Stellarcore.net

Stellarcore.net

Mysql User and the Unix Install: By now everyone should know that any service you leave running as root faces the possibility of being exploited. If not from a known exploit, then from a future exploit. Root is all powerful and should be used as little as possible. Creating a mysql user (as most of the linux RPM's do for you) is a good start to securing your mysql installation. It also lets you select where to keep the database and how to protect the associated files. Be sure that the group permissions do not open up the database files to reading by non trusted users, and be sure the mysql home directory has the kind of space you need as your databases grows. Installing mysql from source (as on Solaris) allows you to set many of these options by hand, so take the time and read the configuration files. Remember to set the mysql users shell to /bin/false or /sbin/nologin since it's not a login account. Anytime you do this and need to become that user you can %su -s /bin/tcsh mysql as root and do whatever is needed.

Mysql Database: The default mysql setup leaves some pretty big security holes which you need to close off as your first order of business. The test database that is provided is open to all users; this should be removed. Also there is a default nobody user with limited permissions, but this could be exploited since it allows any user to connect with out a password. These commands from inside a mysql client should tighten up the database.

drop database test;
use mysql;
DELETE FROM db WHERE Db like 'test%';
DELETE FROM user WHERE Host = '%';
DELETE FROM user WHERE User = '';
update user
set Password = password('NEWPASSWORD')
where user = 'root';
FLUSH PRIVILEGES;

Basically you are deleting the test database and removing the outside accounts and removing the nobody account, then you set the root password. Now no one should be able to connect to mysql without a password. Create new databases and users as needed. Sample user grant below.

grant SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER
on some_db.*
to user@localhost
identified by 'password';
grant SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER
on some_db.*
to user@localhost
identified by password';
show grants;
FLUSH PRIVILEGES;
quit;