Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
#1 2011-08-04 21:29:22
- ande
- Member
- Registered: 2007-01-21
- Posts: 25
Remind user to grant more permissions for MySQL user when updating
Usually, I strip the permissions of the MySQL user down to SELECT, INSERT, UPDATE and DELETE for security reasons. This is a bad thing when trying to update Textpattern, as TXP may not modify / add new table fields and so on.
Solution: Whenever a Textpattern update is recognized by Textpattern and the appropriate permissions are not available for the database user, the upgrade should be put “on hold” until the issue is resolved. Textpattern should display some notice about that and stop the upgrade..
Wouldnt that be neat? :-)
Offline
Re: Remind user to grant more permissions for MySQL user when updating
ande wrote:
Wouldnt that be neat? :-)
Yes it would be neat if you ask me :) There has been some problems, not much but some, on these forum with updating in the past, some which might have been caused by same reasons as yours.
That said, wondering if something like this could be used:
--- /textpattern/update/_update.php 2011-08-05 04:15:12.000000000 +0300
+++ /textpattern/update/_update.patch.php 2011-08-05 04:55:22.000000000 +0300
@@ -22,6 +22,22 @@
if ( $txp_using_svn && (newest_file() <= $dbupdatetime) )
return;
+ $require_db_privs =
+ array(
+ 'INSERT',
+ 'UPDATE',
+ 'DELETE',
+ 'CREATE',
+ 'DROP',
+ 'INDEX',
+ 'ALTER'
+ );
+
+ if(($r = getThing('SHOW GRANTS')) && $r != false && $r = explode(', ', strtoupper($r)))
+ foreach($require_db_privs as $priv)
+ if(!in_array($priv, $r))
+ die('Can not update. Please grant '.implode(', ', $require_db_privs).' privs to Textpattern\'s database user and try again.');
+
@ignore_user_abort(1);
@set_time_limit(0);Small change to _update.php which would kill the page if the database user doesn’t have required privs. Don’t really know about backwards compatibility MySQL-wise tho.
Last edited by Gocom (2011-08-05 02:06:11)
Offline
Re: Remind user to grant more permissions for MySQL user when updating
ande wrote:
Usually, I strip the permissions of the MySQL user down to SELECT, INSERT, UPDATE and DELETE for security reasons.
I’m curious why you think this would improve security.
I believe that once an attacker has gained access to your SQL server, she can introduce any malware by simply INSERTing code into txp_plugins, no matter whether she has been granted MODIFY permissions or not.
Offline
Re: Remind user to grant more permissions for MySQL user when updating
wet wrote:
I believe that once an attacker has gained access to your SQL server, she can introduce any malware by simply INSERTing code into txp_plugins, no matter whether she has been granted MODIFY permissions or not.
MySQL has table level permissions.
Offline
Re: Remind user to grant more permissions for MySQL user when updating
Sure, but you need update privs on txp_prefs, I think, and because of that you can allow PHP in articles and you need to be able to change articles, so you can then insert PHP code there. You don’t need the ability to change the plugins table.
And for that matter, the value of a website is also in the content, so DELETE permissions on the main table is enough to cause problems (if you don’t have backups). This of course requires a way to execute such an SQL query, which isn’t possible through TXP if TXP doesn’t have any vulnerabilities.
Offline
Re: Remind user to grant more permissions for MySQL user when updating
ruud wrote:
Sure, but you need update privs on txp_prefs, I think
Yes you do. At least because of the collapsing headers, last-mod header (if used) and list sorting options, even if you don’t plan updating preferences.
Not that I would use it either as a security feature. To disable interface options, sure where the set areas don’t have sub-permissions and just hiding set element isn’t enough, altho it’s as easily done with just couple lines of PHP in most cases.
I still think it could be nice if the updater checked the permissions before trying to update, preventing anything bad from happening, because of missing permissions.
Last edited by Gocom (2011-08-05 08:07:48)
Offline
Re: Remind user to grant more permissions for MySQL user when updating
Or perhaps we should check if the query succeeded instead of returning an error. Because even if you have permission to do something, it could still fail.
Offline
Re: Remind user to grant more permissions for MySQL user when updating
ruud wrote:
Or perhaps we should check if the query succeeded instead of returning an error. Because even if you have permission to do something, it could still fail.
To be honest, going by good practices that’s something that should be done for every query without exception, and especially when running an updater or other heavier task that could do greater deal of damage.
In case of the updater, maybe it could be combination of both. Gives the user more of an idea what’s causing the issue.
Offline