[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-users] I'm an idiot - please help me
- Subject: Re: [cobalt-users] I'm an idiot - please help me
- From: Phoenix Hawk <phawk@xxxxxxxxxxxxxxx>
- Date: Wed Mar 28 02:30:00 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Sun, 18 Mar 2001, Chris Moreton wrote:
> The weirdest thing I haven't yet figured is that in order to get the MySql
> daemon to start on reboot I needed to replace the lengthy mysql script in
> /etc/rc.d/init.d to read simply "safe_mysqld &". This works fine and from
> the looks of things the mysql script is a copy of the mysql.server script
> that comes with the mysql download.
hmm, what's wrong with the original script?
from what i know, running mysqld via "safe_mysqld &"
when you're "root" is a bad practice. otoh, using the script
ensures that mysqld is running as "mysql" - just a normal
user on the system. by running mysqld as root, you open
your system to *bad things* if mysql gets exploited
or if a curious user wants to "explore" your system.
another mysql security related issue:
the "mysql" database, ie. the database named mysql, which
holds all the privilege and access permissions for your
mysqld, has this table called "user". the problem with
granting the users listed there with FULL privileges
means that they have full access to ANY database running
under your mysqld.
simply put, it means that if i'm a legit mysql user
on your system, and if i know the name of your other
databases, i can easily drop any of them. which isn't hard,
all i need to do is to login to mysql "mysql -u user -p"
and do a "show databases;", "drop XXXX;" and you're screwed.
of course, i need to login to the mysql server first, in order
to commit any possible crime.
so what do i do?
only give the mysql adminstrator full privileges. give
none to the rest of the normal users listed in the
"user" table. they don't need it to access their databases;
as long as their user name and password is ok, mysql
lets them connect successfully. instead, give the users
FULL permissions to their own databases under the table
called "db" in the "mysql" database.
(whew, long mail at 2am+ at night, hope i don't do/say anything
wrong again... like the du -h --max-depth thing :PPP).
for the mysql administrator (who is most likely the
cobalt admin, and mail admin, and web server admin, and...
well, that's probably us) :)
suggestion, read this article:
http://www.devshed.com/Server_Side/MySQL/Grant_Tables/
monitor this "place" (or u can subscribe to their newsletters):
http://www.devshed.com/Server_Side/MySQL/
get this free web-based administration tool:
http://phpwizard.net/projects/phpMyAdmin/
(saves u hours and a lot of typing but needs
a little bit of setting up. note: treat all
references/links/buttons to "delete" and "drop"
like the way you treat "rm -fr")
learn how to use .htaccess and .htpasswd to protect the
web-based admin page above.
if/when you're proficient enough, you can set up the above tool
so that your clients can admin their own databases (only!).
the magic's in the config.inc.php file.
erm... guess that's about it on mysql. will try to come out
with a more coherent FAQ-like thing when i'm freer, hopefully
this will be of some help to the mysql admins out there... :)
regards.
--
The past is only an arrangement of photons receding at lightspeed.