Add utility command to spawn shell/REPL #44

Open
opened 2024-08-08 10:29:52 +02:00 by oysteikt · 1 comment
Owner

People should probably learn how to spawn mysql shells themselves, but considering that the config contains all of the configuration required (host, port, etc.) it might be a nice utility command. It should allow you to specify a user and a database. If the tool does not exist in path, just report an error.

Ensure we drop suid/guid privileges first to avoid any funny business?

oysteikt added the feature request label 2024-08-08 10:29:52 +02:00
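The ordering the issue asks for (drop set-uid/set-gid privileges first, then look the client up in `$PATH` and report an error if it is missing), as an added example that is not part of the original issue or the project's code. It assumes Linux `setreuid`/`setregid` semantics; the function names and the host, port, user and database values are constructed for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-uid/set-gid privileges. Returns 0 on success. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Group first: once the uid is dropped we may lack permission to. */
    if (setregid(rgid, rgid) != 0) return -1;
    /* Setting the real uid also resets the saved set-user-ID (Linux). */
    if (setreuid(ruid, ruid) != 0) return -1;

    /* Verify: an unprivileged caller must not be able to switch back. */
    if (ruid != 0 && egid != rgid && setegid(egid) == 0) return -1;
    if (ruid != 0 && euid != ruid && seteuid(euid) == 0) return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Run argv[0] from $PATH as the invoking user. Returns its exit status,
 * 127 if the tool is not in $PATH, 126 if the drop or the exec failed. */
int spawn_client(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges() != 0) _exit(126);
        execvp(argv[0], argv);              /* only returns on failure */
        int err = errno;
        fprintf(stderr, "cannot run %s: %s\n", argv[0], strerror(err));
        _exit(err == ENOENT ? 127 : 126);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed values standing in for host/port read from the config. */
    char *argv[] = { "mysql", "--host=db.example.org", "--port=3306",
                     "--user=alice", "-p", "alice_db", NULL };
    return spawn_client(argv);
}
```

Because the drop happens before `execvp`, a client binary picked up from a user-controlled `$PATH` only ever runs with the invoking user's own privileges.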
Author
Owner

This is hard if we keep only using the hashed-password-stored-in-mysql type auth plugins, but it's seemingly possible to activate more than one plugin? Ref https://mariadb.com/kb/en/create-user/#identified-viawith-authentication_plugin

> One can specify many authentication plugins, they all work as alternative ways of authenticating a user:
>
> ```sql
> CREATE USER safe@'%' IDENTIFIED VIA ed25519 USING PASSWORD('secret') OR unix_socket;
> ```

Could we somehow use our privileged mysql user to access the database, drop privileges, and then forward the connection to the user? Or maybe temporarily activate another authentication plugin, send a token to the client, have it log in using that token, report back, and disable the plugin again?

oysteikt added the question label 2024-08-20 18:23:47 +02:00