
Re: [LUG] Databases again
On Tue, Jun 27, 2006 at 11:21:13AM +0100, Neil Winchurst wrote:
> Paul Weaver <iso@xxxxxxxxxxxx> wrote:
> > You do have a mysql user on your machine don't you? Generally it's not a
> > good idea to run things like mysql as root, as a buffer overflow or
> > similar will give a hacker root access.
> > 
> Yes, indeed. It is quite a long time since I last used mysql, so I am
> taking some time to get back into the swing of it all. I must look out
> my old book on it.
> 
> Once I have the server running I log back to my normal user and work
> from there. I never run anything as root except for the odd time, such
> as chmod, when I need to be root. Then I run the command and exit back
> to neil immediately.

That's fine, but mysql is still running as root. A mysql command that
caused mysqld to execute a local program would have full access to your
machine (cat /etc/passwd, cat /etc/shadow for example).

Running the daemon as another user 

The fact that mysqld launches fine as root, but not as "mysql", if you
have a 'mysql' local user (grep mysql /etc/passwd) indicates a
permissions problem.

My mysqld process has a few temp files open, in /tmp, and a lot of stuff 
in /var/lib/mysql/ open. 

I think you've already checked it, but /var/lib/mysql/ and its files
should be owned by "mysql".

# chown -R mysql /var/lib/mysql
# ls -ld /var/lib/mysql/
drwxr-xr-x  7 mysql mysql 4096 2006-05-29 14:11 /var/lib/mysql/

(your group might be different)

This might all be fine, I can't remember from earlier in the thread. 
At one point, however, a log mentioned you had a problem writing to 
"/root/tmp". If that directory is like mine

drwxr-xr-x  2 root root  4096 2006-01-11 07:32 tmp

Then that would mean the mysqld daemon couldn't run as anything but
root. chmod 777ing this directory and launching mysqld as --user=mysql,
and checking the log, would indicate if this were the problem (although
that's not the final solution).

Of course it works now, but I always think it's better to iron out
potential problems earlier on :)

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
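The two checks the reply above recommends (is mysqld still running as root, and is the data directory owned by the mysql user) can be scripted so they are easy to repeat after a configuration change. The script below is an added example and is not code from the original mailing-list post or from MySQL itself. It assumes a POSIX sh with `ls`, `awk` and `ps`; the `ps -eo user,comm` sample embedded in it is constructed for offline use, and the directory paths are placeholders to be replaced with the real data directory.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that mirror the
# advice in the thread: the daemon should not run as root, the data
# directory should belong to the service user, and "chmod 777" is a
# diagnostic step rather than a fix, so flag world-writable data dirs.

# check_datadir_owner DIR USER
# Returns 0 if DIR exists and is owned by USER (e.g. /var/lib/mysql
# owned by "mysql"), 1 otherwise. Uses `ls -ld` rather than `stat`
# so it works on both GNU and BSD userlands.
check_datadir_owner() {
    dir=$1; want=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    owner=$(ls -ld "$dir" | awk '{print $3}')
    if [ "$owner" = "$want" ]; then
        echo "ok: $dir is owned by $owner"
        return 0
    fi
    echo "WARNING: $dir is owned by $owner, expected $want (chown -R $want $dir)" >&2
    return 1
}

# check_not_world_writable DIR
# Returns 0 unless DIR has the "other write" bit set. A data directory
# that was chmod 777'ed while debugging should be tightened afterwards.
check_not_world_writable() {
    dir=$1
    mode=$(ls -ld "$dir" | awk '{print $1}')
    other_write=$(printf '%s' "$mode" | cut -c9)
    if [ "$other_write" = "w" ]; then
        echo "WARNING: $dir is world-writable ($mode)" >&2
        return 1
    fi
    echo "ok: $dir is not world-writable ($mode)"
    return 0
}

# root_daemon_count NAME
# Reads "USER COMMAND" lines on stdin (the shape of `ps -eo user,comm`)
# and prints how many processes named NAME are running as root.
# Always exits 0; callers compare the printed count.
root_daemon_count() {
    awk -v n="$1" '$1 == "root" && $2 == n { c++ } END { print c + 0 }'
}

# Constructed sample of `ps -eo user,comm` output: one mysqld launched
# as root (the situation discussed in the thread) and one as "mysql".
SAMPLE_PS='USER COMMAND
root init
root mysqld_safe
root mysqld
neil bash
mysql mysqld'

# Convenience wrapper so the sample can be checked without a live box.
sample_root_mysqld_count() {
    printf '%s\n' "$SAMPLE_PS" | root_daemon_count mysqld
}

# Live usage on a real machine (paths are placeholders):
#   ps -eo user,comm | root_daemon_count mysqld
#   check_datadir_owner /var/lib/mysql mysql
#   check_not_world_writable /var/lib/mysql
```

On a live system, a non-zero count from `root_daemon_count mysqld` means the daemon was started without `--user=mysql` (or the `user=` line in my.cnf is missing), and a failing `check_datadir_owner` is the usual reason it refuses to start as the unprivileged user.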