My sql Security
on 28.04.2010 10:28:21 by Vikram A
Hi all,
I have some security issues. I would like to have your suggestions/solutions.
I have Windows Server 2003 with MySQL 5.1.45. We have a client/server application that allows a multi-login system with various people.
I am getting the user name and password for the database login when they try to log in [which is for the application]. Using the DB user name and password, people who know MySQL are opening the DB using some GUI tools. How can this be avoided? It is a major issue right now in my workplace.
Please, can anyone help me?
Thank you
VIKRAM A
Re: My sql Security
on 28.04.2010 10:40:45 by Johan De Meersman
I'm afraid you can't discern between clients and applications on the MySQL
level. Your application authentication should be separate from the MySQL
one.
--
Beer with grenadine
Is like mustard with wine
She who drinks it is a prude
He who drinks it is soon a donkey
Re: My sql Security
on 28.04.2010 12:09:23 by nwood
1.) Use MySQL connection limits to restrict the ways a client may impact
performance. In the longer term look to limit table access with stored
procedures or (when efficient) views.
2.) Restrict the database usernames/passwords by IP address and/or SSL
client certificates and restrict access to the authorised client
machines from the people causing a problem.
3.) If the clients and their credentials can't be restricted from the
problem group, use MySQL proxy or its equivalent to filter exactly which
queries may be applied so that only the actions already taken by the
application may be performed by people using its login credentials.
4.) If the problem is being caused by people on the authorised clients
performing reasonable actions for those clients, then your problem can't
be solved technically aside from by separating the application
authentication credentials from the MySQL ones, or by scaling to allow
the clients' usage levels.
Like Johan De Meersman I think the real problem you have is probably
that the application uses MySQL access credentials as end-user
credentials. Per-application-user database users are unusual in my
industry. If you need per-user access right granularity in database
access it should still be disconnected from application login
credentials. I'd probably do:

field    | application                     | mysql
=========+=================================+=====================================
username | current username                | current username
password | current password stored as hash | unique password stored encrypted by
         |                                 | hash of (current password + salt)
In this way only an application working on the user's behalf to which
the user had submitted their password would be able to obtain their
unique database password but wouldn't need to store the plaintext
password in the user's session.
HTH
Nigel
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=gcdmg-mysql-2@m.gmane.org
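Nigel's scheme above, as an added worked example in Python (it is not code from the thread or from MySQL): the application keeps a verifier of the login password plus the user's unique MySQL password wrapped under keys derived from that login password and a salt, so the DB password can only be recovered by an application the user has just authenticated to, and the plaintext login password never needs to sit in the session. It uses only the standard library, so the wrapping is an HMAC-based stream cipher with encrypt-then-MAC; an AEAD such as AES-GCM from a crypto library is the production choice. The names `enroll`, `login` and `change_login_password` and the iteration count are my own assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune for your hardware


def _derive(password: str, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """Stretch the login password once, then split it into three independent
    keys: a stored verifier, a wrapping key and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    sub = lambda label: hmac.new(master, label, hashlib.sha256).digest()
    return sub(b"verify"), sub(b"wrap"), sub(b"mac")


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stdlib-only stand-in for a cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def enroll(login_password: str, db_password: str) -> Dict[str, bytes]:
    """Build the application-side record: verifier + wrapped MySQL password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    verifier, wrap_key, mac_key = _derive(login_password, salt)
    pt = db_password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(wrap_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "verifier": verifier, "ct": ct, "tag": tag}


def login(record: Dict[str, bytes], login_password: str) -> Optional[str]:
    """Return the user's MySQL password if the login password is right and the
    record is intact, else None. Only the result needs to live in the session."""
    verifier, wrap_key, mac_key = _derive(login_password, record["salt"])
    if not hmac.compare_digest(verifier, record["verifier"]):
        return None
    expected = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # stored record was altered; refuse to unwrap
    ks = _keystream(wrap_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()


def change_login_password(record: Dict[str, bytes], old: str, new: str) -> Optional[Dict[str, bytes]]:
    """Re-wrap the same MySQL password under a new login password; the DB-side
    credential itself does not change."""
    db_password = login(record, old)
    return None if db_password is None else enroll(new, db_password)


def new_db_password() -> str:
    """Random per-user MySQL password the user never sees (used at enrolment)."""
    return secrets.token_urlsafe(24)
```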
Re: My sql Security
on 28.04.2010 13:27:16 by Vikram A
Sir,
We dropped the idea of getting the DB user name and password during the login, because we have more than 1000 users and we cannot give out the user name and the password.
We will set the connection details in encrypted format in some config file, so that the user name and the password will not be given to the user.
Earlier, we planned to maintain the audit information [who made the change, when it was made, what kind of change, and so on]; for this purpose only we had given individual user names and passwords.
Now we will remove the DB login part. Is there any other way to block DB connections from other GUI/connecting tools even though they have been given access to the DB?
Thank you for the information.
Vikram
Re: My sql Security
on 28.04.2010 18:25:38 by Johan De Meersman
Rip out the DB authentication part, and store those credentials in-code, in
some config file or the registry, or some remote mechanism like LDAP.
If your users need to access multiple servers, just give them an option for
each server, but don't let them enter DB credentials themselves.
Users are not to be trusted with direct data access; they're way too devious
for their own good :-)
On Wed, Apr 28, 2010 at 11:05 AM, Vikram A wrote:
> Sir,
> Yes; as per your mail, I understood that the authentication must be
> separated for both the app and the DB.
> Let me send my login authentication screen; I request you to guide me on how I can
> handle this.
>
> Thank you
>
> Vikram
Re: My sql Security
on 28.04.2010 19:19:52 by Vikram A
Sir,
I will drop the authentication part. If stored in the code, the DB password is subject to change when needed, and in this case I cannot change my part of the code. So I will go for the config file for the credentials.
Thank you for the solutions/suggestions.
Vikram