关于Mysql是否满足C2级的讨论

====================================================
引自：http://blog.sina.com.cn/s/blog_538a9d1901008f9g.html

什么是C2级安全性？安全性的分类是怎样的？(2008-01-30 17:04:39)
  
D类：最低保护，保留给不能通过更高级别检查的系统

C1：谨慎保护，要求有基于用户级别的控制来保护数据，主要防止意外事件带来的损失，适用于对安全性要求不是太高的系统

C2：权限控制保护：用户对自己的行为负责；系统可以跟踪所有过程和记录某个用户的行为。防止对象重引用，并保证系统安全性监视器的效力。用户可以设定别人对自己数据的权限。

B1：标志安全性保护：要求特别的安全性计划，所有的保密数据都要加一标志，在系统中传递这些数据时必须核对标志。用户不能自己改变这些标志。

B2：结构化保护，要求结构化的、正规的安全性计划。用户账户验证功能增强，以确定每个用户合法的安全性权限。

B3：安全域：要求安全性系统尽可能小，排除一切无权限代码执行。这些代码可能不利于系统的安全性和测试，要求有附加的有关安全性管理的工具。系统必须有很强的反无权改动和侵入。

A1：核实的设计：功能和B3相同，但A1要经过更严格、更正规的测试。

 

=================================================================
关于C2级的官方解释
引自：http://ftp.ntu.edu.tw/ftp/linux/libs/security/Orange-Linux/refs/Orange/OrangeI-II-2.html

2.2 CLASS (C2): CONTROLLED ACCESS PROTECTION
Systems in this class enforce a more finely grained discretionary access control than (C1) systems, making users individually
accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation. The 
following are minimal requirements for systems assigned a class (C2) rating:

Security Policy
Discretionary Access Control
The TCB shall define and control access between named users and named objects (e.g., files and programs) in the ADP system. 
The enforcement mechanism (e.g., self/group/public controls, access control lists) shall allow users to specify and control 
sharing of those objects by named individuals, or defined groups of individuals, or by both, and shall provide controls to 
limit propagation of access rights. The discretionary access control mechanism shall, either by explicit user action or by 
default, provide that objects are protected from unauthorized access. These access controls shall be capable of including or 
excluding access to the granularity of a single user. Access permission to an object by users not already possessing access 
permission shall only be assigned by authorized users.

根据C2级的解释，C2级系统应能提供可控制的访问保护，即将C1级的自主存取控制(DAC)进一步细化，要求每个访问用户需要为其贯穿登录期间的行为负责，
并可进行审计和资源隔离。而根据Mysql官网最新文档，其安全存取机制级别涵盖了C2级自主存取控制(DAC)；甚至包括可定制的强制存取控制(MAC)
(可定制的MAC内容见维普期刊《计算机与现代化》2009年第9期《强制访问控制在提高MySQL安全性上的应用》)。

 

=================================================================
以下内容引自Mysql官网文档：http://dev.mysql.com/doc/refman/5.1/en/request-access.html

The MySQL Permission Model

In order to fully implement a secure MySQL database, it is necessary to learn the MySQL access control system (your friends the GRANT and REVOKE commands). There are four privilege levels that apply:

Global: these privileges apply to all databases on a server.
Database: these privileges apply to all tables in a database.
Table: these apply to all columns within a table.
Column: these apply to individual columns in a table.
The usage of these commands is varied:

GRANT priv_type [(column_list)] [, priv_type [(column_list)] ...]
    ON {tbl_name | * | *.* | db_name.*}
    TO user_name [IDENTIFIED BY [PASSWORD] 'password']
        [, user_name [IDENTIFIED BY 'password'] ...]
    [REQUIRE
        NONE |
        [{SSL| X509}]
    [CIPHER cipher [AND]]
    [ISSUER issuer [AND]]
    [SUBJECT subject]]
    [WITH [GRANT OPTION | MAX_QUERIES_PER_HOUR # |
                          MAX_UPDATES_PER_HOUR # |
                          MAX_CONNECTIONS_PER_HOUR #]]

REVOKE priv_type [(column_list)] [, priv_type [(column_list)] ...]
    ON {tbl_name | * | *.* | db_name.*}
    FROM user_name [, user_name ...]
The privileges can get very granular, so it is important that they are used in a well planned fashion. The types of privileges include:

Alter
Delete
Create
Drop
Execute
Select
Update
Once a database is completely set up, these privileges should be reviewed prior to going to any usage of the database to ensure that the privileges were set up appropriately.

