 

(mysql.info) security-against-attack

 
 5.7.2 Making MySQL Secure Against Attackers
 -------------------------------------------
 
 When you connect to a MySQL server, you should use a password.  The
 password is not transmitted in clear text over the connection. Password
 handling during the client connection sequence was upgraded in MySQL
 4.1.1 to be very secure. If you are still using pre-4.1.1-style
 passwords, the encryption algorithm is not as strong as the newer
 algorithm. With some effort, a clever attacker who can sniff the
 traffic between the client and the server can crack the password. (See
 password-hashing for a discussion of the different password handling
 methods.)
 
 All other information is transferred as text, and can be read by anyone
 who is able to watch the connection. If the connection between the
 client and the server goes through an untrusted network, and you are
 concerned about this, you can use the compressed protocol to make
 traffic much more difficult to decipher. You can also use MySQL's
 internal SSL support to make the connection even more secure. See 
 secure-connections. Alternatively, use SSH to get an encrypted TCP/IP
 connection between a MySQL server and a MySQL client. You can find an
 Open Source SSH client at `http://www.openssh.org/', and a commercial
 SSH client at `http://www.ssh.com/'.
 
 To make a MySQL system secure, you should strongly consider the
 following suggestions:
 
    * Require all MySQL accounts to have a password. A client program
      does not necessarily know the identity of the person running it.
      It is common for client/server applications that the user can
      specify any username to the client program. For example, anyone
      can use the `mysql' program to connect as any other person simply
      by invoking it as `mysql -u OTHER_USER DB_NAME' if OTHER_USER has
      no password. If all accounts have a password, connecting using
      another user's account becomes much more difficult.
 
      For a discussion of methods for setting passwords, see 
      passwords.
 
    * Never run the MySQL server as the Unix `root' user. This is
      extremely dangerous, because any user with the `FILE' privilege is
      able to cause the server to create files as `root' (for example,
      `~root/.bashrc'). To prevent this, `mysqld' refuses to run as
      `root' unless that is specified explicitly using the
      `--user=root' option.
 
      `mysqld' can (and should) be run as an ordinary, unprivileged user
      instead. You can create a separate Unix account named `mysql' to
      make everything even more secure. Use this account only for
      administering MySQL. To start `mysqld' as a different Unix user,
      add a `user' option that specifies the username in the `[mysqld]'
      group of the `my.cnf' option file where you specify server
      options. For example:
 
           [mysqld]
           user=mysql
 
      This causes the server to start as the designated user whether you
      start it manually or by using `mysqld_safe' or `mysql.server'. For
      more details, see changing-mysql-user.
 
      Running `mysqld' as a Unix user other than `root' does not mean
      that you need to change the `root' username in the `user' table.
      _Usernames for MySQL accounts have nothing to do with usernames
      for Unix accounts_.
 
    * Do not allow the use of symlinks to tables. (This capability can
      be disabled with the `--skip-symbolic-links' option.) This is
      especially important if you run `mysqld' as `root', because anyone
      that has write access to the server's data directory then could
      delete any file in the system! See symbolic-links-to-tables.
 
    * Make sure that the only Unix user with read or write privileges in
      the database directories is the user that `mysqld' runs as.
 
    * Do not grant the `PROCESS' or `SUPER' privilege to
      non-administrative users. The output of `mysqladmin processlist'
      and `SHOW PROCESSLIST' shows the text of any statements currently
      being executed, so any user who is allowed to see the server
      process list might be able to see statements issued by other users
      such as `UPDATE user SET password=PASSWORD('not_secure')'.
 
      `mysqld' reserves an extra connection for users who have the
      `SUPER' privilege, so that a MySQL `root' user can log in and
      check server activity even if all normal connections are in use.
 
      The `SUPER' privilege can be used to terminate client connections,
      change server operation by changing the value of system variables,
      and control replication servers.
 
    * Do not grant the `FILE' privilege to non-administrative users. Any
      user that has this privilege can write a file anywhere in the
      filesystem with the privileges of the `mysqld' daemon. To make
      this a bit safer, files generated with `SELECT ... INTO OUTFILE'
      do not overwrite existing files and are writable by everyone.
 
      The `FILE' privilege may also be used to read any file that is
      world-readable or accessible to the Unix user that the server runs
      as. With this privilege, you can read any file into a database
      table. This could be abused, for example, by using `LOAD DATA' to
      load `/etc/passwd' into a table, which then can be displayed with
      `SELECT'.
 
    * If you do not trust your DNS, you should use IP numbers rather
      than hostnames in the grant tables. In any case, you should be
      very careful about creating grant table entries using hostname
      values that contain wildcards.
 
    * If you want to restrict the number of connections allowed to a
      single account, you can do so by setting the
      `max_user_connections' variable in `mysqld'. The `GRANT' statement
      also supports resource control options for limiting the extent of
      server use allowed to an account. See grant.
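
 Several of the suggestions above (passwords on every account, the
 `FILE', `PROCESS' and `SUPER' privileges, hostnames in the grant tables,
 `max_user_connections') can be checked directly against the `user'
 grant table. The queries below are an added example, not part of the
 MySQL manual; they assume the grant-table layout in which `mysql.user'
 has a `Password' column and that `root' is the only administrative
 account.

```sql
-- Added audit example; not part of the MySQL manual.
-- Assumptions: mysql.user has a Password column (older grant-table layout)
-- and 'root' is the only administrative account; extend the NOT IN list
-- with any other administrative account names used at your site.

-- 1. Accounts that can connect without a password.
SELECT User, Host
  FROM mysql.user
 WHERE Password = '';

-- 2. Non-administrative accounts holding FILE, PROCESS or SUPER globally.
SELECT User, Host, File_priv, Process_priv, Super_priv
  FROM mysql.user
 WHERE User NOT IN ('root')
   AND (File_priv = 'Y' OR Process_priv = 'Y' OR Super_priv = 'Y');

-- 3. Host values that contain wildcards ('%' or '_'), or that are
--    hostnames and therefore depend on DNS. Plain IP numbers, IP/netmask
--    values and 'localhost' are not reported.
SELECT User, Host,
       IF(LOCATE('%', Host) > 0 OR LOCATE('_', Host) > 0,
          'wildcard in Host',
          'hostname, depends on DNS') AS concern
  FROM mysql.user
 WHERE LOCATE('%', Host) > 0
    OR LOCATE('_', Host) > 0
    OR (Host <> 'localhost'
        AND Host NOT REGEXP '^[0-9]+([.][0-9]+){3}(/[0-9.]+)?$');

-- 4. Server-wide limit on simultaneous connections per account
--    (0 means no limit is set).
SHOW VARIABLES LIKE 'max_user_connections';
```

 Run these from an administrative account that can read the `mysql'
 database; an empty result for queries 1 to 3 means no account matched
 that check.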
 