[Maria-developers] Fwd: [debian-mysql] Backporting the mysql_no_login plugin

24 Oct 2014


      This seems to get a +1 for backporting by at least Honza (RH), so I am wondering if we do this in the 5.5 branch too, that is shipping in many distributions. 

Begin forwarded message:
...
From: "Norvald H. Ryeng" 
Subject: [debian-mysql] Backporting the mysql_no_login plugin
Date: 24 October 2014 15:49:34 GMT+8
To: "pkg-mysql-maint@lists.alioth.debian.org" , "Honza Horak" , "Roman Drahtmueller" 
Hi package maintainers,
We have a new plugin in MySQL 5.7 that makes it possible to have
accounts that can't log in:
CREATE USER foo@localhost IDENTIFIED WITH 'mysql_no_login';
The mysql_no_login plugin simply denies all login attempts. This is
useful for users that are created, e.g., to serve as proxy users, or
as owners of stored programs/functions, views or events.
This new plugin doesn't fix known security defects in the server, but
does provide new and better means to harden security. Best practices
for security include application of least-required privileges, and in
some cases, that means no client connections for privileged
accounts. This new plugin provides means to implement such
restrictions in a standard way.
Because of the security benefits, we'd like to discuss backporting it
to 5.6. Like you, we don't like big changes to GA releases, but this
time we think it has a good use case, it's safe and has a very low
risk of regressions:
- Since this is a plugin, it doesn't touch server code
- All new code is in a plugin that must be enabled explicitly by the
  DBA
- The code itself is very simple. It's only one line of "real" code
  (unconditionally return authentication failure), plus necessary
  plugin plumbing to fill out the plugin API.
If we backport this to 5.6, there are multiple ways to avoid it:
- Apply a patch from us to remove the plugin
- Don't build it
- Build it, but don't ship it
- Build and ship it, but don't use it (in any case, the DBA has to
  enable it and alter the user accounts to use it)
So what do you think about backporting this? The only thing you'll
notice is one more file in the plugins directory.
Regards,
Norvald
_______________________________________________
pkg-mysql-maint mailing list
pkg-mysql-maint@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mysql-maint
--
Colin Charles, Chief Evangelist, MariaDB Corporation
blog: http://bytebot.net/blog/| t: +6-012-204-3201 | Skype: colincharles

Colin Charles

Sergei Golubchik

tags

participants (2)