Allow external access to specific user in MariaDB 10.3 - mariadb
I'm trying to configure a limited external access to MariaDB 10.3
What I want
The user can only access to a view from an external access but shouldn't be able to be connected as root even if he has the password.
Initial configuration
Using the default forge configuration we start with theses users:
$ mysql -u root -p
> use information_schema;
> select * from user_privileges;
Full result: https://pastebin.com/kNNVUjrz
TLDR;
Two root users:
root accessible from : [localhost, 127.0.0.1, ::1, 51.99.999.101*, %]
forge accessible from : [51.99.999.101*, %]
One weird user:
debian-sys-maint accessible from : [localhost]
.* This is obviously a fake public ip
Configuration I want
root accessible from : [localhost, 127.0.0.1, ::1, 51.99.999.101]
forge accessible from : [localhost, 127.0.0.1, ::1, 51.99.999.101]
dummyuser accessible form : [%]
The problem
When I remove the user 'forge'#'%' but keep 'forge'#'localhost', the user (dummyuser) has no more privileges.
ERROR 1045 (28000): Access denied for user 'dummyuser'#'%' (using password: YES)
Details of what I did
connected through SSH to the server
$ mysql -u forge -p
> create database mydb;
> create view mydb.v as select user();
> create user dummyuser identified by 'password';
> grant select on mydb.v to dummyuser;
> select * from information_schema.user_privileges where grantee like '%dummyuser%';
GRANTEE: 'dummyuser'#'%'
TABLE_CATALOG: def
PRIVILEGE_TYPE: USAGE
IS_GRANTABLE: NO
Connected through my local PC
$ mysql -u dummyuser -h 51.99.999.101 -p
> select * from mydb.v;
Returns what we want: dummyuser#adsl-178-xx-xxx-123.adslplus.ch
But now when I delete the user 'forge'#'%' through SSH (with root this time):
Important Note: Doing this step before creating the dummyuser did not solve the problem.
$ mysql -u root -p
> drop user 'forge'#'%';
> create user 'forge'#'localhost' identified by 'passowrd';
> grant all privileges on *.* to 'forge'#'localhost' with grant option;
> flush privileges;
Here come the problem: When I logon with dummyuser and try again:
$ mysql -u dummyuser -h 51.99.999.101 -p
> select * from mydb.v;
ERROR 1045 (28000): Access denied for user 'dummyuser'#'%' (using password: YES)
Start by finding out what rows exist in the grant tables. It looks like you may have done such, but let's do it two steps:
SELECT user, host FROM mysql.user;
Then, for each of those, do (with ... appropriately filled in):
SHOW GRANTS FOR '...'#'...'
Now take the GRANT ... TO ... statements that that produced, turn them into REVOKE ... FROM ... (and remove the password clause).
Run those REVOKEs plus any new GRANTs you need. But be sure that a typo does not lock you out. Stay connected while you connect elsewhere and check the results.
With the help of #rick-james I got a working case.
I had to (re)create a user 'forge'#'%' with the same restricted access than 'dummyuser'#'%'.
'forge'#'localhost' keep is privileges root
> show grants for root#localhost;
GRANT ALL PRIVILEGES ON *.* TO 'root'#'localhost' IDENTIFIED BY PASSWORD '*****' WITH GRANT OPTION
GRANT PROXY ON ''#'%' TO 'root'#'localhost' WITH GRANT OPTION
> show grants for forge#localhost;
GRANT ALL PRIVILEGES ON *.* TO 'forge'#'localhost' IDENTIFIED BY PASSWORD '*****' WITH GRANT OPTION
> show grants for 'forge'#'%';
GRANT USAGE ON *.* TO 'forge'#'%' IDENTIFIED BY PASSWORD '*****'
GRANT SELECT ON `mydb`.`v` TO 'forge'#'%'
> show grants for 'dummyuser'#'%';
GRANT USAGE ON *.* TO 'dummyuser'#'%' IDENTIFIED BY PASSWORD '*****'
GRANT SELECT ON `mydb`.`v` TO 'dummyuser'#'%'
Now when I create dummyuser3#% with the user forge#localhost and grant him: grant select on mydb.v to dummyuser3; the dummyuser3 will be able to select the view.
