with root's privileges :)
No, your application should not connect using the root user. You should create and configure a user that has the permissions required by the application and no more.
I usually go with at least three users:
Root can do everything; changing root's permissions is a recipe for disaster (unless you know exactly what you are doing)
The application has its own user, and this user has very restrictive permissions - usually just SELECT, UPDATE, INSERT, DELETE on the tables it needs. In any case, no permissions that would allow schema modifications (CREATE / ALTER TABLE and such).
A special user which can access the application's database, but nothing else. This user is used for maintenance tasks such as schema upgrades, but not for the application itself.
It's a bad idea to use the root user for any task. You can see it like the system-user: only the system should use it, when it needs it, to do everything.
Create a new user and give it only access and priviledges to do what it should do. This is called the principle of least privilege.
In this case, procedures are part of what a certain user, module or part of a program should do in normal circumstances. Hence, the user you create owns (DEFINER) that procedure. You should remove the procedure from the root user and add it to your newly created user. If it's impossible to remove from the root user: then so be it! However:
If a user want to access the procedure, give (GRANT) them access to it. In the case the root user still owns the procedure, any other user still can be granted to use the procedure.
The root user is, as I already mentioned, the system user. If you drop priviledges then any program or user using the root can't do what is expected (being the system-user capable of doing everything), and this cripples your system.
Think about this: how would you add a new database, if you dropped the "ADD DATABASE" privilege from the root user?
I maintain an ms-access application splitted to frontend and backend files.
The frontend file is in the users conputers.
The backend file is in a shared folder in the server.
What is the lowest permissions required?
can I give some of the users only read-only permissions in that folder? (or hide it from them in some other way) but still enable them to view the data?
How should I give the best security to the data file and to the folder containing it?
Unfortunately, the lock file (ldb) must be created, updated and deleted. If a user with insufficient permissions opens the database, it will be locked for all other users, therefore all your users need Read/Write/Delete permissions on the back-end.
EDIT #1
The lock file must be created every time the database is opened, this includes via linked tables, and deleted when the database is closed. If a lock file exits and the database is closed, it indicates a problem has occurred. You will also run into problems with compact and repair if it is run with insufficient permissions.
Edit #2
Security for Access is quite a large subject and depends to a great extent on your environment and requirements, for the back-end, it ranges from a database password, which is tissue thin, but quite suitable for most offices, to Access security, which can be complicated and has been dropped in 2007. Here is a link http://support.microsoft.com/kb/207793 for a download for the Microsoft Access Security FAQ for versions < 2007.
Information on security for 2007 can be found here http://www.microsoft.com/technet/security/guidance/clientsecurity/2007office/default.mspx.
Many have suggested that you must give FULL permissions to users, but this is not true. You need only give them MODIFY permissions -- you can deny them DELETE permission, which is a good idea, as it prohibits the users from "accidentally" deleting your data file.
It is true that for a user with DELETE permissions, the LDB file will be deleted on exit when that user is the last user exiting the database. But it is not required that the LDB file be deleted -- indeed, in Access 2 and before, the LDB files were not deleted on exit, but just left there hanging around. This generally has no downside, but occasionally the LDB file gets corrupted and causes problems and really does need to be deleted and recreated afresh.
What I do is have two classes of database users (as defined in custom NT security groups specific to my Access application(s)) -- DBAdmins and everyone else. The DBAdmins have FULL permissions, everybody else only CHANGE. The result is that any time a DBAdmin exits as the final user, the LDB is deleted. This setup works really well, and I've been using it for well over a decade.
Using a hidden share for your back end is really only "security by obscurity," and not really worth the effort. Sophisticated users can figure it out through any number of methods (depending on how you've locked down your front end):
view the MSysObjects table and find
the CONNECT string for the tables,
which will identify the hidden
share.
examine the results of
CurrentDB.TableDefs("name of linked
table").Connect in the immediate window in
the VBE
Now, if you've properly secured your app using Jet user-level security (and it's very easy to think you've secured your database and find out that there are holes, simply because it's really easy to forget some of the crucial steps in the process), they won't be able to do this, but even if you have, Jet ULS security is crackable (it's pretty easy to Google it and find cracking software), so is not really something you should depend on 100%.
Yes - it resolves down to file access permissions as well as read/write. You can't execute any type of data update stuff (you'll get "operation requires an updateable query") unless the user supplies credentials that allow them to write, or you allow write on the file.
Running a query requires only read access.