← Back to team overview

maria-developers team mailing list archive

Re: Fwd: [debian-mysql] Backporting the mysql_no_login plugin

 

Hi, Colin!

On Oct 25, Colin Charles wrote:
> This seems to get a +1 for backporting by at least Honza (RH), so I am
> wondering if we do this in the 5.5 branch too, that is shipping in
> many distributions. 

Sure, that's trivial. I can write it in, like, 10 minutes.

But why would anyone need it? There are easier ways of disabling
accounts. For example, setting an impossible password:

  CREATE USER no_login@localhost IDENTIFIED BY PASSWORD '* PROXY ACCOUNT! NO LOGINS ARE ALLOWED! *';

That's not strictly impossible (MySQL and MariaDB will treat it as a
valid hash), but practically it's as impossible as our password hashing
scheme it (and if our password hashing scheme is reversible, then proxy
accounts will be the least of any DBA concerns).

> > The mysql_no_login plugin simply denies all login attempts. This is
> > useful for users that are created, e.g., to serve as proxy users, or
> > as owners of stored programs/functions, views or events.

Regards,
Sergei



References