maria-developers team mailing list archive
Message #07834
Fwd: [debian-mysql] Backporting the mysql_no_login plugin
This seems to get a +1 for backporting by at least Honza (RH), so I am wondering if we do this in the 5.5 branch too, which is shipping in many distributions.
Begin forwarded message:
> From: "Norvald H. Ryeng" <norvald.ryeng@xxxxxxxxxx>
> Subject: [debian-mysql] Backporting the mysql_no_login plugin
> Date: 24 October 2014 15:49:34 GMT+8
> To: "pkg-mysql-maint@xxxxxxxxxxxxxxxxxxxxxxx" <pkg-mysql-maint@xxxxxxxxxxxxxxxxxxxxxxx>, "Honza Horak" <hhorak@xxxxxxxxxx>, "Roman Drahtmueller" <draht@xxxxxxx>
>
> Hi package maintainers,
>
> We have a new plugin in MySQL 5.7 that makes it possible to have
> accounts that can't log in:
>
> CREATE USER foo@localhost IDENTIFIED WITH 'mysql_no_login';
>
> The mysql_no_login plugin simply denies all login attempts. This is
> useful for users that are created, e.g., to serve as proxy users, or
> as owners of stored programs/functions, views or events.
>
> This new plugin doesn't fix known security defects in the server, but
> does provide new and better means to harden security. Best practices
> for security include application of least-required privileges, and in
> some cases, that means no client connections for privileged
> accounts. This new plugin provides means to implement such
> restrictions in a standard way.
>
> Because of the security benefits, we'd like to discuss backporting it
> to 5.6. Like you, we don't like big changes to GA releases, but this
> time we think it has a good use case, it's safe and has a very low
> risk of regressions:
>
> - Since this is a plugin, it doesn't touch server code
> - All new code is in a plugin that must be enabled explicitly by the
> DBA
> - The code itself is very simple. It's only one line of "real" code
> (unconditionally return authentication failure), plus necessary
> plugin plumbing to fill out the plugin API.
>
> If we backport this to 5.6, there are multiple ways to avoid it:
>
> - Apply a patch from us to remove the plugin
> - Don't build it
> - Build it, but don't ship it
> - Build and ship it, but don't use it (in any case, the DBA has to
> enable it and alter the user accounts to use it)
>
> So what do you think about backporting this? The only thing you'll
> notice is one more file in the plugins directory.
>
> Regards,
>
> Norvald
>
> _______________________________________________
> pkg-mysql-maint mailing list
> pkg-mysql-maint@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mysql-maint
--
Colin Charles, Chief Evangelist, MariaDB Corporation
blog: http://bytebot.net/blog/ | t: +6-012-204-3201 | Skype: colincharles
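As an added illustration of the use case the forwarded message describes (this is not code from the thread or from the MySQL project), the following SQL loads the plugin, creates a no-login account, and uses that account as the DEFINER of a view so that application users never touch the base table. The database `hr`, the table `salaries`, the account names and the library file name `mysql_no_login.so` are assumptions.

```sql
-- Added example; assumes MySQL 5.7 (or a backport that ships the plugin)
-- and that the plugin library is installed as mysql_no_login.so.

-- 1. Load the plugin. Nothing changes until the DBA does this explicitly.
INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';

-- 2. Create an account that can never authenticate. Its only purpose is
--    to own (be the DEFINER of) privileged stored objects.
CREATE USER 'app_owner'@'localhost' IDENTIFIED WITH 'mysql_no_login';
GRANT SELECT ON hr.salaries TO 'app_owner'@'localhost';

-- 3. A view that executes with app_owner's privileges and exposes only
--    the columns callers are allowed to see (assumed schema).
CREATE DEFINER = 'app_owner'@'localhost' SQL SECURITY DEFINER
  VIEW hr.public_salary_bands AS
  SELECT employee_id, salary_band FROM hr.salaries;

-- 4. The application account gets the view only, never the base table,
--    and the owning account has no login path at all.
CREATE USER 'app'@'%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT SELECT ON hr.public_salary_bands TO 'app'@'%';

-- 5. Check which accounts are locked out by the plugin.
SELECT user, host, plugin
  FROM mysql.user
 WHERE plugin = 'mysql_no_login';
```

Any client connection attempt as `app_owner`, with or without a password, is denied by the plugin, while the view keeps working for `app` because the DEFINER's privileges are applied server-side without a login.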