On Mon, 2009-11-23 at 17:40 -0800, Ed Landaveri wrote:
> Ladies, gentlemen,
>
> I'm trying to secure a mysql server and according to the MySQL certification guide the file system mysql install directories should be owned by the user/group mysql.mysql. Also the server should be started using NOT the root account but the mysql account, which easily can be done by modifying the /etc/my.cnf file.
> Assuming that /usr/local is the installation, if you did install from a tarball to this directory this must be done:
>
> chown -R mysql.mysql /usr/local
> chmod u=rwx,go=rx /usr/local
> chmod u=rwx,go=rx /usr/local/mysql/bin
> chmod u=rwx,go=rx /usr/local/mysql/libexec
> chmod -R go=rx /usr/local/mysql/data
> Also:
> chown mysql.mysql /etc/my.cnf
> chmod 666 /etc/my.cnf
>
> Since I installed mysql upon installation and it runs as a daemon, is the /var/lib/mysql directory the mysql installation directory? Is there any other installation directory that I have to modify ownership, permissions to secure the mysql server? Has anyone done this before? I will really appreciate your answers. Thank you very much.
----
I find much of the logic here flawed, including the basic premise that there is a reason to install mysql other than the packaged version.

The packaged version of mysql server does indeed start as root and then switches to user mysql for the server, and if you find that objectionable, you should be running an LFS system and not a packaged system like Fedora, because that is the way basically everything operates on Fedora.

Do you actually believe that a tarball compiled version of mysql could ever be as secure as the packaged install with SELinux installed? I wish you good luck on making SELinux happy with your tarball installation and am pretty much convinced that you have disabled SELinux.

Also - FWIW

Why on earth would you be changing permissions of /usr/local at all?

chmod 666 /etc/my.cnf makes absolutely no sense in terms of security whatsoever... do you understand permissions at all? I mean think about it... if the perms are 666 does it even matter who the owner/group are?

I don't mean to be unduly harsh but reading through all of this just makes me laugh.

Craig
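
The point about mode 666 raised in the reply above, as an added example that is not part of the original thread: a small audit function that reports who besides the owner can modify an option file. The function name, the finding labels and the expected owner passed in are assumptions made for illustration; it relies on `stat -c` as provided by GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU or BusyBox stat (-c).

# audit_option_file FILE EXPECTED_OWNER
# Prints one finding per line; status 0 = clean, 1 = findings, 2 = missing.
audit_option_file() (
    file=$1; want_owner=$2; rc=0

    [ -e "$file" ] || { echo "MISSING $file"; exit 2; }

    mode=$(stat -c '%a' "$file")     # octal permission bits, e.g. 666
    owner=$(stat -c '%U' "$file")

    # "other" write bit (002): every local account can rewrite the file,
    # so the owner and group no longer restrict anything.
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then
        echo "WORLD-WRITABLE $file (mode $mode)"; rc=1
    fi
    # group write bit (020): every member of the group can rewrite it.
    if [ $(( 0$mode & 0020 )) -ne 0 ]; then
        echo "GROUP-WRITABLE $file (mode $mode)"; rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER $file is $owner, expected $want_owner"; rc=1
    fi

    # A world-writable directory without the sticky bit (1000) lets anyone
    # rename the file away and put a replacement in its place.
    dir=$(dirname "$file")
    dmode=$(stat -c '%a' "$dir")
    if [ $(( 0$dmode & 0002 )) -ne 0 ] && [ $(( 0$dmode & 01000 )) -eq 0 ]; then
        echo "REPLACEABLE $file via $dir (mode $dmode)"; rc=1
    fi
    exit "$rc"
)

# Usage (the expected owner is site policy; root here is an assumption):
#   audit_option_file /etc/my.cnf root
```

Run against a file left at mode 666, it reports both the WORLD-WRITABLE and GROUP-WRITABLE findings whatever the owner is.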