Of course:
a) mysqld runs as root by default
b) if you've set the port below 1024 (so that it gets filtered naturally by
your firewall), mysqld has to be started as root in order to bind it. The
following patch fixes this problem (on FreeBSD at least) if you add
"MYSQL_USER=someuser; export MYSQL_USER" to safe_mysqld.
Only lightly tested...
--- mysqld.cc.orig Tue Mar 31 19:27:53 1998
+++ mysqld.cc Tue Mar 31 19:35:59 1998
@@ -57,6 +57,8 @@
#define SET_RLIMIT_NOFILE
#endif
+#include <pwd.h>
+
#define MAX_RETRY 10 // Test accept this many times
#define CONNECT_TIMEOUT 3 // Don't wait long for connect
@@ -291,6 +293,33 @@
}
}
+static void set_user()
+{
+ struct passwd *ent;
+ char *user;
+
+// don't bother if we aren't superuser
+ if(geteuid())
+ return;
+
+ if(!(user = getenv("MYSQL_USER")))
+ return;
+
+ if(!(ent = getpwnam(user)))
+ {
+ perror("getpwnam");
+ application_end();
+ unireg_abort(1);
+ }
+
+ if(setuid(ent->pw_uid) == -1)
+ {
+ perror("setuid");
+ application_end();
+ unireg_abort(1);
+ }
+}
+
static void server_init(void)
{
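Review bot: set_user() changes only the uid, so after `setuid(ent->pw_uid)` the server still runs with root's primary gid and supplementary groups and keeps whatever group-based file access those grant. The group drop has to happen before the setuid() call, while the process is still uid 0, using `ent->pw_gid` from the same passwd entry; initgroups() may need `<grp.h>` on platforms other than the one tested. Separately, `perror("getpwnam")` can print an unrelated or "no error" message, because getpwnam() is not required to set errno when the name simply does not exist, so a message naming the missing user would be clearer. The whole function is visible in this hunk.
```cpp
// … unchanged: geteuid() check, getenv("MYSQL_USER"), getpwnam() lookup …

// shed root's supplementary groups and primary gid while still uid 0
  if(initgroups(user, ent->pw_gid) == -1 || setgid(ent->pw_gid) == -1)
  {
    perror("initgroups/setgid");
    application_end();
    unireg_abort(1);
  }

  if(setuid(ent->pw_uid) == -1)
// … unchanged: setuid() error path …
```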
@@ -336,6 +365,9 @@
application_end();
unireg_abort(1);
}
+
+ set_user();
+
VOID(listen(ip_sock,(int) back_log));
}
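Review bot: The `set_user();` call has no comment explaining why it sits at this exact point, and its position is what makes the patch work. The drop presumably has to come after the privileged port is bound (the error path just above looks like the bind failure, though the bind itself is outside the hunk) and before the server accepts any connection. I would add `// drop root now that the port is bound; nothing below may rely on uid 0` above the call. It is also worth confirming that files opened earlier in startup as root (logs, pid file) remain usable by the unprivileged user, which cannot be judged from the lines shown here.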
Cheers,
Ben.
-- Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org and Technical Director|Email: ben@algroup.co.uk | A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/ London, England. |"Apache: TDG" http://www.ora.com/catalog/apache