Hi Bob,

You're right, if the database user only has read access then no damage can be done to the tables, but it's still a problem if a malicious user can execute arbitrary queries.

In BioMart we do clean all user input, so SQL injection would be impossible against the system.

-jack

From: Bob MacCallum <[email protected]>
Date: Tue, 5 Jul 2011 16:41:11 -0400
To: Joachim Baran <[email protected]>
Cc: BioMart Users <[email protected]>
Subject: Re: [BioMart Users] mod_security / SELinux and sql injection...

Just curious, and perhaps naive... what can an attacker achieve if biomart is using a read-only database user? (Or is read-write needed for session storage or something? [I am not a current biomart instance admin.] Even so, you could lock down the privileges sufficiently to prevent any nefarious activity...?)

On Tue, Jul 5, 2011 at 4:38 PM, Joachim Baran <[email protected]> wrote:

Hi!

On 11-07-05 11:17 AM, "Julian Selley" <[email protected]> wrote:

I wondered if any of the users out there had any experience with either configuring SELinux or mod_security to work with a biomart installation.

Are you using BioMart 0.7 or 0.8?

At Manchester, the pubmed2ensembl56.smith.man.ac.uk server runs BioMart 0.7 under SELinux and as far as I remember, I only had to create some custom modules to allow for outgoing connections in order to query NCBI's eutils. You can create SELinux policy modules as described here:

http://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191c257c01

If you get in touch with Casey in Manchester, then he should be able to direct you to his internal wiki where I have described the workflow to create custom policy modules step-by-step.

If you are using BioMart 0.8, then you also should be able to create the SELinux policy modules as described above. You might have to iterate the process up to 5 times before you have created enough policies that allow the server to function correctly. Unfortunately, this process cannot be optimised, because each time you grant the server a bit more rights, it will proceed a tad further before running into another violation. Policy creation has to be done iteratively.

Joachim
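Joachim's description of building a custom SELinux policy module round by round is what audit2allow automates: collect the AVC denials from the audit log, turn each (source type, target type, object class) tuple into an allow rule, install the module, restart the service, and repeat until no new denials appear. The following is an added example written for this thread, not BioMart's code and not the CentOS wiki's script. It implements the core of that step in Python so the generated rules can be inspected before they are installed: the AVC records, the type names biomart_conf_t and biomart_local, and the two "iterations" are constructed sample data, and the policy syntax it emits is the .te form that audit2allow -M produces.

```python
import re
from collections import defaultdict

# The fields of an AVC record that become an allow rule: the denied permission
# set, the source and target security contexts, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions a reviewer should look at twice before installing the module.
RISKY_PERMS = {"write", "append", "create", "unlink", "setattr",
               "execmem", "execstack", "execmod"}

# Constructed audit.log excerpts. Round 1: the web server is blocked from an
# outgoing TCP connection (the eutils case from the thread). Round 2, after the
# first module is installed, the server gets further and is blocked reading a
# config file labelled with a hypothetical biomart_conf_t type.
ITERATION_1 = [
    'type=AVC msg=audit(1309896000.101:201): avc:  denied  { name_connect } for  '
    'pid=2211 comm="java" dest=80 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket',
]
ITERATION_2 = [
    'type=AVC msg=audit(1309896300.555:240): avc:  denied  { read } for  '
    'pid=2211 comm="java" name="marts.xml" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:biomart_conf_t:s0 tclass=file',
    'type=AVC msg=audit(1309896300.556:241): avc:  denied  { open } for  '
    'pid=2211 comm="java" path="/opt/biomart/marts.xml" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:biomart_conf_t:s0 tclass=file',
]


def context_type(ctx):
    """user:role:type[:level] -> type (the part policy rules are written in)."""
    return ctx.split(":")[2]


def parse_denials(lines, rules=None):
    """Fold AVC denials into rules[(source_type, target_type, class)] -> perms.

    Pass the dict returned by the previous round to accumulate across the
    iterations the thread describes; lines without an AVC denial are ignored.
    """
    rules = defaultdict(set) if rules is None else rules
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def render_te(module, version, rules):
    """Emit a type-enforcement (.te) source in the shape audit2allow generates."""
    types = sorted({k[0] for k in rules} | {k[1] for k in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def needs_review(rules):
    """Return the rule keys that would grant a permission from RISKY_PERMS."""
    return sorted(k for k, perms in rules.items() if perms & RISKY_PERMS)


if __name__ == "__main__":
    rules = parse_denials(ITERATION_1)            # round 1
    rules = parse_denials(ITERATION_2, rules)     # round 2, same dict
    print(render_te("biomart_local", "1.0", rules))
    print("review:", needs_review(rules))
```

Each round only reveals the next denial, which is why the process cannot be collapsed into one pass. On a real host the equivalent commands are grep denied /var/log/audit/audit.log | audit2allow -M biomart_local, then semodule -i biomart_local.pp and a service restart; read the .te file first, and treat anything needs_review flags as a signal to relabel the file or fix the configuration rather than to widen the policy.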
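Bob's question and Jack's answer turn on the difference between what a read-only database account protects (the tables cannot be modified) and what it does not (the query the attacker sends is still executed). The following added example is mine, not BioMart's code: it uses an in-memory SQLite database with a constructed gene table, and SQLite's query_only pragma stands in for a read-only database user. It puts a lookup built by string formatting next to the parameterised version so the two behaviours can be compared on the same input.

```python
import sqlite3


def make_db():
    """Constructed sample data; PRAGMA query_only plays the read-only DB user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE gene (id INTEGER PRIMARY KEY, symbol TEXT, description TEXT);
        INSERT INTO gene VALUES (1, 'BRCA1', 'breast cancer 1'),
                                (2, 'TP53',  'tumor protein p53'),
                                (3, 'EGFR',  'epidermal growth factor receptor');
    """)
    conn.execute("PRAGMA query_only = 1")  # writes now fail for this connection
    return conn


def lookup_unsafe(conn, symbol):
    """User input spliced into the SQL text: the input can change the query."""
    sql = "SELECT symbol FROM gene WHERE symbol = '%s' ORDER BY id" % symbol
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, symbol):
    """Bound parameter: the input is only ever compared as a value."""
    sql = "SELECT symbol FROM gene WHERE symbol = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (symbol,))]


def can_write(conn):
    """What the read-only account does buy: modification attempts are refused."""
    try:
        conn.execute("DELETE FROM gene")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    conn = make_db()
    tautology = "x' OR '1'='1"  # constructed input that is not a gene symbol
    print("unsafe, normal input:", lookup_unsafe(conn, "BRCA1"))
    print("unsafe, tautology:   ", lookup_unsafe(conn, tautology))
    print("safe, tautology:     ", lookup_safe(conn, tautology))
    print("can write:           ", can_write(conn))
```

The read-only connection refuses the DELETE, which is Bob's point, but the unsafe lookup still returns every row for an input that matches no symbol, which is Jack's: the privilege level limits the damage to the data, not what the attacker can read through the query. Binding parameters (or, as Jack puts it, cleaning the input) is the control that addresses the second problem, and the read-only account is a second layer rather than a substitute for it.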
_______________________________________________ Users mailing list [email protected] https://lists.biomart.org/mailman/listinfo/users
