Enhancement Suggestion for Security.

on 05.03.2003 07:36:00 by Prashant

Hello,

I am Prashant Gupta from HP, working on ServiceGuard (the clustering product
of HP).
We have come across a security issue while working on scripts for starting
& stopping the MySQL database.

This is NOT a bug, but a possible enhancement request. However, it does give
rise to a security problem.

For starting & stopping the MySQL database, the DB admin user's password is
required (assuming a password is set for the admin user). The MySQL tools ask for the
password when trying to start/stop the database. But providing the admin user's
password in ASCII form in any file (scripts) will jeopardize security. Also,
each time the admin user changes the password, these scripts will have to be
updated.

Also, if the password is provided on the command line, then any command
like "ps -ef" will show the password to other users on the system. This is
another security problem.

Taking Oracle as an example: we can log in to the "oracle" user from the "root"
login (using "su - oracle") & start/stop the database. That is to say, the
"oracle" user is not validated again at the time of starting & stopping
the database.

Currently we are using the MySQL version mentioned below on the Linux 7.3 platform.

+-----------+
| version() |
+-----------+
| 3.23.36   |
+-----------+

Please do let me know if this has been already implemented in any later
version of MySQL.

Thanks & Regards,
Prashant Kumar Gupta,
Senior Software Engg.
Ph: +91-80-2051230


---------------------------------------------------------------------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)

To request this thread, e-mail bugs-thread13902@lists.mysql.com
To unsubscribe, e-mail

Re: Enhancement Suggestion for Security.

on 05.03.2003 08:21:06 by Peter Zaitsev

On Wed, 2003-03-05 at 09:36, Prashant wrote:
> Hello,
>
> I am Prashant Gupta from HP, working on the ServiceGuard (Clustering product
> of HP).
> We have come across a Security issue which working on a scripts for starting
> & stopping the MySQL Database.
>
> This is NOT a Bug, but a possible enhancement request. But, it does give
> rise to security problem.
>
> For starting & stopping the MySQL database, DB Admin user password is
> required (assuming password is set for admin user). MySQL tools asks for the
> password while trying to start/stop the database. But, providing Admin user
> password in ASCII form in any file (Scripts) will jeopardize security. Also,
> each time the Admin user changes its password, this scripts will have to be
> Updated.

Dear Prashant,

Actually, the root password is not needed for starting and stopping the database.
Please take a look at how the mysql.server script included in the distribution works for
details.

In short, I do not understand in which case you can get MySQL to ask for a
password at startup. The trick with shutdown is: you should send a TERM
signal to mysqld (the pid file contains the pid) instead of using mysqladmin
shutdown, which is intended for unprivileged user usage and requires a
password to perform the shutdown action.

>
> Also, if password is provided through the command line then any commands
> like "ps -ef" will show the password to other users on the system. This is
> another security problem.

Have you seen MySQL displaying the password in ps -ef?
The normal behaviour would be to display:

pz 1816 1238 0 10:15 pts/3 00:00:00 mysql -u root -px xxxxxx


As you can see, the password is not displayed.


>
> Taking example of Oracle: We can login to the "oracle" user from the "root"
> login (using "su - oracle" ) & start/stop the database. That is to say that
> the "oracle" user is not again validated at the time of starting & stopping
> the database.

As I wrote before - you do not need to provide password to start/stop
MySQL.

>
> Currently we are using MySQL Version mentioned below on Linux 7.3 platform.
>
> +-----------+
> | version() |
> +-----------+
> | 3.23.36 |
> +-----------+

This is a very old MySQL version. We would really recommend that you upgrade
to MySQL 3.23.55, which has a lot of issues fixed, including some
security-related ones.

In case you are still developing your product, using MySQL 4.0 is
recommended, as it will likely be released as stable in a few weeks.

Please let me know if you still have problems.
Also note that bugs@lists.mysql.com is intended only for repeatable bug
reports. For this sort of message, mysql@lists.mysql.com should be used
instead.


--
MySQL 2003 Users Conf. -> http://www.mysql.com/events/uc2003/
Peter Zaitsev
MySQL AB, Full-Time Developer
Moscow, Russia
www.mysql.com
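The stop procedure Peter describes, written out as a shell routine. This is an added example for this page, not HP's ServiceGuard control script and not MySQL's own mysql.server: it reads the pid from mysqld's pid file, refuses malformed pid files, checks that the pid really belongs to a mysqld before signalling (a stale pid file after a crash can point at an unrelated process that reused the pid), sends SIGTERM and polls until the server has exited. No database credentials are involved, so nothing has to sit in a script or show up in ps. The pid file path, the 60-second timeout and the mysql_ctl.sh name are assumptions; on a 3.23 install the pid file normally lives under the data directory as <hostname>.pid. Starting is simply launching the server as the service user through the distribution's mysql.server wrapper, which likewise needs no password.

```shell
#!/bin/sh
# Added example: password-free mysqld stop by pid file + SIGTERM.
# Not HP's ServiceGuard script and not MySQL's mysql.server.
# Assumptions: POSIX sh, Linux /proc (ps fallback), pid file path given by caller.

# Read and validate the pid from a pid file. Prints the pid on stdout;
# returns 1 if the file is unreadable or does not hold one positive integer,
# so a truncated or tampered pid file is never handed to kill blindly.
read_pidfile() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*|0) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Confirm the pid belongs to a process whose command name is $2 (default
# mysqld). Without this a stale pid file could make the stop script kill
# whatever process has since reused that pid.
pid_is_process() {
    pid=$1; name=${2:-mysqld}
    if [ -r "/proc/$pid/comm" ]; then
        comm=$(cat "/proc/$pid/comm")
    else
        comm=$(ps -p "$pid" -o comm= 2>/dev/null)
    fi
    comm=${comm##*/}          # some ps implementations print a full path
    [ "$comm" = "$name" ]
}

# Graceful stop: SIGTERM, then poll once per second until the process is gone
# or $2 seconds have passed. Returns 0 on a clean stop, 1 on bad input and
# 2 if the process is still alive at the deadline (the caller decides whether
# escalating to SIGKILL is acceptable; for mysqld that risks table damage).
stop_mysqld() {
    pidfile=$1; timeout=${2:-60}; name=${3:-mysqld}
    pid=$(read_pidfile "$pidfile") || { echo "no valid pid in $pidfile" >&2; return 1; }
    pid_is_process "$pid" "$name" || { echo "pid $pid is not $name" >&2; return 1; }
    kill -s TERM "$pid" 2>/dev/null || return 1
    waited=0
    while kill -0 "$pid" 2>/dev/null; do
        [ "$waited" -ge "$timeout" ] && return 2
        sleep 1
        waited=$((waited + 1))
    done
    rm -f "$pidfile"          # mysqld normally removes it itself; tidy up if not
    return 0
}

# Usage as the stop branch of a cluster control script (hypothetical name):
#   sh mysql_ctl.sh stop /var/lib/mysql/$(hostname).pid
if [ "${1:-}" = "stop" ]; then
    stop_mysqld "${2:?pid file path required}" 60
    exit $?
fi
```

The exit code 2 path is deliberate: a clustering product should decide on its own policy for a server that ignores TERM rather than have the helper escalate to KILL silently, because mysqld 3.23 with MyISAM tables can be left with tables needing repair if it is killed mid-write.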



RE: Enhancement Suggestion for Security.

on 05.03.2003 13:51:28 by Prashant

Hi Peter,

Thanks a lot for the valuable information. We have implemented it the way
you suggested.

Also, is there a helpdesk-style forum where we can post our questions in
the future?

Thanks & Regards,
Prashant Kumar Gupta,
HA Team, HP-India.



-----Original Message-----
From: Peter Zaitsev [mailto:peter@mysql.com]
Sent: Wednesday, March 05, 2003 12:51 PM
To: pkgupta@india.hp.com
Cc: bugs@lists.mysql.com; KUMARASAMY,ELANGO (HP-India,ex2);
shylu@india.hp.com
Subject: Re: Enhancement Suggestion for Security.



RE: Enhancement Suggestion for Security.

on 19.03.2003 20:31:32 by Peter Zaitsev

On Wed, 2003-03-05 at 15:51, Prashant wrote:
> Hi Peter,
>
> Thanks a lot for the valuable information. We have implemented the way
> suggested by you.
>
> Also, is there a helpdesk kind of forum where we can post our questions in
> future?
>

The best way to get answers to your questions is MySQL commercial
support. It will provide you with guaranteed replies directly from
MySQL developers. See http://www.mysql.com/support/
for details.

Alternatively, there is the mysql@mysql.lists.mysql.com mailing list,
handled by the MySQL community, where you can ask your questions.
