Mysql socket security (Was: Re: i found something ugly about freeBSD)
On Friday 30 January 2004 10:20, Jorn Argelo wrote:
> It's up to the administrator of the server to make sure that users
> can't reach the /tmp partition then.

Ehm, you really don't want to advise this. A proper solution:

/etc/my.cnf:
[mysqld]
socket = /var/run/mysql/socket

Then:
mkdir /var/run/mysql
chown mysql:staff /var/run/mysql
chmod 750 /var/run/mysql

This assumes users in group staff are allowed to access mysql. DO NOT use the mysql group - that is best left with only the mysql user in it.

--
Melvyn

===
FreeBSD sarevok.webteckies.org 5.2-CURRENT FreeBSD 5.2-CURRENT #0: Wed Jan 28 18:01:18 CET 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SAREVOK_NOAPM_NODEBUG i386
===
Re: i found something ugly about freeBSD
Well, that's not FreeBSD's fault, but MySQL requires the mysql.sock file to be writeable to the world, or else it wouldn't be changing the attribute by itself.

It's up to the administrator of the server to make sure that users can't reach the /tmp partition then.

Cheers,
Jorn

On Friday 30 January 2004 02:59, [EMAIL PROTECTED] wrote:
> I am probably wrong, I hope, but mysqld creates a file called /tmp/mysql.sock
> but this file has got to be 777??? ...I log in with another user and call rm
> /tmp/mysql.sock and mysql stops working ...O_o ..but then I did this ...
>
> # chmod -R 777 /tmp
> # /usr/local/blabla/sh mysql-server.sh start
> # chmod o-w /tmp/mysql.sock
>
> ..and then again mysql stops working ...so ...for me as an administrator
> this is not possible ...because somebody rm's that file and ..that's it
> ...mysql stops ...is my setting bad? Please help me

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: i found something ugly about freeBSD
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 30, 2004 3:01 AM
Subject: i found something ugly about freeBSD

> I am probably wrong, I hope.

Yes, you are. :)

> ... but mysqld creates a file called /tmp/mysql.sock,
> but this file has got to be 777???

Yeah, well, that's the general idea; everybody can read/write to the mysqld server socket: from "nobody" (web server) to root.

> ...I log in with another user and call rm /tmp/mysql.sock

Set the sticky bit (+t) on /tmp/, and only the owner of the mysql socket will be able to delete it.

- Mark
Re: i found something ugly about freeBSD
In the last episode (Jan 29), [EMAIL PROTECTED] said:
> I am probably wrong, I hope, but mysqld creates a file called
> /tmp/mysql.sock but this file has got to be 777??? ...I log in with
> another user and call rm /tmp/mysql.sock and mysql stops working ...O_o
> ..but then I did this ...
>
> # chmod -R 777 /tmp

Don't do this ^^^. The correct permissions for /tmp should be 1777, aka a=rwx,=t. The sticky bit prevents users from deleting each other's files in /tmp.

--
Dan Nelson
[EMAIL PROTECTED]
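The two fixes suggested in the replies above (a sticky /tmp, or a dedicated socket directory that is not world-writable), as an added example that is not part of the original thread: a POSIX sh check of the directory holding a socket path. The function name, the status words and the scratch directories are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether the directory holding a Unix socket lets
# unrelated users delete the socket file.

# socket_parent_status PATH -> prints one of: missing, restricted, sticky, unsafe
#   restricted: directory is not world-writable (e.g. mode 750)
#   sticky:     world-writable, but only a file's owner may delete it (1777)
#   unsafe:     world-writable without the sticky bit (0777)
socket_parent_status() {
    sock_dir=$(dirname "$1")
    [ -d "$sock_dir" ] || { echo missing; return 0; }
    # The first ten characters of "ls -ld" are the mode string, e.g. drwxrwxrwt
    mode=$(ls -ld "$sock_dir" | cut -c1-10)
    other_w=$(printf '%s' "$mode" | cut -c9)    # write bit for "other"
    other_x=$(printf '%s' "$mode" | cut -c10)   # x, t or T (sticky), or -
    if [ "$other_w" != "w" ]; then
        echo restricted
    elif [ "$other_x" = "t" ] || [ "$other_x" = "T" ]; then
        echo sticky
    else
        echo unsafe
    fi
}

# Constructed demo: three scratch directories with the modes from the thread.
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/open" "$base/tmp" "$base/run"
    chmod 0777 "$base/open"   # what "chmod -R 777 /tmp" leaves behind
    chmod 1777 "$base/tmp"    # correct /tmp mode
    chmod 0750 "$base/run"    # dedicated socket directory
    for d in open tmp run; do
        printf '%s/mysql.sock: %s\n' "$d" \
            "$(socket_parent_status "$base/$d/mysql.sock")"
    done
    rm -rf "$base"
}
demo
```

On a real host, pass the value of the socket setting from my.cnf to socket_parent_status; anything other than "restricted" or "sticky" means another local user can remove the socket.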
Re: i found something ugly about freeBSD
[EMAIL PROTECTED] wrote:
> I am probably wrong, I hope, but mysqld creates a file called /tmp/mysql.sock
> but this file has got to be 777??? ...I log in with another user and call rm
> /tmp/mysql.sock and mysql stops working ...O_o ..but then I did this ...

Your mysql configuration isn't very secure. (Or: "your setting bad", if that's easier.)

Try setting a umask of 022 for the owner of your mysql process, or else adjust mysql's configuration. You'll probably get more help from a mysql website or mailing list.

--
-Chuck
i found something ugly about freeBSD
I am probably wrong, I hope, but mysqld creates a file called /tmp/mysql.sock but this file has got to be 777??? ...I log in with another user and call rm /tmp/mysql.sock and mysql stops working ...O_o ..but then I did this ...

# chmod -R 777 /tmp
# /usr/local/blabla/sh mysql-server.sh start
# chmod o-w /tmp/mysql.sock

..and then again mysql stops working ...so ...for me as an administrator this is not possible ...because somebody rm's that file and ..that's it ...mysql stops ...is my setting bad? Please help me