I have one question regarding mysql. I am the only user with an account, with global options. Is this secure? I hope I'm making myself clear. I want to know basically if having 1 user account and it having global privileges is somehow a security hole.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Well for starters, does the account use a password? If not, that's obviously a security problem. The password should be at least 8 characters, both alpha and numeric, and non-alpha/numeric if possible...
Preferably you should have one account for administration of user accounts, and then restrict other accounts to only access the areas of the database they need.
If you don't need any outside machines to connect to the database over IP, you should disable the TCP/IP connectivity and just use UNIX sockets. Also make sure that you've updated to a recent version that has the weak password hashing problem fixed.
For my mysql setup I have deleted the root account and the test database. I am the only user that has access to everything and my password and login name are 15 characters each, upper and lower case. I have permissions set correctly and the last thing I am wondering about is if I should create the user account you're talking about with limited privs.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Sounds like you made a great start. You didn't mention if you require TCP/IP connectivity to the database itself (from another machine). If you don't need TCP/IP, then you should really disable the database from listening for it and use UNIX sockets only.
Yeah, I forgot to mention that. I have everything on one machine so I've added skip-networking in my 'my.cnf'. I still have my 1 account that I use that has full privs in mysql, should I create a new account with less privs?
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Well you have a great start. It's been a while since I set up MySQL, but if I recall you should be able to change the privileges on your "master" account so that it can only create new accounts. Then create an account that only has privileges to the areas of the DB that it needs to work on.
That would be Best Practices, but of course the main account could grant itself total privileges if it wanted to (it's just a barrier for script kiddies, etc). Also if you're not using a full-priv account to do administration, it's less likely that you'll accidentally blow something away (because it has access to far less stuff) and if the account is hijacked it won't be able to compromise the entire DB (although it will be enough to damage all your existing data, it just won't be able to create/drop other DBs, etc).
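The account split discussed in this thread, written out as an added example (it is not from any of the posters): one working account limited to a single schema, one account that only manages accounts, and a few queries to audit what is left with global reach. It assumes a current MySQL release with `CREATE USER` syntax; the names `appdb`, `app_rw` and `acct_admin` and the password strings are placeholders.

```sql
-- Added example. appdb, app_rw, acct_admin and the passwords are
-- hypothetical placeholders; run this as the existing full-privilege
-- account, connected over the local UNIX socket.

-- 1. Working account: data access to one schema only, local logins only.
CREATE USER 'app_rw'@'localhost'
  IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON appdb.* TO 'app_rw'@'localhost';

-- 2. Account-management account: may create and drop accounts,
--    but is given no privileges on any data.
CREATE USER 'acct_admin'@'localhost'
  IDENTIFIED BY 'REPLACE_WITH_ANOTHER_LONG_PASSWORD';
GRANT CREATE USER ON *.* TO 'acct_admin'@'localhost';

-- 3. Review exactly what each account ended up with.
SHOW GRANTS FOR 'app_rw'@'localhost';
SHOW GRANTS FOR 'acct_admin'@'localhost';

-- 4. Audit: accounts that still hold powerful global privileges.
SELECT User, Host, Super_priv, Grant_priv, Drop_priv, File_priv
  FROM mysql.user
 WHERE Super_priv = 'Y'
    OR Grant_priv = 'Y'
    OR Drop_priv  = 'Y'
    OR File_priv  = 'Y';

-- 5. Audit: anonymous accounts and accounts usable from other hosts.
SELECT User, Host
  FROM mysql.user
 WHERE User = ''
    OR Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 6. Check that the default test database is really gone.
SHOW DATABASES LIKE 'test';

-- 7. Check that the skip-networking setting from my.cnf is active.
SHOW VARIABLES LIKE 'skip_networking';
```

Any row returned by queries 4 and 5 is an account to review against what it actually needs.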