I accessed the .ibd file from the MySQL data store, even though the database is password protected.
So if we can access a MySQL database using the .ibd and .frm files without a password, then what's the use of the database password?
It is important to consider that if you have physical access to the file system then all bets are off. There will always be some piece of 3rd party software etc. that will unscramble some database file.
The point of a MySQL password is to allow access through the allowed pathways to the MySQL server.
To put that in context, a normal user or administrator of a website that is powered by PHP and MySQL would never see or have access to the physical database files. The password level access set up in PHP and MySQL would only allow the application (PHP) to access what is required.
Securing the database files themselves should be done at the operating system level, granting the level of user access you require.
Related
My question is whether the password-protected server and database can be protected from copying so that my malicious customers to bypass security settings.
MySQL server has:
user -> 'root' with password with disable global privilege
user -> 'javaAPP' with password with limited privilege only for working database and disable global privilege
user -> 'superadmin' with global privilege
When I try the mysqldump command, it requires a password and allows the action only for user 'superadmin'.
When I copy the folder '\data' with the existing working database folder and all files to another computer, all user settings, permissions and passwords are transferred to the new server. So it looks OK.
When I copy only the database folder '\data\javaAPPdatabase' to another computer ... I see the tables empty .. no fields. I guess this is due to missing user rules.
So ... what more do I need to do to protect against unauthorized access to the database?
I am trying to protect my java application through the database
Please help me!?
MySQL server is located in client network on client PC.
I recognize my knowledge in mysql is reduced to working functions, triggers and procedures.
MySQL server is located in client network on client PC.
Then it's theirs. They have complete access to it. There's no way to prevent them from reading all the data anytime they want.
Even if you restrict access with passwords, they can restart the MySQL service with the skip-grant-tables option enabled, so passwords are not enforced (see https://dev.mysql.com/doc/refman/5.7/en/resetting-permissions.html).
The only way you can limit access to the data is NOT to install the database at the client site. Host the data yourself, and provide an API to access it through a web service you host.
So we got an old program, from about 2006-2007.
That program uses a very large database.
The database is separated into 3 files:
(file extensions were renamed.)
1 of 1,061,758,976 bytes
1 of 1,062,225,920 bytes
and 1 of 423,604,224 bytes
(total about 2.4 GB).
What we want to do is get rid of that program and write our own, using the same database.
The only problem is that we don't know anything about those files. Rumors say that those files are Access files - but we don't know how to confirm that.
Also, the goal is to put this whole database into a mySQL database - which is another challenge.
Summarizing:
Determine database type
Converting to mySQL.
Any help will be much appreciated.
EDIT: File header:
Determine database type
The screenshot cited in the comments to the question indicates that the file is an Access .mdb database file. Access database files contain the following 15-character strings starting at byte offset 4:
Standard Jet DB ...for an .mdb file
Standard ACE DB ...for an .accdb file
Converting to mySQL.
The most straightforward way would be to install the MySQL ODBC driver, create an ODBC DSN to the target MySQL server, then open the .mdb file in Access and export the tables to MySQL via ODBC.
Exporting Access Data to MySQL
edit re: "You do not have the necessary permissions..." error
It appears that the database file was encrypted using the "User-Level Security" feature that Access offered for older .mdb files. If so, then to open the file you will need:
The associated Workgroup Security file (often called "Security.mdw", but may have a different name)
Login credentials (username and password) for a user that was created in that Workgroup file.
If you have both of those prerequisites then you should be able to open the file using something like the following from the command-line:
MSACCESS.EXE "C:\Users\Public\uls\db1.mdb" /WRKGRP "C:\Users\Public\uls\Security.mdw"
Search around to see if you can find the associated .mdw file (possibly renamed). Note that if you find a file named System.mdw under %SystemRoot% or %APPDATA% it may not be the one you need. (Access creates a default Workgroup file for normal unprotected databases.) The file you are looking for should have a similar 15-character string starting at byte offset 4:
Jet System DB ...for an .mdw file (note that there are two trailing spaces to make 15 characters)
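An added example, not part of the original answer: a small Python scanner that applies the offset-4 signature check described above to every file under a directory, so renamed .mdb, .accdb and .mdw files are found regardless of extension. The sample files it writes are constructed placeholders, not real databases, and the function names are illustrative.

```python
import os
import tempfile

# Signatures quoted in the answer: 15 bytes starting at byte offset 4.
SIG_OFFSET, SIG_LEN = 4, 15
SIGNATURES = {
    b"Standard Jet DB": "Access .mdb database",
    b"Standard ACE DB": "Access .accdb database",
    b"Jet System DB  ": "Access workgroup file (.mdw)",  # two trailing spaces
}


def identify(path):
    """Return the file type named by the header signature, or None."""
    with open(path, "rb") as fh:
        header = fh.read(SIG_OFFSET + SIG_LEN)
    # Short or empty files simply fail the lookup.
    return SIGNATURES.get(header[SIG_OFFSET:SIG_OFFSET + SIG_LEN])


def scan(root):
    """Map each matching file under root to its type, ignoring extensions."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                kind = identify(full)
            except OSError:
                continue  # unreadable: skip rather than abort the scan
            if kind:
                hits[os.path.relpath(full, root)] = kind
    return hits


def make_samples():
    """Write constructed sample files (not real databases) to a temp dir."""
    root = tempfile.mkdtemp()
    samples = {
        "part1.dat": b"\x00\x01\x00\x00Standard Jet DB\x00" + bytes(64),
        "new.bin": b"\x00\x01\x00\x00Standard ACE DB\x00" + bytes(64),
        os.path.join("cfg", "renamed.sys"): b"\x00\x01\x00\x00Jet System DB  \x00",
        "notes.txt": b"Standard Jet DB appears here but not at offset 4",
        "tiny.bin": b"\x00\x01",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, kind in sorted(scan(make_samples()).items()):
        print(f"{path}: {kind}")
```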
I want to use MySQLDump to backup the db on a weekly basis using a cron job.
I don't want to hardcode the credentials in the shell script.
The MySQL db version is 5.1, so mysql-config-editor is not available.
I am aware of the options file, which I can secure using linux file permissions of 600.
Is there a way to encrypt the credentials and make them unreadable?
Is there a way to encrypt the credentials and make them unreadable?
Ask yourself who do you want to protect the file from and why is encryption going to help besides normal file permissions.
If you are going to encrypt the file containing the password, you have to make sure that the legitimate backup process has access to the encryption keys so it can read the password from the file. Then you have to make sure all the other processes don't have access to those keys.
Since this further complicates things, this increases the risk of a leak without adding much security on top of the basic file system security model. So I would recommend to stick with the right ownership and file permissions on the .my.cnf file.
Further reading: http://benlog.com/articles/2012/04/30/encryption-is-not-gravy/
I personally run mysqldump daily as root via cron. In order to break this an attacker needs to break basic file system privileges before it can access /root/.my.cnf (mode is 600 and owned by root). If an attacker is able to do that, he probably can directly access the database files as well so an encrypted password file wouldn't have helped here.
You can also set up a dedicated system user for the sole purpose of running mysqldump as long as the mode on ~/.my.cnf is 600 and the ownership is set to that system user.
P.S. This is the mysql backup script I run daily on my machines:
https://gist.github.com/timkuijsten/6067107
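An added example, not the answerer's script: a pre-flight check a backup job could run on its option file before calling mysqldump, confirming the mode and ownership the answer recommends and reporting which sections hold a password when they are wrong. The sample file contents (`user=backup`, `password=example-only`) and the function names are constructed for illustration; option files with directives before the first `[section]` are not parsed.

```python
import configparser
import os
import stat
import tempfile


def stored_passwords(path):
    """Return the option-file sections that contain a password entry."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    try:
        cp.read(path)
    except configparser.Error:
        return []  # e.g. directives before any [section]; not parsed here
    return [s for s in cp.sections() if cp.has_option(s, "password")]


def audit_option_file(path, expected_uid):
    """Return findings; empty means no group/other access and expected owner."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink; checking its target")
        st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:03o} lets group/other in; want 600")
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    sections = stored_passwords(path)
    if findings and sections:
        findings.append("password at risk in: " + ", ".join(sections))
    return findings


def make_sample(mode):
    """Write a constructed option file (sample values) with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".cnf")
    with os.fdopen(fd, "w") as fh:
        fh.write("[mysqldump]\nuser=backup\npassword=example-only\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        sample = make_sample(mode)
        print(oct(mode), audit_option_file(sample, os.getuid()) or "OK")
```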
The latest version of MySQL 5.6 addresses this problem.
You can now encrypt the password for a command line login using mysql_config_editor.
I own a machine running third party software. I input data into this software and it stores that data into its own MySQL database. I'd like to query the MySQL database directly, but I don't know the credentials that the application is using.
I have read and write access for all files in the machine, including the files in the mysql data directory. Theoretically, I should be able to read the data directly from these files (.ibd and .frm files). But practically, I don't know where to start. I'm thinking that these data files are somewhat readable since encrypting them would destroy their index-ability.
Is this feasible? Or would I have to reverse engineer the data file format in order to read it?
Or even better - is there some config file that I can change which would implicitly trust all local connections similar to postgres?
You could read the MySQL files directly, but even if they're now encrypted, the column names might be weird and you could have to spend some time reading them.
Another point could be looking for config files from that software, that could have the login/password (very very low probability, but who knows?)
And the best would be:
make a backup of the mysql files
in another MySQL installation / computer (to not break your software), follow the reset MySQL password guide
Try accessing it via the command line on the local machine:
shell> mysql db_name
(from MySQL documentation)
From here, you can create yourself an account if you need to connect from other client software.
Or have you already tried that?
If you have root access to the machine that MySQL is running on, then you can reset the MySQL root password by following the procedure at: http://www.cyberciti.biz/tips/recover-mysql-root-password.html. Once you've reset the root password, you can then login to MySQL as the root MySQL user, and access any of the databases, and query them. The only caveat to keep in mind is that changing the MySQL root password could potentially prevent your application from accessing the MySQL database, but that would be surprising as the application should be designed to connect to the database using a MySQL user account (with limited privileges) other than the root MySQL user.
Is it possible for MySQL to encrypt its stored files (database schema & data on disk) in a way that someone would not be able to copy these files to another machine and read them using his own installed MySQL root user?
If not, is there a DBMS that is able to protect database stored files on disk by encryption?
Unfortunately, MySQL doesn't support data file encryption natively.
However, there are 3rd party products out there like:
http://www.vormetric.com/products/vormetric_database_encryption_expert.html
To be honest, if the database content has any commercial value or contains personal data about individuals, you should really control who has access to the datafiles (whether encrypted or not).
To use the windows EFS encryption:
http://windows.microsoft.com/en-us/windows/encrypt-decrypt-folder-file#1TC=windows-7
Read more about it:
http://www.petri.co.il/how_does_efs_work.htm#
!!! Don't forget to export the certificate !!!
If you are using windows EFS and starting MySQL as a service, you will need to do the following:
go to Services and find the MySQL service
stop the service
right-click -> Properties -> Log On tab
check "This account"
fill your windows account name eg. ".\username"
provide your password
start the service
The MySQL service should now start without errors.