LiraNuna's questions

I want to have a MySQL user that will only able to create a new user+database(+password) combinations - without being the mysql root user for obvious security concerns.

My idea is to have a secure user (INSERT privileges only) that will modify the mysql table directly, but I don't know if there are consequences.

To be clear, I want to create a user that will only be able to generate users+database+password combinations using an automated script that will run using that user. I want that user to operate on the least permissions as possible.

What are my other options?

In the process of moving away from flat configuration files, I'm seeking for the equivalent of AuthzSVNAccessFile directive, using SQL (MySQL preferred).

I am well aware of mod_auth_mysql, but it's for user auth only.

Any idea how I can achieve this?

I'm trying to move away from nasty daemons that write config files and need root access to operate.

I want to store vhosts/domains in an MySQL database, ideally with restricted access. I'm looking for some modules that will be able to dynamically generate vhost config retrieving them using queries.

Some of what I found, and why I can't use it:

• mod_sqltemplate - Exactly what I was looking for, until I realized it needs httpd reload when new vhosts are inserted to the database (meaning an external script/passwordless sudo/nasty daemons/etc)
• mod_sqlinclude - Looks the same as the above, but it's apache1.3 only. I also don't know if it requires httpd reload when new entries are inserted. I tried porting this myself and ended up one function behind.
• mod_vdbh - I can't find any info on that one, but it has some references that shows that is might what I'm looking for
• mod_shapvh - apache1.x only, failed to port it.

It would also be nice if there's a way to read/write bandwidth limit counters into MySQL.

Running on Debian GNU/Linux.

I have recently 'inherited' a tiny bind9 DNS server (64MB RAM running bind9+ssh only) where the zones were crafted using a GUI application then scp'd into the server as root. I didn't really mind that part, but turns out the GUI application made inconsistent serial numbers every edit, resulting in serials such as 1245486432 instead of the 'common' (?) YYYYMMDDSS.

Is there a 'safe' way to increase/decrease the serial number without causing any sort of inconsistencies between DNS servers and caches?

I'm administrating two servers who follow the model of development and production machines.

The production machine is stripped bare-bone software which runs under restrictive set of rules and limited access. The development machine, however, is much more open - developers can ask for mostly anything (with some exceptions) to be installed and they get unlimited amount of MySQL databases for their testing.

However, on both servers, developers have to ask for a new username/password/database combination which is usually accepted on the development machine, and only accepted on the production machine when a web application is finalized, polished, secure and ready to take off.

Is there a way to create each of the developers on the development machine a user with the permission to create (just create, not read/modify/erase) template users with fixed permission set? That way they could create their own new secure set of username/password/database without waiting for me to accept their query.

Our development server is exposed outside (so developers can ssh and work from home) so I don't want to give one user a lot of permissions, due to the experimental nature of the applications hosted on the server. (If the database gets compromised, the best it could do is drop the application database instead of all of the databases user have access to).