Craig, the 666 is a typo; it is indeed 644. Anyway, the question is whether there is any other installation directory for mysql than /var/lib/mysql. I'm following the MySQL certification guide to secure it. This is their recommendation. I'm just looking for the answer to the question above.

Eduardo Landaveri
GNU-Linux User 433512

> -----Original Message-----
> From: craigwhite@xxxxxxxxxxx
> Sent: Tue, 24 Nov 2009 20:08:24 -0700
> To: fedora-list@xxxxxxxxxx
> Subject: Re: securing mysql server on Fedora/CentOS
>
> On Tue, 2009-11-24 at 18:48 -0800, Ed Landaveri wrote:
>> Sam,
>> I know yum does everything for me but I want to secure the mysql server
>> following the guidelines given by the mysql cert guide. Running the server
>> as root, which is the way yum defines it, is not recommended. Instead
>> they recommend running the server as the mysql user.group. This can be
>> done by modifying the /etc/my.cnf file. But they also recommend to
>> secure the file system permissions of where mysql was installed or
>> from where it runs. The example given is the one when you install from a
>> tar archive, thus they focus on /usr/local/mysql.
>>
>> My question is not how but if the /var/lib/mysql directory is the mysqld
>> installation directory? Are there any other mysql directories I would
>> need to secure? That's why I was looking if somebody has done this
>> before so she/he could advise me what are the directories to secure.
>> Thank you very much.
>
>>> -----Original Message-----
>>> From: mrsam@xxxxxxxxxxxxxxx
>>> Sent: Mon, 23 Nov 2009 20:50:49 -0500
>>> To: fedora-list@xxxxxxxxxx
>>> Subject: Re: securing mysql server on Fedora/CentOS
>>>
>>> Ed Landaveri writes:
>>>
>>>> Ladies, gentlemen,
>>>>
>>>> I'm trying to secure a mysql server and according to the MySQL
>>>> certification guide the file system mysql install directories should
>>>> be owned by the user/group mysql.mysql. Also the server should be started
>>>> using NOT the root account but the mysql account, which easily can be
>>>> done by modifying the /etc/my.cnf file.
>>>> Assuming that /usr/local is the installation, if you did install from a
>>>> tar ball to this directory this must be done:
>>>>
>>>> chown -R mysql.mysql /usr/local
>>>> chmod u=rwx,go=rx /usr/local
>>>
>>> Any particular reason you want to brew something yourself, instead of a
>>> simple "yum install mysql-server", which sets all of this up, for you?
> ----
> default permissions on /var/lib/mysql are considered adequate by Fedora
> & Red Hat developers...
>
> # ls -ld /var/lib/mysql
> drwxr-xr-x 5 mysql mysql 4096 2009-11-22 15:12 /var/lib/mysql
>
> But since you are installing by tarball is your data actually being
> stored there? The socket for local connections in that directory? PID?
> What does the actual startup script look like? Crystal ball
> cloudy...sorry.
>
> but then again, you don't agree with their implementation to start
> mysqld_safe as root and have mysql daemon itself running as user mysql
> so how can anyone know what you consider secure?
>
> I refuse to believe that any serious instructions have you changing
> ownership of /usr/local to mysql:mysql
>
> I don't understand the logic of changing the owner of /etc/my.cnf to
> mysql:mysql and then setting perms to 666...that defies all of my
> understanding of Linux security.
>
> Craig
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines:
> http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
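
The ownership and mode concerns raised in this thread can be checked mechanically. The script below is an added example, not part of the original messages or of any MySQL or Fedora tooling. The paths, the 644 mode and the mysql:mysql 755 values are taken from the thread; root:root as the owner of /etc/my.cnf and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Requires GNU stat (Fedora/CentOS).

# check_path PATH OWNER:GROUP MAX_MODE
# Returns 0 if the owner matches and no permission bit exceeds MAX_MODE,
# 1 on any finding, 2 if PATH does not exist.
check_path() {
    path=$1; want_owner=$2; max_mode=$3
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    owner=$(stat -c '%U:%G' "$path")
    mode=$(stat -c '%a' "$path")
    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER   $path is $owner, expected $want_owner"
        rc=1
    fi
    # The leading 0 makes the shell read both values as octal.
    extra=$(( 0$mode & ~0$max_mode ))
    if [ "$extra" -ne 0 ]; then
        printf 'MODE    %s is %s, allowed at most %s (extra bits %o)\n' \
            "$path" "$mode" "$max_mode" "$extra"
        rc=1
    fi
    return "$rc"
}

# count_world_writable DIR: number of entries under DIR with the o+w bit
# set (as in mode 666). Symlinks and sockets are skipped, because the
# local-connection socket is meant to be reachable by every local client.
count_world_writable() {
    find "$1" ! -type l ! -type s -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# Expected values: 644 is Ed's corrected mode for /etc/my.cnf and
# mysql:mysql 755 is Craig's ls output for /var/lib/mysql; root:root as
# the owner of /etc/my.cnf is an assumption.
audit_mysql_paths() {
    status=0
    check_path /etc/my.cnf root:root 644 || status=1
    check_path /var/lib/mysql mysql:mysql 755 || status=1
    n=$(count_world_writable /var/lib/mysql)
    [ "$n" -eq 0 ] || { echo "WORLD-W $n entries under /var/lib/mysql"; status=1; }
    return "$status"
}

# Run the audit only when asked, e.g.: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_mysql_paths; fi
```

A mode stricter than the maximum (for example 600 against 644) passes; only extra bits are reported.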