Web lists-archives.com

Re: When to create a new user?

Am 19.08.2015 um 15:18 schrieb Jim:
On 8/19/2015 8:40 AM, Reindl Harald wrote:

Am 19.08.2015 um 14:29 schrieb Richard Reina:
I am writing a web application in perl that will create, edit, update
delete data from a MySQL database. I have written a perl module that
manage the connections (issue database handles ). As new users sign up
the application should each get their own MySQL username and password
or is
okay to execute their queries with the same (one generic) MySQL username
and password?

one generic for the application

since you normally never ever should connect as root to your application
it even don't have the permissions to add mysql-users

how would you even imagine working with a usertable on your applications
side which is for every user different - chicken/egg

One generic, non-admin user is what you'll find in most apps.

Some developers take the approach of creating several users based on
level of operation and least privilege, particularly for public facing

So, for example, if the operation is to delete data, that might be one
user. Perhaps there is some very sensitive data in the environment and
you'll create a given user for accessing that data and no other user has
access to that data.

Each user is given no greater access than is required based on the
intent of that user.

Then the given script connects with the appropriate user here.

Of course, you should program against and have defenses for db-related
vulnerabilities like SQL-injection, but the thinking with the multiple
users is if you had a script that was vulnerable to some exploit, the
damage would be limited to the privileges of the mysql user used to
connect to your database. It's a bit harder to manage and requires some
more planning up front, but it adds to damage control in case of a db
related exploit. You'd make this call based on how sensitive and
important your data is and how much effort you are willing to put into
the planning and design.

yes, but what has this all to do with "As new users sign up for the application" and create a own mysql-user for each application user?

Attachment: signature.asc
Description: OpenPGP digital signature