List:General Discussion« Previous MessageNext Message »
From:Martin Ramsch Date:October 1 1999 3:38pm
Subject:Re: Security in Perl/CGI
View as plain text  
On Fri, 1999-10-01 11:14:49 -0400, Christopher R. Jones wrote:
> I will be developing a WEB application that allows users to create new
> MySQL databases.  I think there are two possible scenarios:
> 1.  SU adds new users to mysql and the user can then create database.
> 2.  SU creates new database giving user access to select, insert, delete.

"SU" is short for "superuser", meaning in this context the database
root account?

> I am concerned about hiding the SU user_id and password in the CGI scripts.  
> For example, a CGI script contains something like:
> my $db = "buildings";
> my $user = "cjones";
> my $password = "spikeo";
> my $hostname = "";

If I want to give users the possibility to create and administer their
own database, I usually give them the rights to create databases only
that have a name starting with their db username. 
For a user "joe" this is:

  UPDATE mysql.db SET db='joe%' WHERE user='joe' AND db='joe';

Side note:
  Theoretically the same could be accomplished by
    GRANT ALL PRIVILEGES ON 'joe%'.* TO joe@'';
  but unfortunately MySQL gives a syntax error for this.

Now "joe" can create every database he wishes and work with it as long
as the database name starts with "joe...", but he can't change or drop
any other databases.

For this method, you as db root only have to set up the rights once
per db user, from then on no more interaction of yours is necessary.

If you additionally want to create new users somehow automatically, I
don't see a possibility to avoid needing the password for db root.

Martin Ramsch <m.ramsch@stripped> <URL: >
PGP KeyID=0xE8EF4F75 FiPr=5244 5EF3 B0B1 3826  E4EC 8058 7B31 3AD7
Security in Perl/CGIChristopher R. Jones1 Oct
  • Re: Security in Perl/CGIMartin Ramsch1 Oct
  • Re: Security in Perl/CGIPaul DuBois1 Oct