
Textpattern CMS support forum


#1 2011-08-04 21:29:22

ande
Member
Registered: 2007-01-21
Posts: 25

Remind user to grant more permissions for MySQL user when updating

Usually, I strip the permissions of the MySQL user down to SELECT, INSERT, UPDATE and DELETE for security reasons. This is a bad thing when trying to update Textpattern, as TXP may not modify / add new table fields and so on.

Solution: Whenever a Textpattern update is recognized by Textpattern and the appropriate permissions are not available for the database user, the upgrade should be put “on hold” until the issue is resolved. Textpattern should display some notice about that and stop the upgrade.

Wouldn't that be neat? :-)


#2 2011-08-05 02:03:53

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: Remind user to grant more permissions for MySQL user when updating

ande wrote:

Wouldn't that be neat? :-)

Yes it would be neat if you ask me :) There have been some problems, not many but some, on this forum with updating in the past, some of which might have been caused by the same reasons as yours.

That said, wondering if something like this could be used:

--- /textpattern/update/_update.php	2011-08-05 04:15:12.000000000 +0300
+++ /textpattern/update/_update.patch.php	2011-08-05 04:55:22.000000000 +0300
@@ -22,6 +22,22 @@
 	if ( $txp_using_svn && (newest_file() <= $dbupdatetime) )
 		return;

+	$require_db_privs = 
+		array(
+			'INSERT',
+			'UPDATE',
+			'DELETE',
+			'CREATE',
+			'DROP',
+			'INDEX',
+			'ALTER'
+		);
+
+	if(($r = getThing('SHOW GRANTS')) && $r != false && $r = explode(', ', strtoupper($r)))
+		foreach($require_db_privs as $priv)
+			if(!in_array($priv, $r))
+				die('Can not update. Please grant '.implode(', ', $require_db_privs).' privs to Textpattern\'s database user and try again.');
+
 	@ignore_user_abort(1);
 	@set_time_limit(0);

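Review bot: the privilege matching in the new block will reject users who actually hold the privileges. `SHOW GRANTS` returns rows of the form `GRANT SELECT, INSERT ON `db`.* TO 'user'@'host'`, so `explode(', ', strtoupper($r))` leaves the first element as `GRANT SELECT` and the last as `ALTER ON `DB`.* TO ...`, and neither matches `in_array($priv, $r)` exactly; a user granted `ALL PRIVILEGES` fails the same way. `SHOW GRANTS` also returns one row per grant (typically a global `USAGE` row followed by the database-level row), so if `getThing()` yields only the first row, the database-level privileges are never seen. Consider reading all rows, extracting the privilege list and scope with a pattern such as `GRANT (.+) ON (.+) TO`, and treating `ALL PRIVILEGES` as satisfying the check. Minor: `$r != false` is redundant once `$r` has already been tested for truthiness in the same condition, and when `SHOW GRANTS` itself fails the check is silently skipped, which may be the intended fallback but deserves a comment.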
Small change to _update.php which would kill the page if the database user doesn’t have the required privs. Don’t really know about backwards compatibility MySQL-wise though.

Last edited by Gocom (2011-08-05 02:06:11)
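As an added example (not Textpattern's code and not part of the patch above), a pre-flight check that reads every row `SHOW GRANTS` returns, distinguishes global from database-level scope, accepts `ALL PRIVILEGES`, and reports only the privileges that are actually missing; `parse_grant_row`, `missing_privileges` and the sample grant rows are constructed here, and a real updater would fill the array from the result set of a `SHOW GRANTS` query through the DB layer.

```php
<?php
// Added example, not Textpattern's own code: a pre-flight check of the
// privileges the updater needs, reading *every* row that SHOW GRANTS returns.
// The grant rows below are constructed samples; a real check would fill the
// array from the result set of a SHOW GRANTS query through the DB layer.

// Parse one SHOW GRANTS row into [uppercased privilege list, scope], or null
// when the row is not a privilege grant (e.g. a PROXY or role grant).
function parse_grant_row(string $row): ?array
{
    if (!preg_match('/^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s/i', $row, $m)) {
        return null;
    }
    $privs = array_map('trim', explode(',', strtoupper($m[1])));
    return [$privs, str_replace('`', '', $m[2])];
}

// Return the entries of $required that the user does not hold on $db, counting
// global (*.*) and database-level (db.*) grants; ALL PRIVILEGES covers
// everything. Table-level grants are ignored because the updater may create
// and alter tables anywhere in the schema.
function missing_privileges(array $grant_rows, array $required, string $db): array
{
    $have = [];
    foreach ($grant_rows as $row) {
        $parsed = parse_grant_row($row);
        if ($parsed === null) {
            continue;
        }
        [$privs, $scope] = $parsed;
        if ($scope !== '*.*' && $scope !== $db . '.*') {
            continue;
        }
        if (in_array('ALL PRIVILEGES', $privs, true) || in_array('ALL', $privs, true)) {
            return [];
        }
        $have = array_merge($have, $privs);
    }
    return array_values(array_diff($required, $have));
}

// Constructed sample: the locked-down user described in the opening post.
$sample_grants = [
    "GRANT USAGE ON *.* TO 'txp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `textpattern`.* TO 'txp'@'localhost'",
];
$required = ['INSERT', 'UPDATE', 'DELETE', 'CREATE', 'DROP', 'INDEX', 'ALTER'];
$missing = missing_privileges($sample_grants, $required, 'textpattern');
if ($missing) {
    echo 'Cannot update. Please grant ' . implode(', ', $missing) . " and try again.\n";
}
```

Reporting only the missing privileges, rather than the whole required list, tells the administrator exactly what to grant; a user holding a global or database-level `ALL PRIVILEGES` passes without any per-privilege comparison.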


#3 2011-08-05 04:22:25

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,330

Re: Remind user to grant more permissions for MySQL user when updating

ande wrote:

Usually, I strip the permissions of the MySQL user down to SELECT, INSERT, UPDATE and DELETE for security reasons.

I’m curious why you think this would improve security.

I believe that once an attacker has gained access to your SQL server, she can introduce any malware by simply INSERTing code into txp_plugins, no matter whether she has been granted MODIFY permissions or not.


#4 2011-08-05 04:51:47

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: Remind user to grant more permissions for MySQL user when updating

wet wrote:

I believe that once an attacker has gained access to your SQL server, she can introduce any malware by simply INSERTing code into txp_plugins, no matter whether she has been granted MODIFY permissions or not.

MySQL has table level permissions.


#5 2011-08-05 07:53:01

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Remind user to grant more permissions for MySQL user when updating

Sure, but you need update privs on txp_prefs, I think, and because of that you can allow PHP in articles and you need to be able to change articles, so you can then insert PHP code there. You don’t need the ability to change the plugins table.

And for that matter, the value of a website is also in the content, so DELETE permissions on the main table is enough to cause problems (if you don’t have backups). This of course requires a way to execute such an SQL query, which isn’t possible through TXP if TXP doesn’t have any vulnerabilities.


#6 2011-08-05 08:02:47

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: Remind user to grant more permissions for MySQL user when updating

ruud wrote:

Sure, but you need update privs on txp_prefs, I think

Yes you do. At least because of the collapsing headers, the last-mod header (if used) and the list sorting options, even if you don’t plan on updating preferences.

Not that I would use it as a security feature either. To disable interface options, sure, where the set areas don’t have sub-permissions and just hiding the set element isn’t enough, although it’s as easily done with just a couple of lines of PHP in most cases.

I still think it could be nice if the updater checked the permissions before trying to update, preventing anything bad from happening because of missing permissions.

Last edited by Gocom (2011-08-05 08:07:48)


#7 2011-08-05 08:28:21

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Remind user to grant more permissions for MySQL user when updating

Or perhaps we should check if the query succeeded instead of returning an error. Because even if you have permission to do something, it could still fail.


#8 2011-08-05 09:27:32

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: Remind user to grant more permissions for MySQL user when updating

ruud wrote:

Or perhaps we should check if the query succeeded instead of returning an error. Because even if you have permission to do something, it could still fail.

To be honest, going by good practices that’s something that should be done for every query without exception, and especially when running an updater or another heavier task that could do a great deal of damage.

In the case of the updater, maybe it could be a combination of both. Gives the user more of an idea of what’s causing the issue.
