Hi, Marc,

On Aug 02, Marc wrote:
>> If the server delays enforcing max_connections (that is, the server will not reject connections above max_connections at once), then this user in the above scenario will open all possible connections your OS can handle and the computer will become completely inaccessible.
>
> The idea behind this change is to have a more useful and expected implementation of max_user_connections and max_connections. Currently I am using max_connections not for what it is supposed to be used for, just because max_user_connections is not doing as much as it 'should'.
>
> Hi Sergei,
>
> Is this something you are going to look into? I am also curious about this delay between the first packet and the packet with the username. I can't imagine that being such a problem; to me this looks feasible currently.

I'm afraid I don't understand your use case. There are, basically, three limits now: max_user_connections, max_connections, and the OS limit.

An ordinary user would connect many times, hit max_user_connections and stop. Or would keep connecting and get disconnects because of max_user_connections.

A malicious user would connect and wouldn't authenticate; this will exhaust max_connections and nobody will be able to connect to the server anymore. max_user_connections won't help here.

After your suggestion of a delayed max_connections check: an ordinary user would still connect max_user_connections times, nothing would change for him. A malicious user, not stopped by max_connections anymore, would completely exhaust the OS's capability for opening new connections, making the whole OS inaccessible.

That's what I mean: I don't understand your use case. It doesn't change much if all users behave, and it makes the situation much worse if a user is malicious. So, in what use case would your change be an improvement?

Regards,
Sergei
Chief Architect, MariaDB Server
and security@mariadb.org
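The three limits Sergei describes, and the difference between checking max_connections at accept time versus only after the login packet arrives, can be modelled as a small admission-control simulation. The following is an added illustration written for this page, not MariaDB server code; the limit values, the `os_limit` socket budget, the "app" account name and the client behaviours are all constructed assumptions. It runs a client that never authenticates against both policies and reports who is still able to connect afterwards.

```python
"""Admission-control model: max_user_connections, max_connections and an OS socket
limit, with max_connections enforced either at accept() (current behaviour) or only
once the username is known (the delayed check discussed in the thread).
Constructed example; not the MariaDB implementation."""

from dataclasses import dataclass, field


@dataclass
class Limits:
    max_user_connections: int   # per-account cap, can only be checked once the account is known
    max_connections: int        # server-wide cap on client connections
    os_limit: int               # assumed host-wide socket budget (ulimit -n style)


@dataclass
class Server:
    limits: Limits
    delay_max_connections_check: bool
    unauthenticated: int = 0                      # accepted, login packet not yet seen
    per_user: dict = field(default_factory=dict)  # account -> authenticated sessions

    @property
    def sockets_in_use(self) -> int:
        return self.unauthenticated + sum(self.per_user.values())

    def accept(self) -> bool:
        """TCP accept(). No username yet, so only global limits can be applied here."""
        if self.sockets_in_use >= self.limits.os_limit:
            return False   # the OS refuses the socket; every process on the host is affected
        if (not self.delay_max_connections_check
                and self.sockets_in_use >= self.limits.max_connections):
            return False   # current behaviour: rejected at once with "Too many connections"
        self.unauthenticated += 1
        return True

    def authenticate(self, user: str) -> bool:
        """Login packet arrives; now both the global and the per-user limit can be checked."""
        self.unauthenticated -= 1   # the connection either becomes a session or is closed
        if (self.delay_max_connections_check
                and self.sockets_in_use >= self.limits.max_connections):
            return False
        if self.per_user.get(user, 0) >= self.limits.max_user_connections:
            return False
        self.per_user[user] = self.per_user.get(user, 0) + 1
        return True


def attacker_scenario(delayed: bool, limits: Limits, attempts: int) -> dict:
    """A client opens connections and never sends a login packet, then a normal user tries."""
    s = Server(limits, delayed)
    held = sum(1 for _ in range(attempts) if s.accept())
    ordinary = s.accept() and s.authenticate("app")   # "app" is an assumed account name
    return {
        "attacker_holds": held,
        "ordinary_user_can_connect": bool(ordinary),
        "host_sockets_left": limits.os_limit - s.sockets_in_use,
    }


def ordinary_scenario(delayed: bool, limits: Limits, attempts: int) -> int:
    """A well-behaved account keeps connecting; it is capped by max_user_connections."""
    s = Server(limits, delayed)
    return sum(1 for _ in range(attempts) if s.accept() and s.authenticate("app"))


LIMITS = Limits(max_user_connections=5, max_connections=100, os_limit=1000)  # assumed values

if __name__ == "__main__":
    for delayed in (False, True):
        print("delayed check:", delayed,
              "ordinary user sessions:", ordinary_scenario(delayed, LIMITS, 50),
              "attacker:", attacker_scenario(delayed, LIMITS, 5000))
```

With the immediate check the attacker is stopped at max_connections and the database alone is unreachable; with the delayed check the same attacker is stopped only by the OS limit, so the host has no sockets left for anything else, while the well-behaved account ends up with the same five sessions under both policies.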