Hans Wolters

Enjoy ;-)

Type 405 Weizenmehl. It might not be as good on the inside as it looks on the outside.

My first Weizenbrot.

My first take at making baguettes... (edit, thanks dupiment.)

At least let us have some fun in these dark days :-)

Shouldn't we stop fooling people, ourselves included?

GRANT ALL ON dbname.* TO 'compute01'@'hostname' IDENTIFIED BY 'NOVA_DBPASS' REQUIRE SSL;

I had some real discussions about WordPress, Drupal, Joomla and other CMS-based systems lately. It seems those CMS-based systems are not the only ones that are a danger for real exploits.

Let me explain. In the early 2000s I had a discussion with someone who worked at one of the larger ISPs in the Netherlands. It was about granting privileges on MySQL databases. My point was to offer them GRANT privileges on their own databases so they would be able to work with different accounts for their visitors, their admins or even their contributors.

The lack of knowledge made them decide to simply grant privileges on a database but not the GRANT right on it. This caused people to work with one account only, and this is where the problem started.

Imagine visiting a dynamic site. The web-server child process fetches data from a database as a single user; in those days it was called user nobody, these days we tend to have user www-data for it.
The scripts would simply connect to the database as that one user. It might have a strong password, but it grants you access to all tables and all procedures.

What would happen if we started using different database users depending on what kind of user is visiting the website? We could grant each of them fewer privileges. An example:

Grant read rights on the article table
Grant read rights on the user table
Grant read rights on the foo table

That gives the normal visitor the right to read the content, not to alter it.

Why the hell would we need something like that?

We simply need it. Why would an ATM let you change your card, and why would we let user nobody access the admin tables?

What worries me is software like OpenStack that is simply using the same privileges. Why the fuck do we grant all on foo@bar and let others connect to it? Please, fix this.

Some more issues:

GRANT ALL on dbname.* to 'compute01'@'hostname' IDENTIFIED BY 'NOVA_DBPASS' REQUIRE SUBJECT '/C=XX/ST=YYY/L=ZZZZ/O=cloudycloud/CN=compute01' AND ISSUER '/C=XX/ST=YYY/L=ZZZZ/O=cloudycloud/CN=cloud-ca';

There is no need for a grant all. I can always help you to be more secure :-)
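As an added example (not part of the original post, and not OpenStack's own documentation), here is what the split into per-role accounts looks like in MySQL, covering both the visitor/contributor/admin idea above and the compute01 account quoted from the OpenStack docs. Database name, table names, hosts and passwords are placeholders, and it assumes that schema migrations (the statements that create and alter tables) are run under a separate account, which is why none of the runtime accounts get DDL rights or GRANT OPTION.

```sql
-- Added example, not from the original post. dbname, the table names,
-- the hosts and all passwords are placeholders.

-- Visitor role: read-only on the content tables, exactly as listed above.
CREATE USER 'www_visitor'@'localhost' IDENTIFIED BY 'VISITOR_PASS_PLACEHOLDER';
GRANT SELECT ON dbname.article TO 'www_visitor'@'localhost';
GRANT SELECT ON dbname.user    TO 'www_visitor'@'localhost';
GRANT SELECT ON dbname.foo     TO 'www_visitor'@'localhost';

-- Contributor role: may add and edit articles but cannot touch the user table.
CREATE USER 'www_contrib'@'localhost' IDENTIFIED BY 'CONTRIB_PASS_PLACEHOLDER';
GRANT SELECT, INSERT, UPDATE ON dbname.article TO 'www_contrib'@'localhost';
GRANT SELECT ON dbname.foo TO 'www_contrib'@'localhost';

-- Admin role: full data access on every table, but still no GRANT OPTION and
-- no DDL on the live schema (schema changes belong to a migration account).
CREATE USER 'www_admin'@'localhost' IDENTIFIED BY 'ADMIN_PASS_PLACEHOLDER';
GRANT SELECT, INSERT, UPDATE, DELETE ON dbname.* TO 'www_admin'@'localhost';

-- The compute01 account from the post: the certificate requirements stay,
-- but GRANT ALL is replaced by the DML a running service actually needs.
-- (CREATE USER carries the password and REQUIRE clause; IDENTIFIED BY inside
-- GRANT is deprecated in MySQL 5.7 and removed in 8.0.)
CREATE USER 'compute01'@'hostname' IDENTIFIED BY 'NOVA_DBPASS'
  REQUIRE SUBJECT '/C=XX/ST=YYY/L=ZZZZ/O=cloudycloud/CN=compute01'
      AND ISSUER  '/C=XX/ST=YYY/L=ZZZZ/O=cloudycloud/CN=cloud-ca';
GRANT SELECT, INSERT, UPDATE, DELETE ON dbname.* TO 'compute01'@'hostname';

-- Check what each account really ended up with; no line should say ALL
-- PRIVILEGES or WITH GRANT OPTION.
SHOW GRANTS FOR 'www_visitor'@'localhost';
SHOW GRANTS FOR 'www_contrib'@'localhost';
SHOW GRANTS FOR 'www_admin'@'localhost';
SHOW GRANTS FOR 'compute01'@'hostname';
```

The point of the SHOW GRANTS lines is that a privilege set is only as narrow as what the server reports, not what the script intended; running them after every grant change is the cheapest way to catch an accidental ALL.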

Funny, after an update of the firmware of my DSL router or a kernel update I wasn't able to reach anymore when using apt. After some research I found some articles about setting the precedence in /etc/gai.conf.

precedence ::ffff:0:0/96  100

This helped, but I am wondering what triggered it to only look at IPv6. Anyone? And is there a better solution to fix this? I know I should start using IPv6, but I need some time to make the switch.
