DaemonForums

#1
Old 13th December 2008
Mantazz
Shell Scout
 
Join Date: Oct 2008
Posts: 90
Thanked 0 Times in 0 Posts
MySQL permission oddity

I have MySQL running on my FBSD box at home, finally. I decided to make a small database for analyzing /var/log/messages, as my system has been under an interesting distributed hack attempt lately and I wanted to see if it would actually be useful to try blacklisting the addresses (sometimes over 200 different addresses attempting ssh connections in one day).

To make a long story less long, I made a database "hackers", with one table "attempts". This table has three columns "time_id", "IP_address", and "faileduser_id".

If I connect to the database as root, I can see the table and columns correctly. Obviously this is not a good practice so I then made a database account "syslog" and gave it permissions accordingly:
Code:
grant all on hackers to syslog@localhost identified by 'PASSWORD';
where of course PASSWORD is replaced by my awesome, secure password.

So then I connect to the database as syslog:
Code:
> mysql -u syslog -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
And connect to the database and look for tables:
Code:
mysql> connect hackers;
Current database: hackers

mysql> show tables in hackers;
Empty set (0.00 sec)
Any MySQL guys out there who might know what is going on here? As I said, the user root on the same MySQL instance can see the tables just fine.
#2
Old 13th December 2008
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,118
Thanked 182 Times in 149 Posts

Instead of
Code:
$ mysql -u syslog -p
try
Code:
$ env USER=syslog mysql -u syslog -p
EDIT:
I was assuming mysql looks at the environment variable ${USER} to determine which user you are. However http://dev.mysql.com/doc/refman/5.1/en/privileges.html says
Quote:
As a user, when you connect to a MySQL server, your identity is determined by the host from which you connect and the username you specify.
So if I interpret the docs correctly, my suggestion to use 'env' won't work.

Does the output of SHOW GRANTS FOR 'syslog' give any clue?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 13th December 2008 at 06:07 PM. Reason: Reasoning added
#3
Old 13th December 2008
Mantazz
Shell Scout
 
Join Date: Oct 2008
Posts: 90
Thanked 0 Times in 0 Posts

Quote:
Does the output of SHOW GRANTS FOR 'syslog' give any clue?
Code:
mysql> show grants for 'syslog'@'localhost';
+---------------------------------------------------------------------------------------------------------------+
| Grants for syslog@localhost                                                                                   |
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'syslog'@'localhost' IDENTIFIED BY PASSWORD '' |
| GRANT ALL PRIVILEGES ON `hackers`.`hackers` TO 'syslog'@'localhost'                                           |
| GRANT ALL PRIVILEGES ON `hackers`.`demo` TO 'syslog'@'localhost'
I'm not entirely sure why we have 'hackers'.'hackers' and 'hackers'.'demo'.
#4
Old 13th December 2008
Mantazz
Shell Scout
 
Join Date: Oct 2008
Posts: 90
Thanked 0 Times in 0 Posts
Found it...

Looks like the problem was that it was permissions for tables, not databases. In this case, the database was called "hackers" and the table was called "attempts".
AFAIK, there may be no mechanism to grant permissions for entire databases, only for tables within. So then I did
Code:
mysql> grant all on Attempts to syslog@localhost identified by 'varlog';
Query OK, 0 rows affected (0.00 sec)
Followed by
Code:
mysql> show grants for 'syslog'@'localhost';
+---------------------------------------------------------------------------------------------------------------+
| Grants for syslog@localhost                                                                                   |
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'syslog'@'localhost' IDENTIFIED BY PASSWORD '' |
| GRANT ALL PRIVILEGES ON `hackers`.`Attempts` TO 'syslog'@'localhost'
And now the user 'syslog' can see the Attempts table. The columns within show up as well, so it looks like I can proceed.

thanks!
#5
Old 13th December 2008
DNAeon
Shell Scout
 
Join Date: Sep 2008
Location: Bulgaria
Posts: 138
Thanked 6 Times in 6 Posts

Quote:
Originally Posted by Mantazz
If I connect to the database as root, I can see the table and columns correctly. Obviously this is not a good practice so I then made a database account "syslog" and gave it permissions accordingly:
Code:
grant all on hackers to syslog@localhost identified by 'PASSWORD';
You should never give all privileges to users that don't actually require them!

Instead of giving a user all privileges, give him only the privileges that he needs. In fact you will only need the SELECT and INSERT privileges, but if you want to delete or update some data (remove old entries for example) from the database you can add the DELETE and UPDATE privileges.
Quote:
Originally Posted by Mantazz
Looks like the problem was that it was permissions for tables, not databases. In this case, the database was called "hackers" and the table was called "attempts".
AFAIK, there may be no mechanism to grant permissions for entire databases, only for tables within.
Actually there is a way, and I suggest that you create your database this way, giving the user syslog minimum privileges:

Code:
GRANT SELECT, INSERT, DELETE, UPDATE 
ON hackers.*
TO 'syslog'@'localhost'
IDENTIFIED BY 'somepassword';
Note the way you give permissions to the entire database: in the second row, note the .* after the name of the database.

You can have a look at the MySQL documentation for more information about the GRANT syntax and the different levels of privileges
http://dev.mysql.com/doc/refman/5.1/en/grant.html

Also, to reduce the number of hackers trying to get into your box via SSH, you could change the port number SSH is listening on, for example some high port number.
__________________
"I never think of the future. It comes soon enough." - A.E

Useful links: FreeBSD Handbook | FreeBSD Developer's Handbook | The Porter's Handbook | PF User's Guide | unix-heaven.org
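The database-level, least-privilege setup DNAeon describes, carried through end to end as an added example; this is not code posted in the thread. The table layout follows the column names Mantazz gave (time_id, IP_address, faileduser_id); the column types, the index, the placeholder password and the sample row are assumptions. The REVOKE lines only apply if the stray table-level rows from the earlier SHOW GRANTS output are still present.

```sql
-- Added example, not from the thread: least-privilege grant on the whole
-- "hackers" database, then verification. Run as the MySQL root user
-- (MySQL 5.1 syntax, matching the manual page linked above).

CREATE DATABASE IF NOT EXISTS hackers;

-- Column types are assumptions; the names are the ones from the thread.
CREATE TABLE IF NOT EXISTS hackers.attempts (
    time_id       DATETIME     NOT NULL,   -- when the attempt was logged
    IP_address    VARCHAR(45)  NOT NULL,   -- source address (room for IPv6)
    faileduser_id VARCHAR(64)  NOT NULL,   -- login name that was tried
    KEY idx_ip (IP_address)                -- the column you will group by
);

-- The thread's original statement, "GRANT ALL ON hackers TO ...", names a
-- table, not a database: with "hackers" selected as the default database it
-- created a privilege on the nonexistent table `hackers`.`hackers`, which is
-- exactly what SHOW GRANTS reported. Remove such leftovers before regranting
-- (each REVOKE errors out harmlessly if that grant row no longer exists).
REVOKE ALL PRIVILEGES ON `hackers`.`hackers` FROM 'syslog'@'localhost';
REVOKE ALL PRIVILEGES ON `hackers`.`demo`    FROM 'syslog'@'localhost';

-- Database-level grant: "hackers.*" covers every table in the database,
-- including ones created later. Only the four DML privileges a log importer
-- needs; no DROP, ALTER, GRANT OPTION or FILE.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON hackers.*
    TO 'syslog'@'localhost'
    IDENTIFIED BY 'CHANGE-ME';   -- placeholder; use a real password

-- Verify: expect one USAGE row plus one row scoped to `hackers`.*,
-- and no table-level rows left over.
SHOW GRANTS FOR 'syslog'@'localhost';

-- Sanity check from a separate session opened as syslog (mysql -u syslog -p).
-- The INSERT and SELECT succeed; the DROP must fail with
-- "DROP command denied to user 'syslog'@'localhost' for table 'attempts'".
-- The address below is a constructed sample from the documentation range.
-- INSERT INTO hackers.attempts VALUES (NOW(), '192.0.2.10', 'admin');
-- SELECT IP_address, COUNT(*) AS n FROM hackers.attempts
--     GROUP BY IP_address ORDER BY n DESC;
-- DROP TABLE hackers.attempts;
```

Checking from the restricted session is the part worth keeping as a habit: SHOW GRANTS tells you what was written to the grant tables, but a denied DROP from the syslog session proves the privilege boundary actually holds for the account the importer will run as.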