"Enterprisey" Database Configuration Option for MySQL



  • On a PRODUCTION server at work, I found this very representative /etc/rc.conf snippet. Guess which option of these is the real WTF:

    mysql_enable="YES"
    mysql_limits="NO"
    mysql_dbdir="/data/mysql"
    mysql_args="--skip-grant-tables" 


  • @OperatorBastardusInfernalis said:

    Filed under: password-protected my ass
    Good idea, you wouldn't want someone getting in there without proper authorization.



  • mysql_enable="YES" ?

     



  • The second option says there are no limits and the last option says to skip certain things. This contradiction seems to me TRWTF and not one particular option.



  • @Quincy5 said:

    The second option says there are no limits and the last option says to skip certain things. This contradiction seems to me TRWTF and not one particular option.



    It is SO one particular option... "--skip-grant-tables" which means "let EVERYONE do ANYTHING on ANY database."


  • I think that tag is a little unfair. You might not want to hire Quincy5 as an MySQL DBA, but that's not the same thing.


    As an Oracle user with no MySQL experience, I'd have assumed that "--skip-grant-tables" meant that no grants would be processed, so every user would have access to only their own objects. That might be a WTF on the level of "breaking all the applications that use this DB", but not the sort of epic WTF that "everyone can do everything" would be.



  • @Scarlet Manuka said:

    As an Oracle user with no MySQL experience, I'd have assumed that "--skip-grant-tables" meant that no grants would be processed, so every user would have access to only their own objects. That might be a WTF on the level of "breaking all the applications that use this DB", but not the sort of epic WTF that "everyone can do everything" would be.

    Wow, that really is TRWTF if mysql has a no-security option that closely resembles an Oracle higher-security option! As for the unfairness, possibly I should rein that in for my first few posts ...



  • @token_woman said:

    Wow, that really is TRWTF if mysql has a no-security option

    FTFY :)

    I don't know if Oracle has any options like this; I rather hope not. As far as I know (I'm not a DBA), by default every user can access only their own schema, and other permissions must be granted explicitly. Of course, if you want to have no security you can grant maximal privileges to PUBLIC. I'm not sure why you would want to do that, though...



  • @token_woman said:

    @Quincy5 said:

    The second option says there are no limits and the last option says to skip certain things. This contradiction seems to me TRWTF and not one particular option.



    It is SO one particular option... "--skip-grant-tables" which means "let EVERYONE do ANYTHING on ANY database."



    But they can do it way faster ...

    So if your server is firewalled to allow only localhost access (usual configuration with webservers), is it really a wtf?




  • @Nelle said:

    @token_woman said:

    @Quincy5 said:

    The second option says there are no limits and the last option says to skip certain things. This contradiction seems to me TRWTF and not one particular option.



    It is SO one particular option... "--skip-grant-tables" which means "let EVERYONE do ANYTHING on ANY database."

    But they can do it way faster ...
    So if your server is firewalled to allow only localhost access (usual configuration with webservers), is it really a wtf?

    Yes, you generally want multiple levels of security protection so that even if 1 is compromised the hackers won't immediately have full control.



  • @Nelle said:

    But they can do it way faster ...
    So if your server is firewalled to allow only localhost access (usual configuration with webservers), is it really a wtf?

    Indeed there may be cases where you positively want to grant all privileges to all users, on a production system, all the time.  But that is not what skip-grant-tables is for. That option is for overriding any restrictions that have been set. In certain development or debugging scenarios you might want to do this. I have done it myself when I have forgotten passwords. 

     The WTF is using it in production. 
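
An added example (not posted by anyone in this thread): a small POSIX shell audit that flags an active skip-grant-tables setting in rc.conf-style or my.cnf-style files, such as the mysql_args line in the first post. The function names and the sample file are constructed for illustration; the underscore spelling is matched as well because MySQL accepts dashes and underscores interchangeably in option names.

```shell
#!/bin/sh
# Added example, not code from the thread.

# audit_skip_grant FILE...
# Prints "file:line: text" for every active (non-comment) line that mentions
# skip-grant-tables. Returns 1 if anything was found, 0 if all files are clean.
audit_skip_grant() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Comment lines start with '#' (rc.conf, my.cnf) or ';' (my.cnf).
        # The option is matched with dashes or underscores.
        if awk -v f="$f" '
            /^[ \t]*[#;]/ { next }
            /skip[-_]grant[-_]tables/ {
                printf "%s:%d: %s\n", f, NR, $0
                found = 1
            }
            END { exit (found ? 0 : 1) }
        ' "$f"; then
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input: the rc.conf lines quoted in the first post.
sample_rc_conf() {
    cat <<'EOF'
mysql_enable="YES"
mysql_limits="NO"
mysql_dbdir="/data/mysql"
mysql_args="--skip-grant-tables"
EOF
}

# Demo on the constructed sample; pass real paths to audit_skip_grant instead,
# e.g. /etc/rc.conf and the server's my.cnf.
tmp=$(mktemp)
sample_rc_conf > "$tmp"
audit_skip_grant "$tmp" || echo "FAIL: privilege checks are disabled at startup"
rm -f "$tmp"
```

The non-zero return value makes the function usable as a gate in a configuration-management run or a pre-deployment check.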

