Gentoo Forums
Is my Mysql secure?
audiodef
Watchman


Joined: 06 Jul 2005
Posts: 6347
Location: /usr/lib64/lv2

PostPosted: Sun May 01, 2011 3:08 pm    Post subject: Is my Mysql secure?

I posed my question to someone whose opinion I value, and got an excellent response.

I'm now curious to hear from other people, though, especially from both db admins and security people.

I've set up my server - a VPS on which I host two TLD sites and several sub-domains - so that there's only one Mysql user - root (Mysql root, not server root, just to be clear). Root does not have remote access. All web apps connect to localhost.

My thinking is that since root has no remote access, it should be safe enough for me to just use it for web apps that only connect to localhost. Anyone who has managed to break into my server as server root would then be able to do whatever they want no matter how I rig my Mysql users anyway.

All changes I make to the database are done either via ssh at the server root prompt or through a db web app behind both SSL and mod_auth_imap2 (to which I supply the Mysql root password).

Am I using a reasonably secure approach to this? Or should I absolutely do something better in some way?
_________________
Gentoo Studio: A Gentoo-based, professional digital audio workstation OS.
Hu
Moderator


Joined: 06 Mar 2007
Posts: 15969

PostPosted: Sun May 01, 2011 5:54 pm    Post subject:

Do all your web applications on that machine require full control of the database? If not, I would run them under alternate MySQL credentials with less access. Consider the situation that your web application has a SQL injection vulnerability, allowing an attacker to insert arbitrary SQL text, but not to run arbitrary code or read/write any files on the machine. In such a scenario, the compromised web application would allow the attacker to make any database changes that the web application's user can make.
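An added example (not from anyone in this thread) of the per-application MySQL accounts Hu suggests, written as the GRANT statements a server admin would run from the local mysql prompt; the database names (site_a, site_b), account names and passwords are placeholders.

```sql
-- Added example, not from the thread: one least-privilege MySQL account per web
-- application instead of sharing the MySQL root account. Names (site_a, site_b,
-- the app_* and pma_admin users) and passwords are placeholders.

-- 1. Confirm root is reachable from localhost only (the thread's starting point):
--    every root row should show host = 'localhost' (or 127.0.0.1).
SELECT user, host FROM mysql.user;

-- 2. A per-site account for the web application. The @'localhost' part matters:
--    the account cannot be used over the network even if its password leaks.
CREATE USER 'app_site_a'@'localhost' IDENTIFIED BY 'CHANGE_ME_site_a';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON site_a.* TO 'app_site_a'@'localhost';

-- A second site gets its own account, so a flaw in one site cannot touch the
-- other site's data.
CREATE USER 'app_site_b'@'localhost' IDENTIFIED BY 'CHANGE_ME_site_b';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON site_b.* TO 'app_site_b'@'localhost';

-- 3. An account for the phpMyAdmin-style admin front end. It can manage tables
--    in both databases but is deliberately NOT given the global privileges
--    (GRANT OPTION, FILE, SUPER, CREATE USER) that only root needs. Database-level
--    ALL PRIVILEGES never includes those global ones.
CREATE USER 'pma_admin'@'localhost' IDENTIFIED BY 'CHANGE_ME_admin';
GRANT ALL PRIVILEGES ON site_a.* TO 'pma_admin'@'localhost';
GRANT ALL PRIVILEGES ON site_b.* TO 'pma_admin'@'localhost';

-- 4. Verify what each account can actually do. For app_site_a the output should
--    list only the four row-level privileges on site_a.* plus a USAGE line;
--    any line mentioning FILE, SUPER or WITH GRANT OPTION means too much was granted.
SHOW GRANTS FOR 'app_site_a'@'localhost';
SHOW GRANTS FOR 'pma_admin'@'localhost';

-- 5. If an application turns out not to need a privilege (here DELETE), take it
--    back rather than recreating the account.
REVOKE DELETE ON site_a.* FROM 'app_site_a'@'localhost';
FLUSH PRIVILEGES;
```

With the web application's connection settings changed to use app_site_a, an injected query can still damage rows in site_a, but it runs with none of the global privileges that root carries, which is the limit Hu's reply describes.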
audiodef
Watchman


Joined: 06 Jul 2005
Posts: 6347
Location: /usr/lib64/lv2

PostPosted: Sun May 01, 2011 6:11 pm    Post subject:

Now that I think about it, not even something like phpmyadmin requires root, right? It doesn't need things like grant privs, as far as I know. So maybe I should set up Mysql users for web apps.
_________________
Gentoo Studio: A Gentoo-based, professional digital audio workstation OS.