In case a user get access to forge#%, because of the restriction, it will only be able to select the view. Which is an acceptable solution.
[Edit] It works with THIS scenario: create view mydb.v as select user();
In a real world, my view is based on an another table. In that case, the user 'forge'#'%' also needs the privilege to select on that table.
This is a less acceptable solution. But that's the only one I got.
In definitive, the question is still open
Related
Why does mariabackup always give me access denied?
Context Running MariaDb 10.6.7 on Windows 11. Trying to use mariabackup to do a partial backup of my database. Database, target backup folder and backup process all on the same PC. Issue In a batch file I have this: cd C:\"Program Files\MariaDB 10.6\bin" mariabackup --backup --target-dir='D:\OneDrive\Backups\MariaDb' --databases-exclude="*test" --user=root --password=myPasswordWithNoQuotes Which keeps giving me the response: Failed to connect to MariaDB server: Access denied for user 'root'#'localhost' (using password: YES) Things I've checked Running the batch file as administrator root has full priviliges Password is correct - checked by logging into root with MySQL Workbench and MySQLClient and HeidiSQL. Question How do I set access rights so that the backup can proceed?
When I changed the root password to something simple everything worked. So it looks like the issue was a special character in the password (a % character perhaps) or the way that the password parameter was formed in the mariabackup command.
How can I fix this login error in MariaDB?
I recently install MariaDB and use DB but it has error on login I check my plugin root localhost mysql_native_password Enter password: ERROR 1698 (28000): Access denied for user 'root'#'localhost' How can I fix??
Recent versions of MariaDB will authenticate users via unix_socket plugin when connecting via unix_socket (localhost). So if you need to connect as root, just do a $ sudo mysql and enter password afterwards.
phpMyAdmin Cannot log in to the MySQL server on Centos 7
I installed mysql-community-server-8.0.13-1.el7.x86_64 on Centos 7 with Nginx, and added the phpMyAdmin to manage the databases but I keep getting error Cannot log in to the MySQL server from phpMyAdmin. I've tried the following and have been struggling for a few days now: Changed some of the parameters (suggested on stackoverflow) located on /etc/phpMyAdmin/config.inc.php like the following but no luck: $cfg['Servers'][$i]['host'] = 'localhost'; $cfg['Servers'][$i]['connect_type'] = 'socket'; $cfg['Servers'][$i]['socket'] = '/var/lib/mysql/mysql.sock'; $cfg['Servers'][$i]['user'] = 'root'; $cfg['Servers'][$i]['password'] = 'password'; I've tried mysql shell, and I'm able to login with root and other users. But, I have no idea why it fails on phpMyAdmin. Please help and thanks!
I was able to resolve this by doing the following: (I should mention that this solution works for MySQL 8.0.13 and phpMyAdmin 4.8.4 - Both, latest version today) 1- I edited config.inc.php with these server parameters (only): /*** This is needed for cookie based authentication to encrypt password in cookie. Needs to be 32 chars long. */ $cfg['blowfish_secret'] = 'generate_your_blowfish_secret_32_chars'; /* Authentication type */ $cfg['Servers'][$i]['auth_type'] = 'cookie'; /* Server parameters */ $cfg['Servers'][$i]['host'] = 'localhost'; $cfg['Servers'][$i]['compress'] = false; $cfg['Servers'][$i]['AllowNoPassword'] = false; 2- On MySQL terminal //Create a new user: mysql> CREATE USER 'user'#'localhost' IDENTIFIED BY 'your_password'; //Grant all privileges: mysql> GRANT ALL PRIVILEGES ON *.* To 'user'#'localhost' WITH GRANT OPTION; //Flush all privileges: mysql> FLUSH PRIVILEGES; //Change authentication_string with password: mysql> ALTER USER user IDENTIFIED WITH mysql_native_password BY 'your_password'; //Login with the new user and password! This should allow you to login into phpMyAdmin. I hope this help!
