List: General Discussion
From: Chad Burnette
Date: October 16 2001 3:22pm
Subject: Has this problem been addressed?

Hello,
	I would really like to get mySQL to work with our product (and
recommend it to customers of ours), but due to the error below I cannot
safely do that.  I am wondering if this problem has been addressed in a
recent version.  Please send feedback to my email.  Thanks...

SECURITY WARNING: DO NOT USE MYSQL IN A PRODUCTION (LIVE) SYSTEM.

MySQL introduces into Portal Server a security issue that causes it to not
be a suitable database for running in an environment where there are
potentially untrusted users. MySQL should be used only for development or
evaluation purposes. The security flaw is that all permissions on a deleted
user group may be inherited by the next user group that is created.

Technical Reason For MySQL Security Flaw: MySQL implements its autoincrement
differently compared to other databases with which Portal Server runs. MySQL
increments from the highest row currently in the table, not the highest
value ever. User groups receive their ID from this autoincrement feature.
Under MySQL, if you delete a user group and then add another user group,
that second user group will have the same ID as the deleted one. Deleting a
user group doesn't remove its permissions from the various objects that take
permissions in Portal Server. A collection routine eventually removes those
permissions to prevent long-term disk space loss, but not over a short
enough time period to be secure.


Chad Burnette
Solutions Engineer, Northeast Region
Epicentric, Inc.

Phone:	646.613.7239
Cell:	845.893.3419
Fax:	646.613.9545
eMail: 	cburnette@stripped
URL:   	http://www.epicentric.com
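
The ID-reuse failure described in the message above, reproduced as an added example (not part of the original post and not Portal Server code). SQLite stands in for the database because its plain `INTEGER PRIMARY KEY` also assigns one more than the highest id currently in the table; the schema, group names and the `run` helper are constructed for illustration.

```python
import sqlite3

REUSING_ID = "INTEGER PRIMARY KEY"                 # next id = highest id in table + 1
MONOTONIC_ID = "INTEGER PRIMARY KEY AUTOINCREMENT" # next id = highest id ever used + 1

def run(id_column, cleanup_on_delete):
    """Delete a group, create another; return (old_id, new_id, inherited_perms)."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE user_group (id {id_column}, name TEXT)")
    # Permissions are keyed only by group id, as in the scenario described (constructed schema).
    db.execute("CREATE TABLE object_perm (group_id INTEGER, object TEXT, perm TEXT)")

    db.execute("INSERT INTO user_group (name) VALUES ('staff')")
    old_id = db.execute("INSERT INTO user_group (name) VALUES ('admins')").lastrowid
    db.execute("INSERT INTO object_perm VALUES (?, 'payroll', 'write')", (old_id,))

    # Delete the group; the safe variant removes its permissions in the same
    # transaction instead of leaving them for a later collection routine.
    with db:
        db.execute("DELETE FROM user_group WHERE id = ?", (old_id,))
        if cleanup_on_delete:
            db.execute("DELETE FROM object_perm WHERE group_id = ?", (old_id,))

    # A new, unrelated group is created afterwards.
    new_id = db.execute("INSERT INTO user_group (name) VALUES ('guests')").lastrowid
    inherited = db.execute(
        "SELECT object, perm FROM object_perm WHERE group_id = ?", (new_id,)
    ).fetchall()
    db.close()
    return old_id, new_id, inherited

if __name__ == "__main__":
    cases = [
        ("reused id, deferred cleanup", REUSING_ID, False),
        ("reused id, cleanup on delete", REUSING_ID, True),
        ("never-reused id, deferred cleanup", MONOTONIC_ID, False),
    ]
    for label, column, cleanup in cases:
        old_id, new_id, inherited = run(column, cleanup)
        print(f"{label}: old={old_id} new={new_id} inherited={inherited}")
```

Either fix alone closes the gap: removing permission rows in the same transaction as the group delete, or using identifiers that are never reissued.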
