But that permission won't hold if/when MySQL rotates/re-creates the file,
right? But I guess for this file, MySQL itself won't ever rotate it
unlike the binlogs.
On Tue, 7 Sep 2010, Anthony Wlodarski wrote:
Then 755 should be appropriate.
-----Original Message-----
From: "Matt Juszczak" <[email protected]>
Sent: Tuesday, September 7, 2010 2:29pm
To: "NYPHP Talk" <[email protected]>
Subject: Re: [nyphp-talk] MySQL slow query log/general mysql log
Our setups are puppetized. There is a standard directory for MySQL log
information. As we don't want to allow sudo for users just to see the
file, I'd rather make it globally readable. Adding users to a group would
be less trivial, as most of our user groups are managed by LDAP, while the
mysql group is an actual systems group in /etc/group, which I don't want
to manage manually.
So really, the group option is out - the only options I see are setting
global read on the file, or adding the users that need to access it to
sudo.
I'm not too worried about the file being accessed by other means - the
server is a dedicated MySQL box.
Thanks,
Matt
On Tue, 7 Sep 2010, Anthony Wlodarski wrote:
> I don't know what type of OS this is on Nix/Windows/Other but when MySQL
> creates a default slow queries log file for Ubuntu it places this in
> /var/log/mysql which is not accessible to anyone other than super user.
> By default this file is 640 so that owners and groups may access it. For
> example on Ubuntu if you are part of the "adm" group you can read the
> file. I would steer away from global reading permissions on that log.
>
> Going into the background on this why do you want to enable all users to
> read the file? If so I would recommend creating a group and adding users
> to the group for viewing permissions. The log's information could be used
> against you negatively if an attacker stumbles upon your file (somehow
> made available through your webserver) and knows how your database reads
> and writes the information passed to it.
>
> Internally no daemons such as the MySQL Daemon will bark about
> permissions to the file as they have access to the log by default.
>
> -----Original Message-----
> From: "Matt Juszczak" <[email protected]>
> Sent: Tuesday, September 7, 2010 2:09pm
> To: [email protected]
> Subject: [nyphp-talk] MySQL slow query log/general mysql log
>
> Hi folks,
>
> Has anyone ever seen any negative effects of changing the permissions of
> the MySQL slow query log (not changing umask or anything like that) once
> MySQL has created the file? I'd like to make it 755 to allow for global
> read only access.
>
> -Matt
> _______________________________________________
> New York PHP Users Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/Show-Participation
>
>
>
> Anthony Wlodarski
> Lead Software Engineer
> Dating 2.0
> 646 285 0500 x217
> [email protected]
>
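
An added example, not part of the thread: a shell check that reports what a log file's mode grants to users outside its owner and group, including whether the parent directory lets them reach the file at all. It assumes GNU `stat`; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils stat.

# Print the octal permission bits of a path, e.g. 640 or 755.
mode_of() { stat -c '%a' -- "$1"; }

# Print one finding per line for a log file:
#   other-read                 readable by every local user
#   other-read-blocked-by-dir  read bit set, but the parent directory
#                              denies traversal to "other"
#   other-write                writable by every local user
#   exec-bits                  execute bits set on a plain log file
log_mode_findings() {
    file=$1
    fmode=$(mode_of "$file") || return 2
    dmode=$(mode_of "$(dirname -- "$file")") || return 2
    # A leading 0 makes the shell read the mode as an octal constant.
    if [ $(( 0$fmode & 04 )) -ne 0 ]; then
        if [ $(( 0$dmode & 01 )) -ne 0 ]; then
            echo "other-read"
        else
            echo "other-read-blocked-by-dir"
        fi
    fi
    if [ $(( 0$fmode & 02 )) -ne 0 ]; then
        echo "other-write"
    fi
    if [ $(( 0$fmode & 0111 )) -ne 0 ]; then
        echo "exec-bits"
    fi
    return 0
}

# Constructed sample: a throwaway file standing in for the slow query log.
demo_dir=$(mktemp -d)
chmod 755 "$demo_dir"
: > "$demo_dir/mysql-slow.log"
chmod 755 "$demo_dir/mysql-slow.log"
echo "findings for mode 755:"
log_mode_findings "$demo_dir/mysql-slow.log"
rm -rf "$demo_dir"
```

The check reads mode bits only, so it reports the same findings whether it is run as root or as an ordinary user.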