[debian-mysql] Backporting the mysql_no_login plugin

Honza Horak hhorak at redhat.com
Fri Oct 24 07:53:46 UTC 2014


That sounds fine to me, +1 for back-porting to 5.6.

Honza

On 10/24/2014 09:49 AM, Norvald H. Ryeng wrote:
> Hi package maintainers,
>
> We have a new plugin in MySQL 5.7 that makes it possible to have
> accounts that can't log in:
>
> CREATE USER foo@localhost IDENTIFIED WITH 'mysql_no_login';
>
> The mysql_no_login plugin simply denies all login attempts. This is
> useful for users that are created, e.g., to serve as proxy users, or
> as owners of stored programs/functions, views or events.
>
> This new plugin doesn't fix known security defects in the server, but
> does provide new and better means to harden security. Best practices
> for security include application of least-required privileges, and in
> some cases, that means no client connections for privileged
> accounts. This new plugin provides means to implement such
> restrictions in a standard way.
>
> Because of the security benefits, we'd like to discuss backporting it
> to 5.6. Like you, we don't like big changes to GA releases, but this
> time we think it has a good use case, it's safe and has a very low
> risk of regressions:
>
>   - Since this is a plugin, it doesn't touch server code
>   - All new code is in a plugin that must be enabled explicitly by the
>     DBA
>   - The code itself is very simple. It's only one line of "real" code
>     (unconditionally return authentication failure), plus necessary
>     plugin plumbing to fill out the plugin API.
>
> If we backport this to 5.6, there are multiple ways to avoid it:
>
>   - Apply a patch from us to remove the plugin
>   - Don't build it
>   - Build it, but don't ship it
>   - Build and ship it, but don't use it (in any case, the DBA has to
>     enable it and alter the user accounts to use it)
>
> So what do you think about backporting this? The only thing you'll
> notice is one more file in the plugins directory.
>
> Regards,
>
> Norvald
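
The stored-program-owner use case from the quoted message, as an added example that is not part of the original thread or the MySQL project's code. The schema, table, account names and password are constructed placeholders, and the statements assume an administrative session in the mysql command-line client (DELIMITER is a client command) on a Unix-like build where the plugin library is mysql_no_login.so.

```sql
-- Added example; schema, table and account names are constructed placeholders.
-- Load the plugin; it must be enabled explicitly by the DBA.
INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';

CREATE DATABASE IF NOT EXISTS app;
CREATE TABLE IF NOT EXISTS app.audit_log (
  id      INT AUTO_INCREMENT PRIMARY KEY,
  msg     VARCHAR(255) NOT NULL,
  created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
);

-- Owner account: holds the table privilege but can never authenticate.
CREATE USER 'sp_owner'@'localhost' IDENTIFIED WITH 'mysql_no_login';
GRANT INSERT ON app.audit_log TO 'sp_owner'@'localhost';

-- The routine executes with sp_owner's privileges (SQL SECURITY DEFINER).
DELIMITER //
CREATE DEFINER = 'sp_owner'@'localhost'
PROCEDURE app.write_audit(IN p_msg VARCHAR(255))
  SQL SECURITY DEFINER
BEGIN
  INSERT INTO app.audit_log (msg) VALUES (p_msg);
END//
DELIMITER ;

-- Application login: may call the routine, has no direct table access.
CREATE USER 'app_rw'@'localhost' IDENTIFIED BY 'change-me-placeholder';
GRANT EXECUTE ON PROCEDURE app.write_audit TO 'app_rw'@'localhost';

-- Check 1: accounts that are denied all client logins.
SELECT User, Host, plugin
FROM mysql.user
WHERE plugin = 'mysql_no_login';

-- Check 2: definers of stored routines that are still able to log in.
-- information_schema.ROUTINES.DEFINER is stored as 'user@host'.
SELECT r.ROUTINE_SCHEMA, r.ROUTINE_NAME, r.DEFINER, u.plugin
FROM information_schema.ROUTINES AS r
JOIN mysql.user AS u
  ON CONCAT(u.User, '@', u.Host) = r.DEFINER
WHERE r.SECURITY_TYPE = 'DEFINER'
  AND u.plugin <> 'mysql_no_login';
```

Check 2 lists every definer-security routine whose owner can still authenticate, which is the set of accounts to review for conversion to mysql_no_login.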



