
Re: [kDev] MySQL security...



On Tue, 2 Jul 2002 15:50:27 +0100 (BST)
"Daniel Harris" <daniel@xxxxxxxxxxxxx> wrote:

> Hi All,
> 
> Yup, survived Glasto. Now Steve raises good security point about MySQL:
> 
> Kennedy, Steve said:
> > Err, looking at the source php code, I hope your mysql server is
> > protected from the outside world, the passwords are in the source !!!!
> >
> > Steve
> 
> Anybody care to see if you can get into the database from the outside
> world using user/pass from source code. Please don't trash anything tho'.
> If it's not safe what do I need to do?

Roughly speaking, the following should do it:

Put an entry in the user table for the relevant user/pass combination, with
all the privilege columns set to "N", add ones into the db table for each
database that user needs to access, but with "Y" for all the (relevant)
privilege columns. And in both cases, set the host column accordingly, e.g.
to '%.kendra.org.uk', 'localhost'... You may need to add multiple copies of
the above for each host name variant. Then do a "flush privileges" at the
mysql command line, or restart the whole mysql server.

Alternatively, you could just firewall off port 3306 for tcp and udp from
the outside world (using ipchains/iptables, assuming linux is the OS).

If you want (as is only sensible) a multi-layered security architecture, do
both.

Oh, and of course that assumes that the only mysql work that will be done on
the server is coming from the local host, and not people using a remote
mysql client. Otherwise things get more complex.

K.

--
Kev Green, aka Kyrian.   Email: kyrian@xxxxxxx   Web: http://kyrian.ore.org/
  [ Looking for ISP contract work, CV at http://kyrian.ore.org/cv.html ]
               "Be excellent to each other" -- Bill & Ted.
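The grant-table layout Kev describes above (a user row with every global privilege at "N", per-database db rows with "Y" only where needed, one copy per host variant, then a flush), written out as an added example that is not part of the original thread. It assumes a MySQL 3.23/4.0-era mysql.user and mysql.db schema; the user name 'webapp', the database name 'kendra_db' and the password are placeholders.

```sql
-- Constructed example, not from the original post. Assumes the MySQL 3.23/4.0-era
-- grant tables; 'webapp', 'kendra_db' and REPLACE_ME are placeholders.
USE mysql;

-- 1. user table: one row per host variant. Only Host, User and Password are set,
--    so every *_priv column keeps its default of 'N' and the login by itself
--    can do nothing (no FILE, PROCESS, SHUTDOWN, GRANT, etc.).
INSERT INTO user (Host, User, Password)
  VALUES ('localhost',       'webapp', PASSWORD('REPLACE_ME')),
         ('%.kendra.org.uk', 'webapp', PASSWORD('REPLACE_ME'));

-- 2. db table: per-database rows, 'Y' only for what the PHP code actually needs.
--    Create_priv, Drop_priv, Grant_priv, etc. are left at their default 'N'.
INSERT INTO db (Host, Db, User, Select_priv, Insert_priv, Update_priv, Delete_priv)
  VALUES ('localhost',       'kendra_db', 'webapp', 'Y', 'Y', 'Y', 'Y'),
         ('%.kendra.org.uk', 'kendra_db', 'webapp', 'Y', 'Y', 'Y', 'Y');

-- 3. Reload the in-memory copy of the grant tables (the alternative is
--    restarting mysqld). Edits to mysql.* have no effect until this is done.
FLUSH PRIVILEGES;

-- Check: the user rows should read 'N' across the board, and the db rows 'Y'
-- only in the four columns set above.
SELECT Host, User, Select_priv, File_priv, Process_priv, Grant_priv
  FROM user WHERE User = 'webapp';
SELECT Host, Db, User, Select_priv, Insert_priv, Drop_priv, Grant_priv
  FROM db WHERE User = 'webapp';

-- The same result via GRANT, which writes these two tables for you:
-- GRANT USAGE ON *.* TO 'webapp'@'localhost' IDENTIFIED BY 'REPLACE_ME';
-- GRANT SELECT, INSERT, UPDATE, DELETE ON kendra_db.* TO 'webapp'@'localhost';
```

Because the password still sits in the PHP source, this only limits what a leaked credential can do; the firewall on 3306 that Kev mentions is the layer that stops it being usable from outside at all.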