[Maria-developers] Fwd: [debian-mysql] Backporting the mysql_no_login plugin
This seems to get a +1 for backporting by at least Honza (RH), so I am wondering if we do this in the 5.5 branch too, that is shipping in many distributions. Begin forwarded message:
From: "Norvald H. Ryeng" <norvald.ryeng@oracle.com> Subject: [debian-mysql] Backporting the mysql_no_login plugin Date: 24 October 2014 15:49:34 GMT+8 To: "pkg-mysql-maint@lists.alioth.debian.org" <pkg-mysql-maint@lists.alioth.debian.org>, "Honza Horak" <hhorak@redhat.com>, "Roman Drahtmueller" <draht@suse.de>
Hi package maintainers,
We have a new plugin in MySQL 5.7 that makes it possible to have accounts that can't log in:
CREATE USER foo@localhost IDENTIFIED WITH 'mysql_no_login';
The mysql_no_login plugin simply denies all login attempts. This is useful for users that are created, e.g., to serve as proxy users, or as owners of stored programs/functions, views or events.
This new plugin doesn't fix known security defects in the server, but does provide new and better means to harden security. Best practices for security include application of least-required privileges, and in some cases, that means no client connections for privileged accounts. This new plugin provides means to implement such restrictions in a standard way.
Because of the security benefits, we'd like to discuss backporting it to 5.6. Like you, we don't like big changes to GA releases, but this time we think it has a good use case, it's safe and has a very low risk of regressions:
- Since this is a plugin, it doesn't touch server code - All new code is in a plugin that must be enabled explicitly by the DBA - The code itself is very simple. It's only one line of "real" code (unconditionally return authentication failure), plus necessary plugin plumbing to fill out the plugin API.
If we backport this to 5.6, there are multiple ways to avoid it:
- Apply a patch from us to remove the plugin - Don't build it - Build it, but don't ship it - Build and ship it, but don't use it (in any case, the DBA has to enable it and alter the user accounts to use it)
So what do you think about backporting this? The only thing you'll notice is one more file in the plugins directory.
Regards,
Norvald
_______________________________________________ pkg-mysql-maint mailing list pkg-mysql-maint@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mysql-maint
-- Colin Charles, Chief Evangelist, MariaDB Corporation blog: http://bytebot.net/blog/| t: +6-012-204-3201 | Skype: colincharles
Hi, Colin! On Oct 25, Colin Charles wrote:
This seems to get a +1 for backporting by at least Honza (RH), so I am wondering if we do this in the 5.5 branch too, that is shipping in many distributions.
Sure, that's trivial. I can write it in, like, 10 minutes. But why would anyone need it? There are easier ways of disabling accounts. For example, setting an impossible password: CREATE USER no_login@localhost IDENTIFIED BY PASSWORD '* PROXY ACCOUNT! NO LOGINS ARE ALLOWED! *'; That's not strictly impossible (MySQL and MariaDB will treat it as a valid hash), but practically it's as impossible as our password hashing scheme it (and if our password hashing scheme is reversible, then proxy accounts will be the least of any DBA concerns).
The mysql_no_login plugin simply denies all login attempts. This is useful for users that are created, e.g., to serve as proxy users, or as owners of stored programs/functions, views or events.
Regards, Sergei
participants (2)
-
Colin Charles -
Sergei Golubchik