
MySQL Security Concern

Sometimes when I encounter bugs, I have to sit and determine whether they are a bug or just an issue. Or maybe, sometimes, it's how I think about something. In this case, maybe it's my process. In any case, I'm writing this up so I don't forget about it, and to share it with the larger community. This "bug" is with both MySQL v3.21 and v4.01 (I found it on 3.21 and verified it against v4.01 in my test environment).

For a little background: several months ago I built a database for a friend on my web / database server. I added his user account so he could log in directly and created a database for him. I guess the name I chose for the database I built wasn't the best, as I later deleted the database and removed his account from my system when the software (I named the database after the software I installed) didn't meet his needs. (I used the MySQL commands "DROP USER 'xxx'@'localhost'" and "DROP USER 'xxx'@'%'".) Everything looked good and I didn't see his name under the list of logins anymore (SELECT * FROM users WHERE user_login = 'xxx').

Having completely forgotten about this, I installed a newer version of the software for myself to look at a couple of weeks ago. And then last week, I re-added my friend back onto the server and granted him access to a different database. Imagine my surprise when he Instant Messaged me and asked why "his" database was still there, and what all my data was doing in it. It turned out that just dropping the user didn't remove the account's access to the database, and I should also have executed "REVOKE ALL PRIVILEGES FROM 'xxx'@'localhost'" and "REVOKE ALL PRIVILEGES FROM 'xxx'@'%'" on his account.

I'm not sure if this is a bug or just a detail in implementation. (And lucky for me I didn't have anything critical in there and that I trust him completely on my systems!)
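As an added example (not from the original post), the order that avoids leaving grants behind: audit, revoke, then drop, then check the grant tables for rows that still name the account. It assumes the same 'xxx'@'localhost' and 'xxx'@'%' accounts as above and a MySQL release that accepts the REVOKE ALL PRIVILEGES, GRANT OPTION form without an ON clause (older releases need a REVOKE ALL ON db.* per database instead).

```sql
-- Constructed example for the account discussed above: 'xxx'@'localhost' and 'xxx'@'%'.

-- 0. Record what the account currently holds, so the removal can be reviewed later.
SHOW GRANTS FOR 'xxx'@'localhost';
SHOW GRANTS FOR 'xxx'@'%';

-- 1. Strip every privilege (global, database, table, column) and the GRANT OPTION
--    *before* touching the account. Without this, rows in mysql.db and friends
--    survive the DROP USER.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'xxx'@'localhost';
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'xxx'@'%';

-- 2. Only then remove the login itself.
DROP USER 'xxx'@'localhost';
DROP USER 'xxx'@'%';

-- 3. Not needed after REVOKE/DROP USER, but harmless, and required if any grant
--    table was ever edited with plain INSERT/DELETE.
FLUSH PRIVILEGES;

-- 4. Verify. Every grant table is keyed on (Host, User); a row that still names
--    the user is an orphaned privilege that a future account created with the
--    same user@host silently inherits, which is exactly what happened above.
--    Expected result: zero rows. (Newer releases add more grant tables, e.g.
--    mysql.procs_priv and mysql.proxies_priv; extend the UNION accordingly.)
SELECT 'user'         AS grant_table, Host, User, '*.*' AS scope
  FROM mysql.user         WHERE User = 'xxx'
UNION ALL
SELECT 'db',           Host, User, CONCAT(Db, '.*')
  FROM mysql.db           WHERE User = 'xxx'
UNION ALL
SELECT 'tables_priv',  Host, User, CONCAT(Db, '.', Table_name)
  FROM mysql.tables_priv  WHERE User = 'xxx'
UNION ALL
SELECT 'columns_priv', Host, User, CONCAT(Db, '.', Table_name, '.', Column_name)
  FROM mysql.columns_priv WHERE User = 'xxx';
```

Running step 4 alone, before re-creating a dropped account, is the cheapest way to catch the situation described in the post.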

This script is called from a cron job (scheduled task) and emails me this data on a daily basis so I can track disk space usage. I install it on all my systems (though I should probably do something different, like store the values in a database or something).


A required reading list for Geeks

Excuse the formatting. Copying it over from OpenOffice threw off my tab marks and things. I've included references for all my sources at the bottom (end).

Many people have written a recommended reading list for “geeks.” I'm not sure I can claim to be all-knowing, but on my first brush with this, I figured I'd take some books from various lists and add them to my own (there was already a lot of overlap) to produce my own list. While I've read many of them, I still have quite a way to go.


Creating A Drupal Database

The following SQL will create a PostgreSQL database for Drupal. I'm calling it drupal in this case, but you can call it whatever you want.

-- assumes the role drupalweb already exists; it becomes the database owner
CREATE DATABASE drupal
 WITH OWNER = drupalweb
      ENCODING = 'UTF8'
      TABLESPACE = pg_default
      LC_COLLATE = 'en_US.UTF-8'
      LC_CTYPE = 'en_US.UTF-8';
GRANT ALL ON DATABASE drupal TO drupalweb;

Uptime vs Availability

Do we need to sacrifice system uptime against system availability? I use the term system availability to cover both uptime and unscheduled outages, so here system availability includes time lost to both unscheduled and scheduled outages. Why would I ask such a thing? Systems crash for all kinds of reasons: a failure in the garbage collector to collect objects, or collecting the wrong objects. So why do we need to do regular scheduled reboots of the system?
