Stop granting SUPER to your application users
Hey y’all, I need to rant a bit about a basic security principle for a minute.
Very often when I’m reviewing permissions for clients, I will find that application users have been granted the SUPER privilege in MySQL.
Please keep reading to find out why you should never do this!
Authorization security
If you have ever had your databases audited, there are a few things that auditors go through.
Things like: do you have anonymous users, are there users with no passwords, are there users with easy passwords?
They also check what permissions the user has.
That is, what can those users do on your database once they have authenticated?
The Principle of Least Privilege
They do this based on the Principle of Least Privilege.
It’s simple: only give someone the access they need to complete a task.
This is a good idea to mitigate the impact of security breaches.
For example, if a reporting user’s credential is exposed, that user shouldn’t be able to drop the database!
MySQL SUPER privilege
I mention this because it’s not uncommon for me to find application users with the SUPER privilege.
If you look at MySQL’s documentation on the SUPER privilege, all the things that it allows won’t fit on a screen. An application user doesn’t need all of that!
It is a clear violation of the Principle of Least Privilege to give your application users this.
So why do I keep finding application users with the SUPER privilege in MySQL?
I honestly don’t know. Laziness I suppose.
It’s like someone just granted all privileges to the user and it worked fine.
But it’s dangerous, and not just from a security perspective.
The SUPER privilege also allows the user to write to MySQL instances that have the read_only flag enabled. That lets an administrator make schema changes on a replica, but in the hands of the application user it can lead to data discrepancies and broken replication chains.
Also, MySQL reserves one connection above the max_connections setting so that a user with SUPER can still log in and stabilize the system.
If your application user is eating up that connection, you won't have many choices besides restarting or killing MySQL.
These are just two examples of where the SUPER privilege is a problem.
Cloud Databases as a Service (DBaaS) offerings like AWS RDS and Google CloudSQL disable the SUPER privilege precisely because it’s so broad.
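The audit and cleanup described in the two sections above, as an added example that is not part of the original post: find accounts holding SUPER, check the read_only and max_connections settings SUPER bypasses, revoke the broad grant, and re-grant only what an application or reporting user needs. The account names, hosts, schema name and password are assumptions for illustration.

```sql
-- Added example (not from the original post). Account names, hosts, the
-- schema name "appdb" and the password are constructed placeholders.

-- 1. Find every account that holds SUPER (stored as Super_priv in mysql.user).
SELECT User, Host
FROM mysql.user
WHERE Super_priv = 'Y';

-- 2. Inspect a suspect account; SUPER usually arrives as
--    "GRANT ALL PRIVILEGES ON *.*" or an explicit "GRANT SUPER ON *.*".
SHOW GRANTS FOR 'app'@'10.0.0.%';

-- 3. Confirm the server-wide settings that SUPER lets a user bypass:
--    the read_only flag on a replica and the reserved extra connection
--    above max_connections.
SHOW GLOBAL VARIABLES
WHERE Variable_name IN ('read_only', 'super_read_only', 'max_connections');

-- 4. Remove the broad grant and re-grant only the statements the
--    application actually runs, scoped to its own schema.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'app'@'10.0.0.%';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'10.0.0.%';

-- 5. A reporting account gets read access and nothing else, so a leaked
--    credential cannot drop or modify anything.
CREATE USER IF NOT EXISTS 'reports'@'10.0.0.%'
  IDENTIFIED BY 'replace-with-a-generated-password';
GRANT SELECT ON appdb.* TO 'reports'@'10.0.0.%';

-- 6. Re-run the audit; application accounts should no longer be listed.
SELECT User, Host
FROM mysql.user
WHERE Super_priv = 'Y';
```

Step 3 also lists super_read_only, which MySQL 5.7.8 and later provide to block writes on a replica even from SUPER holders; enabling it on replicas is a useful belt-and-braces measure while you work through the grants, but it is no substitute for revoking SUPER from application users.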
SUPER is deprecated in MySQL 8.0
MySQL recognizes the problem too: as of MySQL 8.0, the SUPER privilege is deprecated!
Conclusion – Stop granting SUPER
Data Guardians will do themselves a favor by following AWS, Google, and MySQL's example: step up your database security game by following the Principle of Least Privilege.
Whatever you do, stop granting SUPER privilege to your application users!