Contributed by jose on from the secure-data dept.
"I installed the mysql-server-3.23.55 package on a standard install of 3.2. I followed the post install instructions from the local shell but I kept getting access denied errors. They either claimed that the root user didn't have access to the db or that the localhost was not authorized.
I have to admit, running databases securely isn't something we talk about much here. I was looking to post this article from SecurityFocus in the coming few days, so now is as good a time as any. Anyone have any good recipes for securing their databases they wish to share?
I know that I probably have missed something stupid but my concern is as follows: when I access the mysql server module from webmin as root (yeah I know that's not a good idea but this is a test machine), I get right in and can administer anything. The point being that I have full access to mysql from a remote computer through webmin using the same credentials that get denied at the local shell.
That doesn't seem good to me. How can I possibly have more access from a remote computer?
Anyway, if anyone has any thoughts on what could cause the root user/localhost denied problems, they would be much appreciated:
Thanks in advance :-)"
- release version of 3.2
- release version of mysql 3.23.55 package
- hosts file has both localhost and hostname
- able to set password on root user and authorize ALL incoming hosts from webmin
- able to start mysqld but unable to access any db functions, including the admin program from the local machine
By Michael Anuzis () on
Yea it may seem funny to allow full access for root from some remote location and not allow it from the localhost, and I would agree, but that's apparently how it was set up and it *is* do-able.
See: http://www.mysql.com/documentation/mysql/bychapter/manual_MySQL_Database_Administration.html#Default_privileges
Setting up the initial MySQL privileges. You also may be interested in the topic directly below it, "Adding New Users to MySQL" as you can see in the syntax there it explicitly shows how you allow from *only* remote locations, or only localhost, etc.
--Michael
Comments
By dawg () on
the mysql documentation basically says that the permissions are wide open initially after install which is why the first thing you do is reset the root password etc. But if the system refuses to allow a connection from the local host, I can't get to the >mysql prompt to make any changes to the privilege table.
The fact that the initial privileges for the db server are quite liberal and I still can't access the server at the local computer leads me to believe there is some obsd setting that is preventing such action.
By dawg () on
-root
-all access
-all tables
-from any host
Now when I go to the local computer, I can access the >mysql prompt using:
mysql -u root -p
and I can see the DBs
But when I use the -h option and specify either localhost or the computer's actual hostname, I get denied access????
btw, I have reinstalled obsd and mysql from scratch and have the same issue.
So now, I can access the db server if I simply specify the user but as soon as I specify any host info, I get the hand.
Comments
By Anonymous Coward () on
"host localhost" and "host 127.1" and same way for every connection you want to make
By Nick () on
By jtorin () on
(postscript)
From the abstract:
FiLDB: An Architecture for Securely Connecting Databases to the Internet
Today more and more Information systems exist and they contain more and more information. Many information systems contain information about people that is secret or sensitive. Such information should not be allowed to leak from a database. This problem grows more and more as databases are made available via the Internet.
There have been a number of publicised occasions where hackers have passed security barriers and got information that is not intended to be publicly available. There have also been cases where the administrators of systems have made mistakes, so that classified information was published on the Internet.
The FiLDB architecture uses existing technology together with new components to provide an environment in which databases can be connected to the Internet without losing security. Two databases, with physical separation between them, are used as a security measure. Secret information is stored only in an internal database, which is separated from the Internet. An external database contains information which is to be used from the Internet, and hence sensitive information is not stored in this database.
Comments
By Anonymous Coward () on
Comments
By jtorin () on
Comments
By Anonymous Coward () on
By Anonymous Coward () on
then "select host,user from mysql.user"
to see the user table
Comments
By dawg () on
error 1130: host 'hostname' is not allowed to access this mysql server.
and again, my 'hostname' is in the hosts file.
I would check the host table in mysql but I can't even get in from the local host! argghh
By janus () janus at errornet dot de on http://janus.errornet.de
Try `mysql -h127.0.0.1 -uroot -p'.
Comments
By dawg () on
error 1130: host localhost is not allowed to access this mysql server
Comments
By janus () janus at errornet dot de on http://janus.errornet.de
Was only an idea.
By Anonymous Coward () on
By dawg () on
-I accessed the server using webmin as root
-I was able to load the mysql admin module through webmin
-When I looked at the privilege table for mysql, the root user was not listed at all
-The above was what kept me from accessing the db admin tool from the local computer
-Why was I able to access the db through webmin if the root user was not in the privilege table?!?!
-Through the webmin tool, I added the root user to the privilege table with full access to any db from any host
-I was then able to access any db locally
There seems to be something about how webmin and obsd work together that allowed me to add myself to a db privilege table remotely that I couldn't even access at the local computer.
Keep in mind that I couldn't even have accessed the server remotely through webmin if I didn't know the root password but the above just doesn't sit right in my stomach.
Comments
By Christopher () on
The other thing I seem to remember, not when I installed on OpenBSD awhile back, but when someone else did the initial install on red hat, was that I had to build a database before I could login.
By Anonymous Coward () on
# mysql -h localhost -u root
if you get access denied, you aren't running the default privs, and should reset to them.
afterwards, i suggest deletion of all entries in mysql.users and re-addition based on strict need credentials.
all of this is basic mysql know-how. there's no special security problem with mysql and openbsd 3.2 (which the article subject suggests), and unless I'm missing something, this really has nothing to do with OpenBSD at all.
Comments
By Anonymous Coward () on
By Chisara () on
safe_mysqld &
This will kick up the server and then
/usr/local/bin/mysqladmin -u root -p password mynewpasswd (Enter)
Then it will prompt for the current password of the root user which after a clean install should be empty, so when it gives the Enter password: prompt just press enter.
This should have changed the password for the root account from empty to mynewpasswd, and with that password change you should be able to login immediately into the database using the mysql command.
mysql -u root -p (enter)
it will then prompt you for a password using the Enter password: prompt, here fill in your mynewpasswd and press enter.
If you interpreted the install instructions like I did the first time you are not able to login or change your password, hope it helps you.
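The steps suggested in the comments above (look at mysql.user, drop the default entries, re-add accounts on a strict-need basis, give root a password), written out as SQL to run from the mysql prompt. This is an added example, not part of any commenter's post; it assumes the MySQL 3.23 grant tables discussed in this thread, and `appdb`, `appuser` and both passwords are placeholders.

```sql
-- Added example: audit and tighten the grant tables (MySQL 3.23-era syntax).
-- appdb, appuser and the CHANGE-ME passwords are placeholders.

-- 1. List every (Host, User) pair the server will accept. A client whose
--    host matches no Host value in this table is refused with error 1130.
SELECT Host, User, Password FROM mysql.user ORDER BY User, Host;

-- 2. Flag the risky rows: empty password, anonymous user, wildcard host.
SELECT Host, User
  FROM mysql.user
 WHERE Password = '' OR User = '' OR INSTR(Host, '%') > 0;

-- 3. Make sure a local root row exists and has a password BEFORE removing
--    anything. GRANT creates the row if it is missing, so this also covers
--    the case where root is not listed in the table at all.
GRANT ALL PRIVILEGES ON *.* TO root@localhost
      IDENTIFIED BY 'CHANGE-ME-root' WITH GRANT OPTION;

-- 4. Remove every other root row (remote or wildcard hosts) and all
--    anonymous accounts, including their database-level entries.
DELETE FROM mysql.user WHERE User = 'root' AND Host <> 'localhost';
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.db   WHERE User = '';

-- 5. Re-add accounts on a strict-need basis: one database, only the
--    privileges the application uses, one originating host.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.*
      TO appuser@localhost IDENTIFIED BY 'CHANGE-ME-app';

-- 6. Direct edits to the grant tables are not seen by the server until
--    the tables are reloaded.
FLUSH PRIVILEGES;

-- 7. Verify: root should appear once, for localhost only, and no row
--    should have an empty User or Password.
SELECT Host, User FROM mysql.user ORDER BY User, Host;
SHOW GRANTS FOR appuser@localhost;
```

Run step 3 before step 4 and keep the current session open until a second login as root@localhost succeeds, so a mistake cannot lock out the only administrative account.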
By Peter H. Coffin () hellsop@ninehells.com on mailto:hellsop@ninehells.com