Shouldn't we stop fooling people, ourselves included?
GRANT ALL ON dbname.* to 'compute01'@'hostname' IDENTIFIED BY 'NOVA_DBPASS' REQUIRE SSL
I've had some real discussions lately about WordPress, Drupal, Joomla and other CMS-based systems. It seems those CMS-based systems are not the only ones that are a danger when it comes to real exploits.
Let me explain. In the early 2000s I had a discussion with someone who worked at one of the larger ISPs in the Netherlands. It was about granting privileges on MySQL databases. My point was that customers should get the GRANT privilege on their own databases, so they would be able to work with different accounts for their visitors, their admins or even their contributors.
For lack of knowledge they decided to simply grant privileges on a database but not the GRANT OPTION on it. This caused people to work with one account only, and that is where the problem started.
Imagine visiting a dynamic site. The web server process, which in those days ran as user nobody and these days tends to run as www-data, fetches data from the database as a single database user. The scripts simply connect as that one user; it may have a strong password, but it grants access to all tables and all procedures.
What would happen if we used different database users depending on what kind of user is visiting the website? We could start granting each of them fewer privileges. An example:
Grant read rights on the article table
Grant read rights on the user table
Grant read rights on the foo table
That gives the normal visitor the right to read the content, not to alter it.
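As an added example (not code from the original post), here is what that split looks like as actual MySQL grants for a hypothetical CMS schema called cms. The table and column names (article, user, foo, display_name, password_hash) and the three account names are assumptions for illustration; the CREATE USER ... REQUIRE syntax assumes MySQL 5.7+ or MariaDB 10.2+, older versions put IDENTIFIED BY and REQUIRE on the GRANT as the post's own examples do. It goes one step beyond the post's list: on the user table the visitor gets column-level SELECT, so a public page can show author names without the account ever being able to read password hashes.

```sql
-- Added example, not from the original post. Schema 'cms' and the
-- table/column names are assumptions for illustration.

-- Anonymous visitor: read-only on content, and only the columns of the
-- user table a public page actually needs (never the password hash).
CREATE USER 'cms_visitor'@'localhost' IDENTIFIED BY 'visitor-secret' REQUIRE SSL;
GRANT SELECT ON cms.article TO 'cms_visitor'@'localhost';
GRANT SELECT (id, display_name) ON cms.user TO 'cms_visitor'@'localhost';
GRANT SELECT ON cms.foo TO 'cms_visitor'@'localhost';

-- Logged-in contributor: may add and edit articles, still cannot touch
-- other users' accounts.
CREATE USER 'cms_contributor'@'localhost' IDENTIFIED BY 'contrib-secret' REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE ON cms.article TO 'cms_contributor'@'localhost';
GRANT SELECT (id, display_name) ON cms.user TO 'cms_contributor'@'localhost';
GRANT SELECT ON cms.foo TO 'cms_contributor'@'localhost';

-- Admin: full data access on these tables, but still no GRANT OPTION
-- and no schema rights (CREATE, ALTER, DROP stay with a deploy account).
CREATE USER 'cms_admin'@'localhost' IDENTIFIED BY 'admin-secret' REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE, DELETE ON cms.article TO 'cms_admin'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON cms.user TO 'cms_admin'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON cms.foo TO 'cms_admin'@'localhost';

-- Check what the visitor account can actually do.
SHOW GRANTS FOR 'cms_visitor'@'localhost';

-- A SQL injection in a visitor page now fails instead of leaking hashes.
-- Run as cms_visitor:
--   SELECT password_hash FROM cms.user;
-- gives:
--   ERROR 1143 (42000): SELECT command denied to user 'cms_visitor'@'localhost'
--   for column 'password_hash' in table 'user'
```

The web application picks the connection credentials from the session (anonymous, contributor or admin) rather than from a single config file entry, so a bug in the public part of the site can at worst read what the public part is allowed to read.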
Why the hell would we need something like that?
We simply need it. Why would an ATM let you modify your card? And why would we let user nobody access the admin tables?
What worries me is software like OpenStack that simply uses the same privileges everywhere. Why the fuck do we GRANT ALL to foo@bar and let others connect with it? Please, fix this.
Some more issues:
GRANT ALL on dbname.* to 'compute01'@'hostname' IDENTIFIED BY 'NOVA_DBPASS' REQUIRE SUBJECT '/C=XX/ST=YYY/L=ZZZZ/O=cloudycloud/CN=compute01' AND ISSUER '/C=XX/ST=YYY/L=ZZZZ/O=cloudycloud/CN=cloud-ca';
There is no need for GRANT ALL. I can always help you to be more secure :-)
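As an added example (not code from the original post and not OpenStack's own documentation), here is the weak grant from above next to a narrowed one, plus two audit queries to find accounts that still have too much. The account, host and certificate names come from the post; which privileges the service truly needs is an assumption (here: plain data manipulation, with schema changes done by a separate, rarely used deploy account on a hypothetical host deployhost). The CREATE USER ... REQUIRE syntax assumes MySQL 5.7+ or MariaDB 10.2+.

```sql
-- Added example, not from the original post or from OpenStack's docs.
-- The set of privileges the service needs is an assumption.

-- Weak: everything on the schema (DROP, ALTER, and the right to read or
-- rewrite any table) handed to a service account that runs on every node.
-- GRANT ALL ON dbname.* TO 'compute01'@'hostname' IDENTIFIED BY 'NOVA_DBPASS' REQUIRE SSL;

-- Corrected: keep the client-certificate pinning from the post's second
-- grant, but hand out only what a running service needs.
CREATE USER 'compute01'@'hostname' IDENTIFIED BY 'NOVA_DBPASS'
  REQUIRE SUBJECT '/C=XX/ST=YYY/L=ZZZZ/O=cloudycloud/CN=compute01'
      AND ISSUER  '/C=XX/ST=YYY/L=ZZZZ/O=cloudycloud/CN=cloud-ca';
GRANT SELECT, INSERT, UPDATE, DELETE ON dbname.* TO 'compute01'@'hostname';

-- Schema migrations get their own account, allowed only from the host
-- that runs deployments (hypothetical host name).
CREATE USER 'dbname_migrate'@'deployhost' IDENTIFIED BY 'MIGRATE_DBPASS' REQUIRE SSL;
GRANT CREATE, ALTER, DROP, INDEX, SELECT, INSERT, UPDATE, DELETE
   ON dbname.* TO 'dbname_migrate'@'deployhost';

-- Audit 1: who holds which privilege on the schema, and who may pass it on.
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE TABLE_SCHEMA = 'dbname'
 ORDER BY GRANTEE, PRIVILEGE_TYPE;

-- Audit 2: accounts that may still connect without TLS at all.
SELECT user, host
  FROM mysql.user
 WHERE ssl_type = '';
```

REQUIRE SUBJECT and ISSUER only decide who may connect; they do nothing about what the account can do once connected, which is why the narrowed GRANT matters just as much as the certificate check. Run the two audit queries as an administrative user after every deployment; any row showing ALL PRIVILEGES or IS_GRANTABLE = 'YES' for a service account, or an empty ssl_type, is a grant to revisit.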