List: General Discussion
From: Paul DuBois
Date: October 16 2001 4:46pm
Subject: Re: Has this problem been addressed?
At 8:22 AM -0700 10/16/01, Chad Burnette wrote:
>Hello,
>	I would really like to get MySQL to work with our product (and
>recommend it to customers of ours), but due to the error below I cannot
>safely do that.  I am wondering if this problem has been addressed in a
>recent version.  Please send feedback to my email.  Thanks...
>SECURITY WARNING: DO NOT USE MYSQL IN A PRODUCTION (LIVE) SYSTEM.
>MySQL introduces into Portal Server a security issue that causes it to not
>be a suitable database for running in an environment where there are
>potentially untrusted users. MySQL should be used only for development or
>evaluation purposes. The security flaw is that all permissions on a deleted
>user group may be inherited by the next user group that is created.
>Technical Reason For MySQL Security Flaw: MySQL implements its autoincrement
>differently compared to other databases with which Portal Server runs. MySQL
>increments from the highest row currently in the table, not the highest
>value ever. User groups receive their ID from this autoincrement feature.

This was addressed more than two years ago.  Do you not ever re-evaluate
a product once you find a problem with it?

The fix is to use a MyISAM table rather than an ISAM table.

MyISAM tables have been available since version 3.23.

>Under MySQL, if you delete a user group and then add another user group,
>that second user group will have the same ID as the deleted one. Deleting a
>user group doesn't remove its permissions from the various objects that take
>permissions in Portal Server. A collection routine eventually removes those
>permissions to prevent long-term disk space loss, but not over a short
>enough time period to be secure.
>
>
>Chad Burnette
>Solutions Engineer, Northeast Region
>Epicentric, Inc.
>
>Phone:	646.613.7239
>Cell:	845.893.3419
>Fax:	646.613.9545
>eMail:	cburnette@stripped
>URL:  	http://www.epicentric.com

-- 
Paul DuBois, paul@stripped
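
The ID-reuse problem from the quoted report, reproduced as an added example that is not part of either message or of Portal Server's code. As an assumption, SQLite stands in for MySQL: its plain `INTEGER PRIMARY KEY` allocates from the highest id currently in the table, while `AUTOINCREMENT` never reuses an id. Table, group and object names are constructed.

```python
import sqlite3

def make_db(reuse_ids):
    db = sqlite3.connect(":memory:")
    # Plain INTEGER PRIMARY KEY: next id = highest id currently in the table + 1.
    # AUTOINCREMENT: next id = highest id ever issued + 1 (never reused).
    id_type = "INTEGER PRIMARY KEY" + ("" if reuse_ids else " AUTOINCREMENT")
    db.execute(f"CREATE TABLE user_group (id {id_type}, name TEXT)")
    db.execute("CREATE TABLE permission (group_id INTEGER, object TEXT, action TEXT)")
    return db

def add_group(db, name):
    return db.execute("INSERT INTO user_group (name) VALUES (?)", (name,)).lastrowid

def orphaned_grants(db):
    """Grants whose group no longer exists: the exposure window in the report."""
    return db.execute(
        "SELECT group_id, object, action FROM permission "
        "WHERE group_id NOT IN (SELECT id FROM user_group)").fetchall()

def delete_group(db, gid, purge_grants):
    with db:  # group row and its grants go in one transaction
        if purge_grants:
            db.execute("DELETE FROM permission WHERE group_id = ?", (gid,))
        db.execute("DELETE FROM user_group WHERE id = ?", (gid,))

def scenario(reuse_ids, purge_grants=False):
    """Delete a privileged group, create a new one, report what the new one holds."""
    db = make_db(reuse_ids)
    add_group(db, "staff")
    old_id = add_group(db, "admins")
    db.execute("INSERT INTO permission VALUES (?, 'payroll', 'write')", (old_id,))
    delete_group(db, old_id, purge_grants)
    orphans = orphaned_grants(db)          # audit check before any new group exists
    new_id = add_group(db, "guests")
    inherited = db.execute(
        "SELECT object, action FROM permission WHERE group_id = ?", (new_id,)).fetchall()
    db.close()
    return old_id, new_id, orphans, inherited

if __name__ == "__main__":
    print("ids reused, grants left behind :", scenario(True))
    print("ids never reused               :", scenario(False))
    print("ids reused, grants purged      :", scenario(True, purge_grants=True))
```

Non-reusable ids close the inheritance path even while stale grants still exist; purging grants in the same transaction as the group removes the stale rows themselves, and the `orphaned_grants` query can run as a periodic audit.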