
Let's say I have two users on my UNIX machine - user1 and user2. I also have two MySQL databases - db1(mysql_user1) and db2(mysql_user2).

I want to prevent user1 from connecting to db2 even if it uses mysql_user2 credentials. I hope it is possible to do it.

mik
  • Are there two MySQL processes listening on different ports / IP addresses? Or is there just one MySQL process, with two different databases? – MadHatter Feb 10 '11 at 15:17
  • Are you really having a problem with this or are you just overthinking? If you're overthinking, then it's time to stop because you've gone too far. – deltaray Feb 10 '11 at 15:37
  • I'm not having any serious problems with that. I just want to separate them in the safest way. It's just one MySQL process, but it's possible to open another one on another port. How may it help me? – mik Feb 10 '11 at 18:04

2 Answers

If you really want to do this, you could run two separate instances of MySQL, one for each database. Then

  1. Stop connections to MySQL via socket, and require them all to be by the network interface; let us assume database1's listener is on port 3307, and database2's is on 3308 (MySQL normally listens on 3306).
  2. Prevent user1-owned processes from connecting to database2's TCP listener, with something like:

    # Reject loopback TCP connections from user1-owned processes to database2's listener (port 3308)
    iptables -A OUTPUT -p tcp --dport 3308 -o lo -m owner --uid-owner user1 -j REJECT

I'm not advocating this, but if you really, really want to make a user unable even to talk to the wrong database, much less to authenticate to it, this should work.

MadHatter
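
An added example, not part of the answer above: a small generator that prints the owner-match rules for both users, so that each one is kept off the other instance's port. It goes beyond the single rule in the answer by covering both directions and IPv6 loopback via `ip6tables`; the `INSTANCES` mapping and the function names are assumptions, with ports taken from the answer.

```shell
#!/bin/sh
# Constructed mapping: Unix user -> TCP port of the one MySQL instance that
# user is allowed to reach (ports as in the answer: database1=3307, database2=3308).
INSTANCES="user1:3307 user2:3308"

# Print one REJECT rule per (user, foreign port) pair, for IPv4 and IPv6 loopback.
# Nothing is applied here; review the output, then run it as root.
gen_rules() {
    for owner in $1; do
        user=${owner%%:*}
        own_port=${owner##*:}
        for other in $1; do
            port=${other##*:}
            # A user keeps access to the port of its own instance.
            [ "$port" = "$own_port" ] && continue
            for cmd in iptables ip6tables; do
                echo "$cmd -A OUTPUT -o lo -p tcp --dport $port -m owner --uid-owner $user -j REJECT"
            done
        done
    done
}

# Count the generated rules that keep user $1 away from port $2.
blocked() {
    gen_rules "$INSTANCES" | grep -c -e "--dport $2 -m owner --uid-owner $1 " || true
}

gen_rules "$INSTANCES"
```

The rules only cover TCP, so they are effective only once socket connections are disabled as in step 1.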

If the credentials are compromised, there is no way to prevent access to whatever user2 has permissions to.

PG Puters
  • They are not compromised, I just have two virtual hosts on the machine. One for production and one for testing. I don't want the test user to connect to the production database by mistake – mik Feb 10 '11 at 14:55