
Re: [suse-security] mysql updates?



> Stefan Onken wrote:
> > On Wednesday, 7 July 2004 08:07, Frank Steiner wrote:
> >
> >
> >>are mysql updates planned w.r.t.
> >>http://www.securityfocus.com/archive/1/367991 ?
> >>
> >>Just to avoid recompiling new versions myself when SuSE is
> >>already working on it :-)
> >
> >
> > SuSE never shipped the 4.1.x or 5.x versions; both are unstable (beta
> > and alpha stage). The stable versions 3.x and 4.0.x are NOT
> > affected.
>
> Oh, my fault, indeed that's 4.0.13 and 4.0.18 here....
>
> Sorry :-)

Hm, I normally run MySQL on localhost, so only local attackers could have
their fun.

Apache can handle this.
A problem is if you segment servers, some for Apache and some for MySQL;
then you can use simple firewall rules to prevent access.
Another problem may be unsafe PHP programming.

I changed this in /etc/init.d/mysql to run on localhost only:

       # changed: --bind-address added so mysqld only listens on 127.0.0.1
       # (the marker sits above the command: a comment line between
       # backslash-continued lines would end the command early)
       $SAFE_MYSQLD \
           --user=$mysql_daemon_user \
           --pid-file=$pid_file \
           --socket=$socket \
           --bind-address=127.0.0.1 \
           --datadir=$datadir &>/dev/null &

Normally I don't give users shell accounts.

If desired you can do some BOFH work in /etc/security/limits.conf:

@users          hard    core            0
@users          hard    data            8196
@users          hard    fsize           8196
@users          hard    memlock         2048
@users          hard    nofile          64
@users          hard    rss             8196
@users          hard    stack           2048
@users          hard    cpu             10
@users          hard    nproc           8
@users          hard    as              16384
@users          hard    maxlogins       2
@users          hard    priority        17

This only gives users limited rights, e.g. to change their file rights with
scripts, but not to run any unnecessary software like X (it even makes
problems for su).
These settings only affect shell logins.
If you want to allow admin to su, add this line for user "admin":

admin           -

This is no really good protection, but it gives a little bit more security.

Philippe


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
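An added example, not part of the post above or of the SuSE init script: after changing the init script, a practitioner would want to verify that mysqld really is bound to 127.0.0.1 only, and, for the segmented case the post mentions (Apache on one host, MySQL on another), have the "simple firewall rules" written down. The first function reads `netstat -tln`-style output and reports any TCP port 3306 listener that is not on loopback; the second prints iptables rules that admit port 3306 only from the web server. The web server address 10.0.0.5 and the interface eth0 are assumptions, and the netstat output embedded below is constructed to show the before/after state.

```shell
#!/bin/sh
# Added example (not from the mailing list post or from SuSE).
#
# is_mysql_exposed: read `netstat -tln` output on stdin; print every TCP
# port 3306 listener whose local address is not 127.0.0.1 and return 0
# (true) if any was found, 1 if mysqld only listens on loopback.
is_mysql_exposed() {
    awk '
        $1 == "tcp" {
            # column 4 is the local address, e.g. 0.0.0.0:3306 or 127.0.0.1:3306
            n = split($4, a, ":")
            port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (port == "3306" && host != "127.0.0.1") { print $4; found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# mysql_fw_rules WEB_IP [IFACE]: print iptables rules for the MySQL host
# that accept port 3306 from the web server only and drop it otherwise.
# WEB_IP and IFACE are assumptions supplied by the caller.
mysql_fw_rules() {
    web_ip=$1
    iface=${2:-eth0}
    printf 'iptables -A INPUT -i %s -p tcp --dport 3306 -s %s -j ACCEPT\n' "$iface" "$web_ip"
    printf 'iptables -A INPUT -i %s -p tcp --dport 3306 -j DROP\n' "$iface"
}

# Constructed sample output: what `netstat -tln` might show before and
# after adding --bind-address=127.0.0.1 to the init script.
SAMPLE_BEFORE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

SAMPLE_AFTER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

# Demo run on the constructed samples; on a real host use:
#   netstat -tln | is_mysql_exposed
echo "before:"
printf '%s\n' "$SAMPLE_BEFORE" | is_mysql_exposed && echo "  -> exposed"
echo "after:"
printf '%s\n' "$SAMPLE_AFTER" | is_mysql_exposed || echo "  -> localhost only"
echo "rules for a separate MySQL host (web server assumed at 10.0.0.5):"
mysql_fw_rules 10.0.0.5
```

Two practical notes: the check deliberately treats the IPv4 wildcard (0.0.0.0) and any IPv6 form as exposed, since either one is reachable from other hosts; and when Apache and MySQL share the host and PHP connects through the Unix socket, mysqld's `--skip-networking` option removes the TCP listener entirely, which is stricter than binding to 127.0.0.1.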