List:General Discussion« Previous MessageNext Message »
From:Sasha Pachev Date:July 6 1999 12:39am
Subject:Re: more selective column privileges?
View as plain text  
Benjamin Pflugmann wrote:
> 
> Hi.
> 
> On Sun, Jul 04, 1999 at 07:48:39PM +0200, m.ramsch@stripped wrote:
> > Hello,
> >
> > I have a DB user "userlookup" which only has the SELECT priviledge on
> > the columns mysql.user.user and mysql.user.password.
> >
> [...]
> > My question is:
> >
> >   Is it possible to restrict access to _only_ the field "User"
> >   while using other fields in the WHERE clause?
> >
> >   Example:
> >      SELECT User From user WHERE User='abc' AND Password=PASSWORD('xyz')
> >
> >   The contents of the password field never should be output, but used
> >   internally for the right selection.
> >
> >   My rationale is that I'd like to have a kind of an "access right" to
> >   the password field while denying read access of the whole column.
> 
> Hm. Correct me, if I am wrong, but you would just make it a little bit
> harder to find out the value of password, but it is still relatively
> easy. With this kind of access restriction you can figure out the
> value of a password field by doing some selects. Or did I miss your
> point and the purpose of your suggestion is security by obscurity?
> 
> I know, it could be done better, but it can be done with about 100
> selects: You can figure out each character position in a maximum of
> int(ln(26+10)/ln(2))+1 tries. The value of the password columns has a
> length of 16 characters and seems to only use 0-9a-z (=10+26), which
> would make 96 tries (the calculation is not exact, so don't bother).
> 
> This could be done by doing something like
> 
> SELECT User From user WHERE User='abc' AND Password >= 'n';
> if you get no records back, use
>   SELECT User From user WHERE User='abc' AND Password >= 'h';
> else
>   SELECT User From user WHERE User='abc' AND Password >= 't';
> and so on (you got the idea...)
> 
> This can be further improved to need less queries (you can run it
> partially parallel for several users, improve the algorithm and so
> on...)
> 
> Bye,
> 
>         Benjamin.
> 

Benjamin,

You are a true hacker! The difference between a true hacker and a
wannabe is that while the wannabe will be satisfied with just
discovering the exploit, the true hacker will want to optimize it :-)

-- 
Sasha Pachev
http://www.sashanet.com
Thread
more selective column privileges?Martin Ramsch4 Jul
  • Re: more selective column privileges?Benjamin Pflugmann6 Jul
    • Re: more selective column privileges?Martin Ramsch6 Jul
  • Re: more selective column privileges?Sasha Pachev6 Jul