Archive of UserLand's first discussion group, started October 5, 1998.

Re: Walking around amsterdam

Author: Paul Snively
Posted: 5/16/2000; 12:21:47 PM
Topic: Walking around amsterdam
Msg #: 17349 (In response to 17342)
Prev/Next: 17348 / 17350

Joshua Boyd: Uhm, I don't think that MySQL is considered a publicly available service. After all, they didn't attack MySQL directly, they had to go through several layers to get there.

Making MySQL a publicly available service indirectly. My understanding of the hole was that basically anyone who wanted to could upload a PHP program for PHP to execute. That's bad enough as is. For the database that PHP is connecting to to be running as root is flat-out ridiculous. People who do that abdicate the right to even be surprised when they're hacked, let alone indignant about it.

This sort of thing is precisely why having authorization of actions take place at process scope and by association with some notion of "user identity" is a bankrupt security model. The granularity is far too coarse, and the idea that a user identity is the right place to associate a collection of privileges, let alone the idea that we can even guarantee a user's identity, is just plain wrong. Processes don't exist in isolation; they communicate with each other in order to ask each other to do things. Sometimes they're asking on behalf of the current user of a browser, sometimes on behalf of some administrator who's not even logged in, sometimes on behalf of their authors, etc.

Even if we accept the proposition that MySQL had to be running as root (and I do not), that "fact" alone would dictate that MySQL be running on a separate box, behind a packet-filtering etc. etc. firewall, and the ONLY IP address allowed to connect to it would be from the box running the bugzilla scripts, over SSH tunnelling or somesuch, using 1024-bit RSA keys for authentication. The bugzilla machine would be a different machine than the machine where files could be uploaded via FTP if FTP uploading were even necessary (once again, SSH and SCP would be far better alternatives). Even then, no one should be allowed to upload arbitrary PHP files directly to the running service--they should go into a holding pen where they can be reviewed pending production. etc.

The bottom line is that the reason it's a bad idea to run things like databases as root is precisely because it's very hard to foresee paths of vulnerability like the one that led to the apache.org hack. Remember that line from a few years back about AIDS? "When you have sex with someone, you're also having sex with everyone that person has ever had sex with, and everyone each of them has had sex with..." It's the same principle. As the Cigarette-Smoking-Man said, "It's about access." You may think your crucial service isn't publicly available, but you're wisest to assume that it is, in some fashion.
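The deployment the post argues for (database under an unprivileged account, bound to an internal address, reachable only from the one application host) can be checked mechanically. The following is an added example and not code from the post, from UserLand or from the apache.org incident; the two configuration texts, the packet-filter rule format, and the host addresses are constructed for illustration, and the key names only mimic a MySQL `[mysqld]` section so that the checker reads naturally.

```python
"""Added example: a small least-privilege audit for a database deployment.
Everything below (config texts, rule format, addresses) is constructed."""
import ipaddress
import re

# Constructed: roughly how the deployment criticised in the thread might look.
WEAK_MYSQLD_CONF = """
[mysqld]
user = root
bind-address = 0.0.0.0
port = 3306
"""

# Constructed: the layout the post argues for -- a dedicated service account,
# listening only on the database host's internal address.
HARDENED_MYSQLD_CONF = """
[mysqld]
user = mysql
bind-address = 10.0.0.5
port = 3306
"""

# Constructed packet-filter rules, "ACTION <cidr> <port>" per line,
# evaluated first match wins, with an implicit final DENY.
WEAK_RULES = ["ALLOW 0.0.0.0/0 3306"]
HARDENED_RULES = ["ALLOW 10.0.0.10/32 3306", "DENY 0.0.0.0/0 3306"]

APP_HOST = "10.0.0.10"      # the only box that should reach the database
STRAY_HOST = "192.0.2.44"   # constructed outsider address used as a probe


def parse_mysqld_section(text):
    """Return the key/value pairs of the [mysqld] section as a dict."""
    section, out = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "mysqld" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key] = value
    return out


def port_reachable(rules, src_ip, port):
    """First-match evaluation of the constructed rule format; default deny."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        action, cidr, rule_port = rule.split()
        if int(rule_port) == port and src in ipaddress.ip_network(cidr):
            return action == "ALLOW"
    return False


def audit(conf_text, rules, allowed_app_host, probe_host):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_mysqld_section(conf_text)
    port = int(cfg.get("port", "3306"))
    findings = []
    # An unset user means "whoever started the daemon", so flag it as well.
    if cfg.get("user") in (None, "root"):
        findings.append("mysqld user is root or unset; use a dedicated unprivileged account")
    if cfg.get("bind-address", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append("mysqld listens on all interfaces; bind to the internal address")
    if not port_reachable(rules, allowed_app_host, port):
        findings.append(f"application host {allowed_app_host} cannot reach port {port}")
    if port_reachable(rules, probe_host, port):
        findings.append(f"port {port} is reachable from {probe_host}; restrict it to the app host")
    return findings


if __name__ == "__main__":
    for name, conf, rules in (("weak", WEAK_MYSQLD_CONF, WEAK_RULES),
                              ("hardened", HARDENED_MYSQLD_CONF, HARDENED_RULES)):
        print(name, audit(conf, rules, APP_HOST, STRAY_HOST) or ["ok"])
```

Run as a script, the weak deployment produces three findings (root account, wide-open bind address, database port reachable from the outsider address) and the hardened one produces none. The point of the probe address is the post's closing advice: rather than trusting that a service is not public, the check assumes an arbitrary outside host and confirms the filter actually rejects it.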

This page was archived on 6/13/2001; 4:55:13 PM.

© Copyright 1998-2001 UserLand Software, Inc.