This seems to get a +1 for backporting by at least Honza (RH), so I am wondering if we do this in the 5.5 branch too, that is shipping in many distributions.

Begin forwarded message:

From: "Norvald H. Ryeng" <norvald.ryeng@oracle.com>
Subject: [debian-mysql] Backporting the mysql_no_login plugin
Date: 24 October 2014 15:49:34 GMT+8
To: "pkg-mysql-maint@lists.alioth.debian.org" <pkg-mysql-maint@lists.alioth.debian.org>, "Honza Horak" <hhorak@redhat.com>, "Roman Drahtmueller" <draht@suse.de>
Hi package maintainers,
We have a new plugin in MySQL 5.7 that makes it possible to have accounts that can't log in:
CREATE USER foo@localhost IDENTIFIED WITH 'mysql_no_login';
The mysql_no_login plugin simply denies all login attempts. This is useful for users that are created, e.g., to serve as proxy users, or as owners of stored programs/functions, views or events.
This new plugin doesn't fix known security defects in the server, but does provide new and better means to harden security. Best practices for security include application of least-required privileges, and in some cases, that means no client connections for privileged accounts. This new plugin provides means to implement such restrictions in a standard way.
Because of the security benefits, we'd like to discuss backporting it to 5.6. Like you, we don't like big changes to GA releases, but this time we think it has a good use case, it's safe and has a very low risk of regressions:
- Since this is a plugin, it doesn't touch server code
- All new code is in a plugin that must be enabled explicitly by the DBA
- The code itself is very simple. It's only one line of "real" code (unconditionally return authentication failure), plus necessary plugin plumbing to fill out the plugin API.
If we backport this to 5.6, there are multiple ways to avoid it:
- Apply a patch from us to remove the plugin
- Don't build it
- Build it, but don't ship it
- Build and ship it, but don't use it (in any case, the DBA has to enable it and alter the user accounts to use it)
So what do you think about backporting this? The only thing you'll notice is one more file in the plugins directory.
Regards,
Norvald
--
Colin Charles, Chief Evangelist, MariaDB Corporation
blog: http://bytebot.net/blog/ | t: +6-012-204-3201 | Skype: colincharles
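
The stored-program owner use case described in the forwarded message, as an added example that is not part of the original thread and not Oracle's or MariaDB's own code. The schema `sales`, the table `orders`, the accounts `report_owner` and `app`, and the password are hypothetical; the library file name assumes a Linux build of the plugin.

```sql
-- Run as an administrative account in the mysql command-line client
-- (DELIMITER is a client command, not server SQL).

-- The plugin must be enabled explicitly by the DBA.
INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';

-- Constructed sample schema.
CREATE DATABASE IF NOT EXISTS sales;
CREATE TABLE IF NOT EXISTS sales.orders (
  id     INT PRIMARY KEY,
  amount DECIMAL(10,2) NOT NULL
);

-- Owner account: holds the table privilege but can never open a
-- client connection, because the plugin denies every login attempt.
CREATE USER 'report_owner'@'localhost' IDENTIFIED WITH 'mysql_no_login';
GRANT SELECT ON sales.orders TO 'report_owner'@'localhost';

-- The procedure executes with the owner's privileges, not the caller's.
DELIMITER //
CREATE DEFINER = 'report_owner'@'localhost'
PROCEDURE sales.order_total()
SQL SECURITY DEFINER
BEGIN
  SELECT COALESCE(SUM(amount), 0) AS total FROM sales.orders;
END//
DELIMITER ;

-- Application account: may log in, may call the procedure,
-- has no direct privilege on sales.orders.
CREATE USER 'app'@'localhost' IDENTIFIED BY 'placeholder-change-me';
GRANT EXECUTE ON PROCEDURE sales.order_total TO 'app'@'localhost';

-- Audit: list every account that is locked out of client logins.
SELECT user, host, plugin
  FROM mysql.user
 WHERE plugin = 'mysql_no_login';

-- Audit: list stored programs and the account they run as, to spot
-- definers that can still log in interactively.
SELECT r.routine_schema, r.routine_name, r.definer, r.security_type
  FROM information_schema.routines AS r
 WHERE r.security_type = 'DEFINER'
   AND r.routine_schema NOT IN ('mysql', 'sys');
```

Connected as `app`, `CALL sales.order_total();` succeeds while `SELECT * FROM sales.orders;` is refused, and no client can authenticate as `report_owner`.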