At 8:22 AM -0700 10/16/01, Chad Burnette wrote:
>Hello,
> I would really like to get MySQL to work with our product (and
>recommend it to customers of ours), but due to the error below I cannot
>safely do that. I am wondering if this problem has been addressed in a
>recent version. Please send feedback to my email. Thanks...
>SECURITY WARNING: DO NOT USE MYSQL IN A PRODUCTION (LIVE) SYSTEM.
>MySQL introduces into Portal Server a security issue that causes it to not
>be a suitable database for running in an environment where there are
>potentially untrusted users. MySQL should be used only for development or
>evaluation purposes. The security flaw is that all permissions on a deleted
>user group may be inherited by the next user group that is created.
>Technical Reason For MySQL Security Flaw: MySQL implements its autoincrement
>differently compared to other databases with which Portal Server runs. MySQL
>increments from the highest row currently in the table, not the highest
>value ever. User groups receive their ID from this autoincrement feature.
This was addressed more than two years ago. Do you not ever re-evaluate
a product once you find a problem with it?
The fix is to use a MyISAM table rather than an ISAM table.
MyISAM tables have been available since version 3.23.
>Under MySQL, if you delete a user group and then add another user group,
>that second user group will have the same ID as the deleted one. Deleting a
>user group doesn't remove its permissions from the various objects that take
>permissions in Portal Server. A collection routine eventually removes those
>permissions to prevent long-term disk space loss, but not over a short
>enough time period to be secure.
>
>
>Chad Burnette
>Solutions Engineer, Northeast Region
>Epicentric, Inc.
>
>Phone: 646.613.7239
>Cell: 845.893.3419
>Fax: 646.613.9545
>eMail: cburnette@stripped
>URL: http://www.epicentric.com
--
Paul DuBois, paul@stripped
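
The ID-reuse problem discussed in this thread, as an added example that is not part of either message and is not Portal Server or MySQL code. It assumes SQLite (via Python) as a stand-in for the two ID-allocation behaviours, with constructed table, group and permission names; it also shows that a check for orphaned permission rows stops finding them once the ID has been reused.

```python
import sqlite3

# Constructed schema. SQLite stands in for the two behaviours: a plain
# INTEGER PRIMARY KEY picks max(id)+1 of the rows currently present, while
# AUTOINCREMENT never hands out a value that has been used before.
SCHEMA = """
CREATE TABLE groups_reuse (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE groups_mono  (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT);
CREATE TABLE group_perms  (group_id INTEGER, object TEXT);
"""
TABLES = ("groups_reuse", "groups_mono")  # hypothetical names


def add_group(db, table, name):
    if table not in TABLES:  # table name is interpolated, so restrict it
        raise ValueError(table)
    cur = db.execute(f"INSERT INTO {table} (name) VALUES (?)", (name,))
    return cur.lastrowid


def scenario(table):
    """Create 'admins', grant it a permission, delete the group but not its
    permission rows (the delayed cleanup from the report), then create
    'guests'. Returns (old_id, new_id, perms seen by guests, orphaned ids)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    add_group(db, table, "staff")
    old_id = add_group(db, table, "admins")
    db.execute("INSERT INTO group_perms VALUES (?, ?)", (old_id, "payroll:write"))
    db.execute(f"DELETE FROM {table} WHERE id = ?", (old_id,))
    new_id = add_group(db, table, "guests")
    inherited = [r[0] for r in db.execute(
        "SELECT object FROM group_perms WHERE group_id = ?", (new_id,))]
    # Detection check: permission rows that point at no existing group.
    orphans = [r[0] for r in db.execute(
        f"SELECT group_id FROM group_perms "
        f"WHERE group_id NOT IN (SELECT id FROM {table})")]
    return old_id, new_id, inherited, orphans


if __name__ == "__main__":
    for t in TABLES:
        print(t, scenario(t))
```

Independent of how the database allocates IDs, deleting a group's permission rows in the same transaction as the group itself removes the window the report describes.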