The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
are vb database permissions safe?
Hi
vBulletin support inform me that the vbulletin user needs almost all permissions on the vbulletin database, apart from GRANT and those associated with views. I am pretty ignorant re security, but doesn't this mean that by default, should someone hack vbulletin, they can do almost anything to the underlying database? Does the default user really need this much power? Can someone reassure me as to why this isn't dangerous please? Thanks very much, Mike
#2
Yes, the mysql user that is assigned to the database does need to have all permissions granted. You may create a unique mysql user that is only to be used for that database. If someone manages to hack your server and get to your database, then you have bigger issues than worrying about just your vbulletin database. It is strongly suggested you make at least a daily database backup.
#3
He said he was talking about database permissions, so I assumed he meant the mysql database user needing all permissions to the database. If that isn't it, he can always come back and clarify what he means.
#4
Thanks both
Yes - Lynne is correct (was my original email not reasonably clear?!). It still seems odd to me. I take Lynne's point, but I know that at my previous workplace I would never have been allowed to create a web application user with so many permissions for normal everyday use. The DBAs and system people wouldn't have allowed it. Perhaps they are overly paranoid - I really don't understand security enough to know! Thanks again, Mike
--------------- Added 22 Oct 2014 --------------- Actually it could have been clearer, I guess!
#5
Which database permissions are you overly worried about, and why?
#6
Hi Zachery
Things like DROP, ALTER and CREATE bother me - perhaps unnecessarily, as I seem to be the only one! GRANT seems dodgy too (and since you said before it wasn't used, I will remove it). But it does seem to me that in normal use (i.e. a logged-in user making and reading posts) the vBulletin app needs to do CRUD, but not much else. Doing updates and maintenance tasks clearly needs more - but I would have expected a separate user with increased perms used for only those processes that need it. I can't help wondering if this is an issue, as previous colleagues who know more than I have insisted on using accounts with the minimal perms for the tasks in hand, and have claimed this is more secure. And, not being funny, but vB seems quite prone to security breaches... which is another reason why this seems suspiciously lax to me. But as I said - I know very little about security and how that sort of stuff works - so am happy to accept I am probably wrong. cheerio, Mike
#7
@Anolian, you bring up some good points and correctly so. I am sure many of us have increased the security of vBulletin per our particular hosting environment, but vBulletin must write their software to run on a multitude of hosts and environments. This alone complicates the issue of security and ease of installation, let alone an advanced permission install.
As you have stated above, I believe you should not rely on PHP level permissions to control sensitive database options. As you have already figured out, the solution for this is quite simple; it just makes it -- in my opinion -- too difficult for first-time users of the software and some of the environments out there. The modification system (which beginners use extensively) would be impossible to support. Anyway, good post. I liked it. Not that I know, but I am sure this is part of the thinking in the vb5 cloud release; you noticed they dropped the user API system for the release. Makes sense to me.
#8
We use drop, create and alter, in the upgrade/maintenance/scheduled tasks.
#9
@tbworld
Thanks for your comments. I take your points, but I still think vB could manage with 2 users, one with insert/update/delete on appropriate tables to allow users to register and contribute, with another with the more risky alter/drop/etc privileges. @Zachery I realise you use those permissions for admin tasks. My point was that they could be implemented in a more sophisticated manner (as is usually recommended), and that the security of the vB product might be improved as a result. Cheerio!
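The two-user split Mike proposes above (a runtime account limited to CRUD, and a separate maintenance account that also holds the DROP/ALTER/CREATE rights Zachery says the upgrade and scheduled-task code uses), written out in MySQL GRANT syntax as an added example. This is not vBulletin's own code or anything posted in the thread; the database name `vbdb`, the account names and passwords, the `localhost` restriction and the table name `post` are all assumptions for illustration, and vBulletin tables carry a per-installation prefix in practice.

```sql
-- Added example (not from the thread or from vBulletin).
-- Assumed names: database `vbdb`; accounts `vb_all`, `vb_app`, `vb_admin`,
-- all restricted to connections from localhost; table `post` is illustrative.

-- (a) The "almost everything" grant the thread describes: every privilege
--     on the one database.  ALL PRIVILEGES at database level does NOT
--     include GRANT OPTION unless WITH GRANT OPTION is appended.
CREATE USER 'vb_all'@'localhost' IDENTIFIED BY 'change-me';
GRANT ALL PRIVILEGES ON vbdb.* TO 'vb_all'@'localhost';
-- If GRANT OPTION was handed out earlier by accident, take it back:
REVOKE GRANT OPTION ON vbdb.* FROM 'vb_all'@'localhost';

-- (b) Runtime account: only what a visitor's page requests need (CRUD).
--     A SQL injection through the web tier then cannot change the schema.
CREATE USER 'vb_app'@'localhost' IDENTIFIED BY 'change-me-too';
GRANT SELECT, INSERT, UPDATE, DELETE ON vbdb.* TO 'vb_app'@'localhost';

-- (c) Maintenance account for installs, upgrades and scheduled tasks:
--     the CRUD rights plus the schema-changing ones.
CREATE USER 'vb_admin'@'localhost' IDENTIFIED BY 'change-me-three';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX
  ON vbdb.* TO 'vb_admin'@'localhost';

-- Check: list what each account can actually do.
SHOW GRANTS FOR 'vb_app'@'localhost';
SHOW GRANTS FOR 'vb_admin'@'localhost';

-- Check: while connected as vb_app (not as root), a schema change must fail:
--   DROP TABLE post;
-- expected:
--   ERROR 1142 (42000): DROP command denied to user 'vb_app'@'localhost' for table 'post'
```

The split only helps if the application really connects as `vb_app` for ordinary requests and the maintenance work (upgrades, scheduled tasks) can be run under `vb_admin`; as post #8 notes, vBulletin runs those tasks from the same application, so with a single set of credentials in its configuration the runtime account still has to carry the schema rights. `SHOW GRANTS` is the quick way to confirm an existing installation's account holds no more than intended, and in particular no GRANT OPTION.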
#10
Quote:
How much safer this all is... well that is a bigger debate.