This work for me : sudo mysql ALTER USER 'root'#'localhost' IDENTIFIED WITH mysql_native_password BY 'YourNewPassword';
On CentOS 7, I had to: uncomment the "default-authentication-plugin=mysql_native_password" line in /etc/my.cnf (then systemctl restart mysqld) ALTER USER 'user'#'localhost' IDENTIFIED WITH mysql_native_password BY 'your-password'; A minor tweak on the accepted answer from Jacman above. I had tried everything else, but was missing the 'WITH mysql_native_password' clause
Debian Stretch MariaDB cannot authenticate from PHP application
I'm using a fresh installation of Debian Stretch, and installed PHP7 and MariaDB as recommended: sudo apt-get install nginx mariadb-server mariadb-client php-mysqli php7.0-fpm php7.0-curl Then using sudo mysql_secure_installation I followed the prompts to remove test users etc. MariaDB seems to use unix_socket authentication (which is a new concept to me). I like how it restricts root access to sudoers and allows me to grant DB permissions to specific OS users. However I'd prefer to assign individual user/passwords for each web application running on the server. They all run as www-data user on the system and I see no reason to let them share databases. So I created a user for my first PHP script and granted access to a new database: CREATE USER 'telemetry'#'localhost' IDENTIFIED BY 'yeah_toast'; UPDATE mysql.user SET plugin='mysql_native_password' WHERE user='telemetry'; GRANT ALL PRIVILEGES ON telemetry TO 'telemetry'#'localhost'; FLUSH PRIVILEGES; But it refuses to let me connect from the application: [error] 19336#19336: *20 FastCGI sent in stderr: "PHP message: PHP Warning: mysqli::real_connect(): (HY000/1045): Access denied for user 'telemetry'#'localhost' (using password: YES) in /path/to/database.inc.php on line 30 The credentials I'm using from the application are as follows: Host: localhost (also tried 127.0.0.1) Username: telemetry Password: yeah_toast Database: telemetry I tried deleting and re-creating the username in case it was a password problem, and creating a user #'localhost' and #'%' but none seem to work. In fact when I log in using the same credentials from the command line without sudo it works great (mysql -utelemetry -p). Am I missing a MariaDB configuration step here?
How to verify if SFTP access has been granted on a server
How can we verify that SFTP access has been granted on a server, without installing any software/tools?
Most servers have curl and scp installed, which you can use to log into an SFTP server. To test if your credentials work using curl, you could do this: $ curl -u username sftp://example.org/ Enter host password for user 'username': Enter your password and if it works you'll get a listing of files (like ls -al), if it doesn't work you'll get an error like this: curl: (67) Authentication failure You could also try using scp: $ scp username#example.org:testing . Password: scp: testing: No such file or directory This verifies that you that you were able to log in, but it couldn't find the testing file. If you weren't able to log in you'd get a message like this: Permission denied, please try again. Received disconnect from example.org: 2: ...error message...
One of the many ways to check for SFTP access using password based authentication: sftp username#serverName or sftp username#serverIP And then entering password. You will get "Permission denied, please try again." message if it fails otherwise you will be allowed inside the server with screen- sftp> You can test it fully works with commands like ls, mkdir etc.
Try logging in. Not being snarky -- that really is probably the simplest way. By 'verify[ing] that SFTP access has been granted," what you're really doing is checking is a particular l/p pair is recognized by the server.
Alternatively, other than doing the "sftp -v" command mentioned above, you can always cat the SSH/SFTP logs stored on any server running sshd and direct them to a file for viewing. A command set like the following would work, where 1.1.1 would be the /24 of the block you are trying to search. cd /var/log/ cat secure.4 secure.3 secure.2 secure.1 secure |grep sshd| grep -v 1.1.1> /tmp/secure.sshd.txt gzip -9 /tmp/secure.sshd.txt
G'day, What about telnet on to port 115 (if we're talking Simple FTP) and see what happens when you connect. If you don't get refused try sending a USER command, then a PASS command, and then a QUIT command. HTH cheers,
In SFTP , the authentication can be of following types : 1. Password based authetication 2. Key based authentication But if u r going for key based authentication then u have to prepare setup according to that and proceed the login procedure.If the key based authentication fails it automatically asks for password means it automatically switches to password based mode. By the way if u want to verify u can use this on linux : "ssh -v user#IP " It will show u all the debug messages , and if the authentication is passed u will be logged in otherwise u will get "Permission denied". Hope this will help u.