For instance, if you wanted to limit the alter privilege only to the user kristyw for table called CreditCards, you would use the command as follows:

Mysql> GRANT alter on CreditCards to kristyw
Mysql> IDENTIFIED by "password";
This could take some time if multiple privileges for the same user are to be added. In this case, wildcards can be used, but use caution in doing so! You never want to add more privilege than is necessary or intended. Further, if a user account is compromised, then the use of blanket permissions to numerous hosts can open up unexpected trust relationships between systems. Additionally, if the hostname is left blank for connections, which also effectively works as a wildcard [7].

For example, say the user kristyw should now have all the privileges to everything in the database, as well as be required to connect to the database via an SSL connection:

Mysql> GRANT all on *.* to kristyw
Mysql> IDENTIFIED by ‘password’ REQUIRE SSL;
The wildcards that apply with the GRANT and REVOKE permissions include the “*”, which when used with grant privileges to *.* indicates global permissions, the “_”’, which if not used with a “/” in front of it (as in “/_”) could unintentionally indicate access to other databases, and lastly, the “%” can be used in hostnames.

Another privilege that can be assigned controls via GRANT and REVOKE is the PROCESS privilege, which should be restricted to only appropriate users. When used in the format: “mysqladmin processlist”, disclosure of password information is possible. This is especially true if the user excecuted the query with the syntax of “UPDATE user SET password=PASSWORD(‘not_secure')” in their query. Furthermore, restrict the use of the FILE privilege. This privilege allows the assigned user to write a file wherever the mysqld daemon has privileges too. In addtion, the FILE privilege can be used to view any file within the UNIX filesystem that the user has privileges to [7].

以上解释指出了Mysql可通过Grant(授权)和Revoke(回收)，来实现4级授权访问权限(four privilege levels)：全局(Global)、数据库级别(Database)、
表级别(Table)、列级别(Column)。

 

=================================================================
以下内容引自Mysql网站：http://lists.mysql.com/soc/83

AFAIK, from it's creation and to present moment MySql server uses
discretionary access control system to control permissions of users.
So, usual inconveniences of DAC (mainly administration difficulties)
affect MySql server too.

从诞生到现在，Mysql服务器都在使用自主存取控制机制(DAC，discretionary access control system)
去控制用户权限。

=================================================================
以下内容引自：《第四章 数据库安全性》 http://www.quanwen.com.cn/doc/1685103/
《数据库系统概论》：http://jingpinke.syict.edu.cn/sjkyl/%D7%CA%C1%CF/%B5%DA9%D5%C2DataBase.ppt

常用存取控制方法
- 自主存取控制(DAC,Discretionary Access Control)
  如：C2级  灵活
- 强制存取控制(MAC,Mandatory Access Control Control)
  如：B1级  严格

自主存取控制方法 - C1、C2级 (Grant & Revoke)
- 用户对于不同的数据对象有不同的存取权限
- 不同的用户对同一对象也有不同的权限
- 用户还可将其拥有的存取权限转授给其他用户
- 定义存取权限
 即定义一个用户可以在哪些数据对象上进行哪些类型的操作在数据库系统中，定义存取权限称为授权
 
强制存取控制方法 -  B1级
- 每一个数据对象被标以一定的密级
- 每一个用户也被授予某一个级别的许可证
- 对于任意一个对象，只有具有合法许可证的用户才可以存取

 

 

以上是关于Mysql是否满足C2级的讨论，希望抛砖引玉，不吝赐教！