On Tue, 2009-11-24 at 18:48 -0800, Ed Landaveri wrote: > Sam, > I know yum does everything for me but I want to secure the mysql server following the guidelines given by mysql cert guide. Running the server as root, which is the way yum defines it is not recommended. Instead they recommend running the server as the mysql user.group. This can be done by modifying the /etc/my.cnf file. But they also recommend to secure the file system permissions of the where mysql was installed or from where it runs. The example given is the one when you install from a tar archive thus they focus on /usr/local/mysql. > > My question is not how but if the /var/lib/mysql directory is the mysqld installation directory? Are there any other mysql directories I would need to secure? That's why I was looking if somebody have done this before so she/he could advise me what are the directories to secure. Thank you very much. > > -----Original Message----- > > From: mrsam@xxxxxxxxxxxxxxx > > Sent: Mon, 23 Nov 2009 20:50:49 -0500 > > To: fedora-list@xxxxxxxxxx > > Subject: Re: securing mysql server on Fedora/CentOS > > > > Ed Landaveri writes: > > > >> Ladies, gentleman, > >> > >> I'm trying to secure a mysql server and according to the MySQL > >> certification guide the file system mysql install directories should be > >> owned by the user/group mysql.mysql. Also the server should be started > >> using NOT the root account but the mysql account which easily can be > >> done > >> by modifying /etc/my.cnf file. > >> Assuming that /usr/local is the installation if you did install from a > >> tar ball to this directory this must be done: > >> > >> chown -R mysql.mysql /usr/local > >> chmod u =rwx,go=rx /usr/local > > > > Any particular reason you want to brew something yourself, instead of a > > simple "yum install mysql-server", which sets all of this up, for you? ---- default permissions on /var/lib/mysql are considered adequate by Fedora & Red Hat developers... # ls -ld /var/lib/mysql drwxr-xr-x 5 mysql mysql 4096 2009-11-22 15:12 /var/lib/mysql But since you are installing by tarball is your data actually being stored there? The socket for local connections in that directory? PID? What does the actual startup script look like? Crystal ball cloudy...sorry. but then again, you don't agree with their implementation to start mysqld_safe as root and have mysql daemon itself running as user mysql so how can anyone know what you consider secure? I refuse to believe that any serious instructions have you changing ownership of /usr/local to mysql:mysql I don't understand the logic of changing the owner of /etc/my.cnf to mysql:mysql and then setting perms to 666...that defies all of my understanding of Linux security. Craig -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
