Security Request: Allow user to change own password

on 24.03.2003 22:10:27 by Shawn

I want to allow a user to change their own password, without having any other
privileges in the mysql database.

It was suggested to use middleware to manage passwords and have a single
database account. This defeats the purpose of letting MySQL manage the users
and permissions. The middleware could be hacked and I'd rather a user only
have their password available in the middleware than a global password.

The only thing an end user should be able to update is their password.
Granting update privileges to a user on the mysql.user table would be just as
bad or worse than the above scenario.

In a generic way this would be a row level privilege addition, but that seems
overly broad. Really just a way to restrict a user to changing only their
password is needed for broader security.

Shawn Garbett


--
MySQL Bugs Mailing List
For list archives: http://lists.mysql.com/bugs
To unsubscribe: http://lists.mysql.com/bugs?unsub=gcdmb-bugs@m.gmane.org

Re: Security Request: Allow user to change own password

on 25.03.2003 13:06:46 by Sinisa Milivojevic

Shawn P. Garbett writes:
> I want to allow a user to change their own password, without having any other
> privileges in the mysql database.
>
> It was suggested to use middleware to manage passwords and have a single
> database account. This defeats the purpose of letting MySQL manage the users
> and permissions. The middleware could be hacked and I'd rather a user only
> have their password available in the middleware than a global password.
>
> The only thing an end user should be able to update is their password.
> Granting update privileges to a user on the mysql.user table would be just as
> bad or worse than the above scenario.
>
> In a generic way this would be a row level privilege addition, but that seems
> overly broad. Really just a way to restrict a user to changing only their
> password is needed for broader security.
>
> Shawn Garbett

Hi!

This feature has existed for quite a long time. When logged in as the user:

SET PASSWORD="password"


Please do note that this list is dedicated to bugs with fully
repeatable test cases.

For questions, feature requests and similar, please write to
mysql@lists.mysql.com.


--
__ ___ ___ ____ __
/ |/ /_ __/ __/ __ \/ / Mr. Sinisa Milivojevic
/ /|_/ / // /\ \/ /_/ / /__ MySQL AB, Fulltime Developer
/_/ /_/\_, /___/\___\_\___/ Larnaca, Cyprus
<___/ www.mysql.com
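
The least-privilege setup discussed in this thread, as an added example that is not part of either message: an account with no privileges on the mysql system database changes its own password and is checked against the grant tables. The account names, schema name and passwords are constructed placeholders, and the statement forms assume MySQL 5.7.6 or later; servers of this thread's era take SET PASSWORD = PASSWORD('...') instead.

```sql
-- Added example. 'appuser', 'otheruser', 'appdb' and all passwords are
-- constructed placeholders. Statement forms assume MySQL 5.7.6 or later.

-- 1. As an administrator: create the account with rights on its own schema
--    only. Nothing is granted on the mysql system database.
CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'Initial-Placeholder-1';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'appuser'@'localhost';

-- 2. In a separate session connected as appuser: confirm which account the
--    session authenticated as and which privileges it holds.
SELECT USER(), CURRENT_USER();
SHOW GRANTS;

-- 3. Still as appuser: change the password of the current account.
--    This works for any non-anonymous account and needs no extra privilege.
SET PASSWORD = 'New-Placeholder-2';
-- Equivalent form for the current account:
ALTER USER USER() IDENTIFIED BY 'New-Placeholder-2';

-- 4. Still as appuser: checks that the account cannot touch anything else in
--    the grant tables. Each statement is expected to be rejected with an
--    access-denied error.
UPDATE mysql.user SET max_questions = 0 WHERE User = 'otheruser';
SET PASSWORD FOR 'otheruser'@'localhost' = 'Another-Placeholder-3';
SELECT User, Host FROM mysql.user;
```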


