SQL instances. Within Eclipse's "Data Source Explorer" I can see the
instances, I can Connect, Navigate and run the SQL against the
instance (database). All is good (while I am logged in as <user A>).
Now I logged out and logged in as a different user <user B>; still I am
able to do all the above as an authorized user. OK, I logged out of
Google within Eclipse; STILL I was able to connect to the Cloud SQL
instance.
In the Google APIs console, I have a project which has only one
user <user A> that's configured as an Owner. Under that project I have
the Cloud SQL instances that I am talking about.
As per the documentation (http://code.google.com/apis/sql/docs/basic_tasks.html#accesscontrol),
"Project roles determine whether a caller can access an instance in
that project". So if I don't have a user specified within a project,
currently he is ABLE to access the SQL instance within that project.
So all a hacker needs is my instance and database names to get into it.
ALSO in the same link: "You can create specific MySQL user roles using
the CREATE USER SQL command, but you should be aware that any user
with project-level permissions can log into the database as root and
modify user privileges." SO as per the above hole, an imposter can get
access into the instance and thereby get root access into my MySQL
instance.
Am I missing anything?
Help me to understand.