MySQL GRANT PROXY - what does it mean?
Problem
I run:
    show grants for root@localhost;
and I see
    GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
From mysql docs:
https://dev.mysql.com/doc/refman/5.5/en/proxy-users.html
This enables the external user to be a proxy for the second user; that
is, to have the privileges of the second user. In other words, the
external user is a “proxy user” (a user who can impersonate or become
known as another user) and the second user is a “proxied user” (a user
whose identity can be taken on by a proxy user).
But I do not understand what they mean. I got the system from another worker who left the job, and I want to make sure everything is secure; I do not know if this grant is even needed. But if it does not cause any security issues, I can leave it.
Can somebody explain it in a simpler way?
Update:
How can I connect as another user? I was trying various combinations of username and password, but I cannot make it connect.
For example, I used user root but the password from another user, which did not work. I tried another user and the root password, which also did not work.
Update:
Or maybe this means that the root user can connect as another user? How can I do that, at least as an example, if so?
Solution
MySQL User Authentication is a rather lengthy process to explain. I refer you to my 3.5-year-old answer to MySQL error: Access denied for user 'a'@'localhost' (using password: YES) so you can see the steps a user takes to authenticate.
What the PROXY grant does is allow one user to masquerade as another user and bypass MySQL's normal but lengthy user authentication protocol.
Such proxy grants could be a security hole if one knew of this and started taking advantage of it. The quickest way to deactivate this would be to run
    TRUNCATE TABLE mysql.proxies_priv;
    FLUSH PRIVILEGES;
This will wipe out the current proxy privileges.
Afterwards, if you want to restrict proxy privileges, go to the OS and do this:
    cd /var/lib/mysql/mysql
    chmod -w proxies_priv.*
This will prevent new proxy privileges from being created.
GIVE IT A TRY !!!
Context
StackExchange Database Administrators Q#106444, answer score: 4
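To review proxy grants like the one in the question before deciding whether to remove them, the following added example (not code from the question, the answer or MySQL) parses SHOW GRANTS output and reports which account may impersonate which. The function and field names are illustrative, and the sample lines other than the one quoted in the question are constructed.

```python
import re

# One account-name part: 'quoted', `quoted`, or bare (as in root@localhost).
PART = r"(?:'[^']*'|`[^`]*`|[^\s@'`]+)"
PROXY_GRANT = re.compile(
    rf"^\s*GRANT\s+PROXY\s+ON\s+({PART})@({PART})\s+TO\s+({PART})@({PART})"
    r"(\s+WITH\s+GRANT\s+OPTION)?\s*;?\s*$",
    re.IGNORECASE,
)


def unquote(part):
    """Drop the surrounding quotes SHOW GRANTS puts around a name."""
    if len(part) >= 2 and part[0] in "'`" and part[-1] == part[0]:
        return part[1:-1]
    return part


def audit_proxy_grants(show_grants_lines):
    """Return one finding per GRANT PROXY statement; other grants are skipped."""
    findings = []
    for line in show_grants_lines:
        m = PROXY_GRANT.match(line)
        if not m:
            continue
        p_user, p_host, user, host = (unquote(g) for g in m.groups()[:4])
        findings.append({
            "proxy": f"{user}@{host}",        # account that may impersonate
            "proxied": f"{p_user}@{p_host}",  # account it may become
            # ''@'' as the proxied account means any user at any host
            "any_account": p_user == "" and p_host == "",
            # WITH GRANT OPTION lets the proxy account pass PROXY on to others
            "can_delegate": m.group(5) is not None,
        })
    return findings


# Constructed sample: the line from the question plus two made-up grants.
SAMPLE = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT PROXY ON 'app_rw'@'localhost' TO ''@'%'",
]

if __name__ == "__main__":
    for f in audit_proxy_grants(SAMPLE):
        print(f)
```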