(mysql.info) security-against-attack
Info Catalog
(mysql.info) security-guidelines
(mysql.info) security
(mysql.info) privileges-options
5.7.2 Making MySQL Secure Against Attackers
-------------------------------------------
When you connect to a MySQL server, you should use a password. The
password is not transmitted in clear text over the connection. Password
handling during the client connection sequence was upgraded in MySQL
4.1.1 to be very secure. If you are still using pre-4.1.1-style
passwords, the encryption algorithm is not as strong as the newer
algorithm. With some effort, a clever attacker who can sniff the
traffic between the client and the server can crack the password. (See
password-hashing, for a discussion of the different password
handling methods.)
All other information is transferred as text, and can be read by anyone
who is able to watch the connection. If the connection between the
client and the server goes through an untrusted network, and you are
concerned about this, you can use the compressed protocol to make
traffic much more difficult to decipher. You can also use MySQL's
internal SSL support to make the connection even more secure. See
secure-connections. Alternatively, use SSH to get an encrypted TCP/IP
connection between a MySQL server and a MySQL client. You can find an
Open Source SSH client at `http://www.openssh.org/', and a commercial
SSH client at `http://www.ssh.com/'.
To make a MySQL system secure, you should strongly consider the
following suggestions:
* Require all MySQL accounts to have a password. A client program
does not necessarily know the identity of the person running it.
It is common for client/server applications that the user can
specify any username to the client program. For example, anyone
can use the `mysql' program to connect as any other person simply
by invoking it as `mysql -u OTHER_USER DB_NAME' if OTHER_USER has
no password. If all account have a password, connecting using
another user's account becomes much more difficult.
For a discussion of methods for setting passwords, see
passwords.
* Never run the MySQL server as the Unix `root' user. This is
extremely dangerous, because any user with the `FILE' privilege is
able to cause the server to create files as `root' (for example,
`~root/.bashrc'). To prevent this, `mysqld' refuses to run as
`root' unless that is specified explicitly using the -user=root
option.
`mysqld' can (and should) be run as an ordinary, unprivileged user
instead. You can create a separate Unix account named `mysql' to
make everything even more secure. Use this account only for
administering MySQL. To start `mysqld' as a different Unix user,
add a `user' option that specifies the username in the `[mysqld]'
group of the `my.cnf' option file where you specify server
options. For example:
[mysqld]
user=mysql
This causes the server to start as the designated user whether you
start it manually or by using `mysqld_safe' or `mysql.server'. For
more details, see changing-mysql-user.
Running `mysqld' as a Unix user other than `root' does not mean
that you need to change the `root' username in the `user' table.
_Usernames for MySQL accounts have nothing to do with usernames
for Unix accounts_.
* Do not allow the use of symlinks to tables. (This capability can
be disabled with the -skip-symbolic-links option.) This is
especially important if you run `mysqld' as `root', because anyone
that has write access to the server's data directory then could
delete any file in the system! See
symbolic-links-to-tables.
* Make sure that the only Unix user with read or write privileges in
the database directories is the user that `mysqld' runs as.
* Do not grant the `PROCESS' or `SUPER' privilege to
non-administrative users. The output of `mysqladmin processlist'
and `SHOW PROCESSLIST' shows the text of any statements currently
being executed, so any user who is allowed to see the server
process list might be able to see statements issued by other users
such as `UPDATE user SET password=PASSWORD('not_secure')'.
`mysqld' reserves an extra connection for users who have the
`SUPER' privilege, so that a MySQL `root' user can log in and
check server activity even if all normal connections are in use.
The `SUPER' privilege can be used to terminate client connections,
change server operation by changing the value of system variables,
and control replication servers.
* Do not grant the `FILE' privilege to non-administrative users. Any
user that has this privilege can write a file anywhere in the
filesystem with the privileges of the `mysqld' daemon. To make
this a bit safer, files generated with `SELECT ... INTO OUTFILE'
do not overwrite existing files and are writable by everyone.
The `FILE' privilege may also be used to read any file that is
world-readable or accessible to the Unix user that the server runs
as. With this privilege, you can read any file into a database
table. This could be abused, for example, by using `LOAD DATA' to
load `/etc/passwd' into a table, which then can be displayed with
`SELECT'.
* If you do not trust your DNS, you should use IP numbers rather
than hostnames in the grant tables. In any case, you should be
very careful about creating grant table entries using hostname
values that contain wildcards.
* If you want to restrict the number of connections allowed to a
single account, you can do so by setting the
`max_user_connections' variable in `mysqld'. The `GRANT' statement
also supports resource control options for limiting the extent of
server use allowed to an account. See grant.
Info Catalog
(mysql.info) security-guidelines
(mysql.info) security
(mysql.info) privileges-options
automatically generated byinfo2html