List: General Discussion
From: Sinisa Milivojevic
Date: October 16 2001 4:35pm
Subject:Re: Has this problem been addressed?
Chad Burnette writes:
> Hello,
> 	I would really like to get mySQL to work with our product (and
> recommend it to customers of ours), but due to the error below I cannot
> safely do that.  I am wondering if this problem has been addressed in a
> recent version.  Please send feedback to my email.  Thanks...
> SECURITY WARNING: DO NOT USE MYSQL IN A PRODUCTION (LIVE) SYSTEM. 
> MySQL introduces into Portal Server a security issue that causes it to not
> be a suitable database for running in an environment where there are
> potentially untrusted users. MySQL should be used only for development or
> evaluation purposes. The security flaw is that all permissions on a deleted
> user group may be inherited by the next user group that is created. 
> Technical Reason For MySQL Security Flaw: MySQL implements its autoincrement
> differently compared to other databases with which Portal Server runs. MySQL
> increments from the highest row currently in the table, not the highest
> value ever. User groups receive their ID from this autoincrement feature.
> Under MySQL, if you delete a user group and then add another user group,
> that second user group will have the same ID as the deleted one. Deleting a
> user group doesn't remove its permissions from the various objects that take
> permissions in Portal Server. A collection routine eventually removes those
> permissions to prevent long-term disk space loss, but not over a short
> enough time period to be secure. 
> 
> 
> Chad Burnette
> Solutions Engineer, Northeast Region
> Epicentric, Inc.
> 
> Phone:	646.613.7239
> Cell:	845.893.3419
> Fax:	646.613.9545
> eMail: 	cburnette@stripped
> URL:   	http://www.epicentric.com
> 

Hi!

All your allegations are completely false.

MySQL does not have any known security problems and is in use in
production systems on more than a million installations without any
security problems. Our installations include the most critical sites,
like several military sites, NASA, Yahoo and many others, which we
cannot reveal due to business secrets.

MySQL has no such thing as user groups. The MySQL privilege system is
based on users and hosts and there are no groups in that system
whatsoever, so you have confused us with some other RDBMS.

MySQL auto_increment system works perfectly and in the same manner as
some others, like Oracle. Our system only lacks STEP to mimic other
RDBMS's. None of our users experienced problems with auto_increment
columns.

Also, deleted values in auto_incremented columns are not re-used for
security and entity integrity reasons.

So, your allegations are entirely false.


-- 
Regards,
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /    Mr. Sinisa Milivojevic <sinisa@stripped>
 / /|_/ / // /\ \/ /_/ / /__   MySQL AB, FullTime Developer
/_/  /_/\_, /___/\___\_\___/   Larnaca, Cyprus
       <___/   www.mysql.com
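
The failure mode described in the quoted warning (permission rows that outlive their group, combined with an ID that gets handed out again) can be reproduced at the application level. The following is an added example, not part of the original thread and not Portal Server or MySQL code. It uses SQLite purely as a stand-in, and the table names, column names and the `demo` function are hypothetical; it makes no claim about how any MySQL version assigns auto_increment values.

```python
import sqlite3

def demo(monotonic_ids: bool, cascade_on_delete: bool):
    """Delete a group, create a new one, and return (new_id, inherited_rows)."""
    db = sqlite3.connect(":memory:")
    # SQLite stand-in: a plain INTEGER PRIMARY KEY takes max(id)+1, i.e. it
    # counts from the highest row currently in the table. AUTOINCREMENT keeps
    # a high-water mark and never hands out a deleted value again.
    id_col = "INTEGER PRIMARY KEY" + (" AUTOINCREMENT" if monotonic_ids else "")
    db.execute(f"CREATE TABLE user_group (id {id_col}, name TEXT NOT NULL)")
    db.execute("CREATE TABLE permission "
               "(group_id INTEGER NOT NULL, obj TEXT NOT NULL, access TEXT NOT NULL)")

    def create_group(name):
        cur = db.execute("INSERT INTO user_group (name) VALUES (?)", (name,))
        return cur.lastrowid

    def delete_group(gid):
        with db:  # both deletes commit together or not at all
            if cascade_on_delete:
                # Mitigation: remove the grants in the same transaction
                # instead of leaving them for a later collection routine.
                db.execute("DELETE FROM permission WHERE group_id = ?", (gid,))
            db.execute("DELETE FROM user_group WHERE id = ?", (gid,))

    # Constructed sample data.
    create_group("staff")
    admins = create_group("admins")
    db.execute("INSERT INTO permission VALUES (?, ?, ?)",
               (admins, "payroll", "write"))

    delete_group(admins)
    guests = create_group("guests")  # created right after the delete
    rows = db.execute("SELECT obj, access FROM permission WHERE group_id = ?",
                      (guests,)).fetchall()
    return guests, rows

if __name__ == "__main__":
    for mono in (False, True):
        for cascade in (False, True):
            new_id, inherited = demo(mono, cascade)
            print(f"monotonic_ids={mono!s:5} cascade_on_delete={cascade!s:5} "
                  f"new_id={new_id} inherited={inherited}")
```

Only the combination of reused IDs and orphaned permission rows lets the new group inherit the old grant; either never-reused IDs or deleting the grants together with the group closes the window.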
