[howto] For those who don't like trusts

Started by shaun, April 11, 2005, 06:57:08 PM


shaun

One of the things I don't like from a security standpoint is trusts set up between two machines. If one machine is hacked and it has a trust with any other machine, a hacker can see those trusts and use them to gain access to the other machine.

My solution to this problem was to add a user to MySQL who had minimal privs to the database/tables and run nt_export_djb on each nameserver. If any of you want to do this, here is a list of grants for MySQL 4.0.x that should allow nt_export_djb to import the data.

-- Create the account (in MySQL 4.0.x, GRANT ... IDENTIFIED BY creates it) with no privileges yet
GRANT USAGE ON nictool.* TO 'remoteuser'@'remoteip' IDENTIFIED BY 'A-strong-password';
-- Write access only to the two export bookkeeping tables
GRANT SELECT, INSERT, UPDATE ON `nictool`.`nt_nameserver_export_log` TO 'remoteuser'@'remoteip';
GRANT SELECT, INSERT, UPDATE ON `nictool`.`nt_nameserver_export_procstatus` TO 'remoteuser'@'remoteip';
-- Read-only access to the data the export actually needs
GRANT SELECT ON `nictool`.`nt_nameserver` TO 'remoteuser'@'remoteip';
GRANT SELECT ON `nictool`.`nt_zone_record` TO 'remoteuser'@'remoteip';
GRANT SELECT ON `nictool`.`nt_zone` TO 'remoteuser'@'remoteip';


Abe showed some concern about too many of these processes running and basically causing the manager to slow down (because of table locking and load), but if you only have 4 export processes running at 5-minute intervals or more, I don't think you'll have a problem. One of my NicTool installs that I manage has 80,000 records in the nt_zone_record table and only takes about 1 second or so to run the MySQL statement. I also manage another database (non-NicTool) that has over 25 million records, and a select takes about 2-5 seconds on a 1 GHz Celeron with 512 MB RAM and a default MySQL install (no optimization from me).


NOTE: I'm not saying you should run your NicTool like this, just saying it's another way. I'm sure others will post their comments and concerns.
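Two checks worth doing once the grants above are in place, as an added example (not part of shaun's post or of NicTool itself): confirm from the admin side that the account really carries nothing beyond the listed tables, and confirm from the nameserver side that writes to zone data and reads of unrelated tables are refused. Because the export user's password now travels over the network from each nameserver, the USAGE grant is shown with a REQUIRE SSL clause, which assumes the MySQL 4.0.x server was built with OpenSSL support. The table name `nt_user` and the column `nt_zone.zone` are assumed names used only to make the denial visible.

```sql
-- Added example, not from the original post. Assumes MySQL 4.0.x, the `nictool`
-- database, and that 'remoteip' has been replaced with the nameserver's address.

-- (admin session) Tighten the account-creating grant so the export user's
-- password is only ever sent over an SSL connection. Assumes an SSL-enabled build.
GRANT USAGE ON nictool.* TO 'remoteuser'@'remoteip'
  IDENTIFIED BY 'A-strong-password' REQUIRE SSL;
FLUSH PRIVILEGES;

-- (admin session) Review exactly what the account holds; the output should list
-- only the USAGE line plus the five table-level grants and nothing on nt_user,
-- nt_group, or any other table.
SHOW GRANTS FOR 'remoteuser'@'remoteip';

-- (remoteuser session, connected from 'remoteip' with --ssl) Reads the export
-- needs must work:
SELECT COUNT(*) FROM nictool.nt_zone_record;

-- Writes to zone data must be refused. WHERE 1=0 guarantees no row would change
-- even if the grant were wrong; the point is the error, which on MySQL 4.0 is
-- ERROR 1142: UPDATE command denied to user ... for table 'nt_zone'.
UPDATE nictool.nt_zone SET zone = zone WHERE 1 = 0;

-- Tables outside the grant list must be unreadable, which keeps a compromised
-- nameserver from lifting NicTool logins. Expected: ERROR 1142 (SELECT command denied).
-- `nt_user` is an assumed table name here.
SELECT * FROM nictool.nt_user LIMIT 1;

-- If either statement above succeeds, the account has more than it should:
-- REVOKE ALL PRIVILEGES ON nictool.* FROM 'remoteuser'@'remoteip'; and re-apply the grants.
```

The two expected failures are the real test: a SHOW GRANTS that looks right but a remoteuser session that can still UPDATE nt_zone means the grants were applied to a different user@host pair (a wildcard host entry, for instance), so check the `user` and `host` columns in `mysql.user` and `mysql.tables_priv` before trusting the result.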