Re: securing mysql server on Fedora/CentOS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2009-11-24 at 18:48 -0800, Ed Landaveri wrote:
> Sam,
> I know yum does everything for me but I want to secure the mysql server following the guidelines given by mysql cert guide. Running the server as root, which is the way yum defines it is not recommended. Instead they recommend running the server as the mysql user.group. This can be done by modifying the /etc/my.cnf file. But they also recommend to secure the file system permissions of the where mysql was installed or from where it runs. The example given is the one when you install from a tar archive thus they focus on /usr/local/mysql.
> 
> My question is not how but if the /var/lib/mysql directory is the mysqld installation directory? Are there any other mysql directories I would need to secure? That's why I was looking if somebody have done this before so she/he could advise me what are the directories to secure. Thank you very much.

> > -----Original Message-----
> > From: mrsam@xxxxxxxxxxxxxxx
> > Sent: Mon, 23 Nov 2009 20:50:49 -0500
> > To: fedora-list@xxxxxxxxxx
> > Subject: Re: securing mysql server on Fedora/CentOS
> > 
> > Ed Landaveri writes:
> > 
> >> Ladies, gentleman,
> >> 
> >> I'm trying to secure a mysql server and according to the MySQL
> >> certification guide the file system mysql install directories should be
> >> owned by the user/group mysql.mysql. Also the server should be started
> >> using NOT the root account but the mysql account which easily can be
> >> done
> >> by modifying /etc/my.cnf file.
> >> Assuming that /usr/local is the installation if you did install from a
> >> tar ball to this directory this must be done:
> >> 
> >> chown -R mysql.mysql /usr/local
> >> chmod u =rwx,go=rx /usr/local
> > 
> > Any particular reason you want to brew something yourself, instead of a
> > simple "yum install mysql-server", which sets all of this up, for you?
----
default permissions on /var/lib/mysql are considered adequate by Fedora
& Red Hat developers...

# ls -ld /var/lib/mysql
drwxr-xr-x 5 mysql mysql 4096 2009-11-22 15:12 /var/lib/mysql

But since you are installing by tarball is your data actually being
stored there? The socket for local connections in that directory? PID?
What does the actual startup script look like? Crystal ball
cloudy...sorry.

but then again, you don't agree with their implementation to start
mysqld_safe as root and have mysql daemon itself running as user mysql
so how can anyone know what you consider secure?

I refuse to believe that any serious instructions have you changing
ownership of /usr/local to mysql:mysql

I don't understand the logic of changing the owner of /etc/my.cnf to
mysql:mysql and then setting perms to 666...that defies all of my
understanding of Linux security.

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux