BugsSite/docs/html/security-mysql.html - WebKit - Git at Google

 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 <HTML
 ><HEAD
 ><TITLE
 >MySQL</TITLE
 ><META
 NAME="GENERATOR"
 CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
 REL="HOME"
 TITLE="The Bugzilla Guide - 2.20.1
     Release"
 HREF="index.html"><LINK
 REL="UP"
 TITLE="Bugzilla Security"
 HREF="security.html"><LINK
 REL="PREVIOUS"
 TITLE="Operating System"
 HREF="security-os.html"><LINK
 REL="NEXT"
 TITLE="Webserver"
 HREF="security-webserver.html"></HEAD
 ><BODY
 CLASS="section"
 BGCOLOR="#FFFFFF"
 TEXT="#000000"
 LINK="#0000FF"
 VLINK="#840084"
 ALINK="#0000FF"
 ><DIV
 CLASS="NAVHEADER"
 ><TABLE
 SUMMARY="Header navigation table"
 WIDTH="100%"
 BORDER="0"
 CELLPADDING="0"
 CELLSPACING="0"
 ><TR
 ><TH
 COLSPAN="3"
 ALIGN="center"
 >The Bugzilla Guide - 2.20.1
     Release</TH
 ></TR
 ><TR
 ><TD
 WIDTH="10%"
 ALIGN="left"
 VALIGN="bottom"
 ><A
 HREF="security-os.html"
 ACCESSKEY="P"
 >Prev</A
 ></TD
 ><TD
 WIDTH="80%"
 ALIGN="center"
 VALIGN="bottom"
 >Chapter 4. Bugzilla Security</TD
 ><TD
 WIDTH="10%"
 ALIGN="right"
 VALIGN="bottom"
 ><A
 HREF="security-webserver.html"
 ACCESSKEY="N"
 >Next</A
 ></TD
 ></TR
 ></TABLE
 ><HR
 ALIGN="LEFT"
 WIDTH="100%"></DIV
 ><DIV
 CLASS="section"
 ><H1
 CLASS="section"
 ><A
 NAME="security-mysql"
 >4.2. MySQL</A
 ></H1
 ><DIV
 CLASS="section"
 ><H2
 CLASS="section"
 ><A
 NAME="security-mysql-account"
 >4.2.1. The MySQL System Account</A
 ></H2
 ><P
 >As mentioned in <A
 HREF="security-os.html#security-os-accounts"
 >Section 4.1.2</A
 >, the MySQL
       daemon should run as a non-privleged, unique user. Be sure to consult
       the MySQL documentation or the documentation that came with your system
       for instructions.
       </P
 ></DIV
 ><DIV
 CLASS="section"
 ><H2
 CLASS="section"
 ><A
 NAME="security-mysql-root"
 >4.2.2. The MySQL <SPAN
 CLASS="QUOTE"
 >"root"</SPAN
 > and <SPAN
 CLASS="QUOTE"
 >"anonymous"</SPAN
 > Users</A
 ></H2
 ><P
 >By default, MySQL comes with a <SPAN
 CLASS="QUOTE"
 >"root"</SPAN
 > user with a
       blank password and an <SPAN
 CLASS="QUOTE"
 >"anonymous"</SPAN
 > user, also with a blank
       password. In order to protect your data, the <SPAN
 CLASS="QUOTE"
 >"root"</SPAN
 > user
       should be given a password and the anonymous user should be disabled.
       </P
 ><DIV
 CLASS="example"
 ><A
 NAME="security-mysql-account-root"
 ></A
 ><P
 ><B
 >Example 4-1. Assigning the MySQL <SPAN
 CLASS="QUOTE"
 >"root"</SPAN
 > User a Password</B
 ></P
 ><TABLE
 BORDER="0"
 BGCOLOR="#E0E0E0"
 WIDTH="100%"
 ><TR
 ><TD
 ><FONT
 COLOR="#000000"
 ><PRE
 CLASS="screen"
 >&#13;<SAMP
 CLASS="prompt"
 >bash$</SAMP
 > mysql mysql
 <SAMP
 CLASS="prompt"
 >mysql&#62;</SAMP
 > UPDATE user SET password = password('<VAR
 CLASS="replaceable"
 >new_password</VAR
 >') WHERE user = 'root';
 <SAMP
 CLASS="prompt"
 >mysql&#62;</SAMP
 > FLUSH PRIVILEGES;
         </PRE
 ></FONT
 ></TD
 ></TR
 ></TABLE
 ></DIV
 ><DIV
 CLASS="example"
 ><A
 NAME="security-mysql-account-anonymous"
 ></A
 ><P
 ><B
 >Example 4-2. Disabling the MySQL <SPAN
 CLASS="QUOTE"
 >"anonymous"</SPAN
 > User</B
 ></P
 ><TABLE
 BORDER="0"
 BGCOLOR="#E0E0E0"
 WIDTH="100%"
 ><TR
 ><TD
 ><FONT
 COLOR="#000000"
 ><PRE
 CLASS="screen"
 >&#13;<SAMP
 CLASS="prompt"
 >bash$</SAMP
 > mysql -u root -p mysql           <A
 NAME="security-mysql-account-anonymous-mysql"
 ><IMG
 SRC="../images/callouts/1.gif"
 HSPACE="0"
 VSPACE="0"
 BORDER="0"
 ALT="(1)"></A
 >
 <SAMP
 CLASS="prompt"
 >Enter Password:</SAMP
 > <VAR
 CLASS="replaceable"
 >new_password</VAR
 >
 <SAMP
 CLASS="prompt"
 >mysql&#62;</SAMP
 > DELETE FROM user WHERE user = '';
 <SAMP
 CLASS="prompt"
 >mysql&#62;</SAMP
 > FLUSH PRIVILEGES;
         </PRE
 ></FONT
 ></TD
 ></TR
 ></TABLE
 ><DIV
 CLASS="calloutlist"
 ><DL
 COMPACT="COMPACT"
 ><DT
 ><A
 HREF="security-mysql.html#security-mysql-account-anonymous-mysql"
 ><IMG
 SRC="../images/callouts/1.gif"
 HSPACE="0"
 VSPACE="0"
 BORDER="0"
 ALT="(1)"></A
 ></DT
 ><DD
 >This command assumes that you have already completed
             <A
 HREF="security-mysql.html#security-mysql-account-root"
 >Example 4-1</A
 >.
             </DD
 ></DL
 ></DIV
 ></DIV
 ></DIV
 ><DIV
 CLASS="section"
 ><H2
 CLASS="section"
 ><A
 NAME="security-mysql-network"
 >4.2.3. Network Access</A
 ></H2
 ><P
 >If MySQL and your webserver both run on the same machine and you
       have no other reason to access MySQL remotely, then you should disable
       the network access. This, along with the suggestion in
       <A
 HREF="security-os.html#security-os-ports"
 >Section 4.1.1</A
 >, will help protect your system from
       any remote vulnerabilites in MySQL.
       </P
 ><DIV
 CLASS="example"
 ><A
 NAME="security-mysql-network-ex"
 ></A
 ><P
 ><B
 >Example 4-3. Disabling Networking in MySQL</B
 ></P
 ><P
 >Simply enter the following in <TT
 CLASS="filename"
 >/etc/my.conf</TT
 >:
         <TABLE
 BORDER="0"
 BGCOLOR="#E0E0E0"
 WIDTH="100%"
 ><TR
 ><TD
 ><FONT
 COLOR="#000000"
 ><PRE
 CLASS="screen"
 >&#13;[myslqd]
 # Prevent network access to MySQL.
 skip-networking
         </PRE
 ></FONT
 ></TD
 ></TR
 ></TABLE
 >
         </P
 ></DIV
 ></DIV
 ></DIV
 ><DIV
 CLASS="NAVFOOTER"
 ><HR
 ALIGN="LEFT"
 WIDTH="100%"><TABLE
 SUMMARY="Footer navigation table"
 WIDTH="100%"
 BORDER="0"
 CELLPADDING="0"
 CELLSPACING="0"
 ><TR
 ><TD
 WIDTH="33%"
 ALIGN="left"
 VALIGN="top"
 ><A
 HREF="security-os.html"
 ACCESSKEY="P"
 >Prev</A
 ></TD
 ><TD
 WIDTH="34%"
 ALIGN="center"
 VALIGN="top"
 ><A
 HREF="index.html"
 ACCESSKEY="H"
 >Home</A
 ></TD
 ><TD
 WIDTH="33%"
 ALIGN="right"
 VALIGN="top"
 ><A
 HREF="security-webserver.html"
 ACCESSKEY="N"
 >Next</A
 ></TD
 ></TR
 ><TR
 ><TD
 WIDTH="33%"
 ALIGN="left"
 VALIGN="top"
 >Operating System</TD
 ><TD
 WIDTH="34%"
 ALIGN="center"
 VALIGN="top"
 ><A
 HREF="security.html"
 ACCESSKEY="U"
 >Up</A
 ></TD
 ><TD
 WIDTH="33%"
 ALIGN="right"
 VALIGN="top"
 >Webserver</TD
 ></TR
 ></TABLE
 ></DIV
 ></BODY
 ></HTML
 >
	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
	<HTML
	><HEAD
	><TITLE
	>MySQL</TITLE
	><META
	NAME="GENERATOR"
	CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
	REL="HOME"
	TITLE="The Bugzilla Guide - 2.20.1
	Release"
	HREF="index.html"><LINK
	REL="UP"
	TITLE="Bugzilla Security"
	HREF="security.html"><LINK
	REL="PREVIOUS"
	TITLE="Operating System"
	HREF="security-os.html"><LINK
	REL="NEXT"
	TITLE="Webserver"
	HREF="security-webserver.html"></HEAD
	><BODY
	CLASS="section"
	BGCOLOR="#FFFFFF"
	TEXT="#000000"
	LINK="#0000FF"
	VLINK="#840084"
	ALINK="#0000FF"
	><DIV
	CLASS="NAVHEADER"
	><TABLE
	SUMMARY="Header navigation table"
	WIDTH="100%"
	BORDER="0"
	CELLPADDING="0"
	CELLSPACING="0"
	><TR
	><TH
	COLSPAN="3"
	ALIGN="center"
	>The Bugzilla Guide - 2.20.1
	Release</TH
	></TR
	><TR
	><TD
	WIDTH="10%"
	ALIGN="left"
	VALIGN="bottom"
	><A
	HREF="security-os.html"
	ACCESSKEY="P"
	>Prev</A
	></TD
	><TD
	WIDTH="80%"
	ALIGN="center"
	VALIGN="bottom"
	>Chapter 4. Bugzilla Security</TD
	><TD
	WIDTH="10%"
	ALIGN="right"
	VALIGN="bottom"
	><A
	HREF="security-webserver.html"
	ACCESSKEY="N"
	>Next</A
	></TD
	></TR
	></TABLE
	><HR
	ALIGN="LEFT"
	WIDTH="100%"></DIV
	><DIV
	CLASS="section"
	><H1
	CLASS="section"
	><A
	NAME="security-mysql"
	>4.2. MySQL</A
	></H1
	><DIV
	CLASS="section"
	><H2
	CLASS="section"
	><A
	NAME="security-mysql-account"
	>4.2.1. The MySQL System Account</A
	></H2
	><P
	>As mentioned in <A
	HREF="security-os.html#security-os-accounts"
	>Section 4.1.2</A
	>, the MySQL
	daemon should run as a non-privleged, unique user. Be sure to consult
	the MySQL documentation or the documentation that came with your system
	for instructions.
	</P
	></DIV
	><DIV
	CLASS="section"
	><H2
	CLASS="section"
	><A
	NAME="security-mysql-root"
	>4.2.2. The MySQL <SPAN
	CLASS="QUOTE"
	>"root"</SPAN
	> and <SPAN
	CLASS="QUOTE"
	>"anonymous"</SPAN
	> Users</A
	></H2
	><P
	>By default, MySQL comes with a <SPAN
	CLASS="QUOTE"
	>"root"</SPAN
	> user with a
	blank password and an <SPAN
	CLASS="QUOTE"
	>"anonymous"</SPAN
	> user, also with a blank
	password. In order to protect your data, the <SPAN
	CLASS="QUOTE"
	>"root"</SPAN
	> user
	should be given a password and the anonymous user should be disabled.
	</P
	><DIV
	CLASS="example"
	><A
	NAME="security-mysql-account-root"
	></A
	><P
	><B
	>Example 4-1. Assigning the MySQL <SPAN
	CLASS="QUOTE"
	>"root"</SPAN
	> User a Password</B
	></P
	><TABLE
	BORDER="0"
	BGCOLOR="#E0E0E0"
	WIDTH="100%"
	><TR
	><TD
	><FONT
	COLOR="#000000"
	><PRE
	CLASS="screen"
	> <SAMP
	CLASS="prompt"
	>bash$</SAMP
	> mysql mysql
	<SAMP
	CLASS="prompt"
	>mysql></SAMP
	> UPDATE user SET password = password('<VAR
	CLASS="replaceable"
	>new_password</VAR
	>') WHERE user = 'root';
	<SAMP
	CLASS="prompt"
	>mysql></SAMP
	> FLUSH PRIVILEGES;
	</PRE
	></FONT
	></TD
	></TR
	></TABLE
	></DIV
	><DIV
	CLASS="example"
	><A
	NAME="security-mysql-account-anonymous"
	></A
	><P
	><B
	>Example 4-2. Disabling the MySQL <SPAN
	CLASS="QUOTE"
	>"anonymous"</SPAN
	> User</B
	></P
	><TABLE
	BORDER="0"
	BGCOLOR="#E0E0E0"
	WIDTH="100%"
	><TR
	><TD
	><FONT
	COLOR="#000000"
	><PRE
	CLASS="screen"
	> <SAMP
	CLASS="prompt"
	>bash$</SAMP
	> mysql -u root -p mysql <A
	NAME="security-mysql-account-anonymous-mysql"
	><IMG
	SRC="../images/callouts/1.gif"
	HSPACE="0"
	VSPACE="0"
	BORDER="0"
	ALT="(1)"></A
	>
	<SAMP
	CLASS="prompt"
	>Enter Password:</SAMP
	> <VAR
	CLASS="replaceable"
	>new_password</VAR
	>
	<SAMP
	CLASS="prompt"
	>mysql></SAMP
	> DELETE FROM user WHERE user = '';
	<SAMP
	CLASS="prompt"
	>mysql></SAMP
	> FLUSH PRIVILEGES;
	</PRE
	></FONT
	></TD
	></TR
	></TABLE
	><DIV
	CLASS="calloutlist"
	><DL
	COMPACT="COMPACT"
	><DT
	><A
	HREF="security-mysql.html#security-mysql-account-anonymous-mysql"
	><IMG
	SRC="../images/callouts/1.gif"
	HSPACE="0"
	VSPACE="0"
	BORDER="0"
	ALT="(1)"></A
	></DT
	><DD
	>This command assumes that you have already completed
	<A
	HREF="security-mysql.html#security-mysql-account-root"
	>Example 4-1</A
	>.
	</DD
	></DL
	></DIV
	></DIV
	></DIV
	><DIV
	CLASS="section"
	><H2
	CLASS="section"
	><A
	NAME="security-mysql-network"
	>4.2.3. Network Access</A
	></H2
	><P
	>If MySQL and your webserver both run on the same machine and you
	have no other reason to access MySQL remotely, then you should disable
	the network access. This, along with the suggestion in
	<A
	HREF="security-os.html#security-os-ports"
	>Section 4.1.1</A
	>, will help protect your system from
	any remote vulnerabilites in MySQL.
	</P
	><DIV
	CLASS="example"
	><A
	NAME="security-mysql-network-ex"
	></A
	><P
	><B
	>Example 4-3. Disabling Networking in MySQL</B
	></P
	><P
	>Simply enter the following in <TT
	CLASS="filename"
	>/etc/my.conf</TT
	>:
	<TABLE
	BORDER="0"
	BGCOLOR="#E0E0E0"
	WIDTH="100%"
	><TR
	><TD
	><FONT
	COLOR="#000000"
	><PRE
	CLASS="screen"
	> [myslqd]
	# Prevent network access to MySQL.
	skip-networking
	</PRE
	></FONT
	></TD
	></TR
	></TABLE
	>
	</P
	></DIV
	></DIV
	></DIV
	><DIV
	CLASS="NAVFOOTER"
	><HR
	ALIGN="LEFT"
	WIDTH="100%"><TABLE
	SUMMARY="Footer navigation table"
	WIDTH="100%"
	BORDER="0"
	CELLPADDING="0"
	CELLSPACING="0"
	><TR
	><TD
	WIDTH="33%"
	ALIGN="left"
	VALIGN="top"
	><A
	HREF="security-os.html"
	ACCESSKEY="P"
	>Prev</A
	></TD
	><TD
	WIDTH="34%"
	ALIGN="center"
	VALIGN="top"
	><A
	HREF="index.html"
	ACCESSKEY="H"
	>Home</A
	></TD
	><TD
	WIDTH="33%"
	ALIGN="right"
	VALIGN="top"
	><A
	HREF="security-webserver.html"
	ACCESSKEY="N"
	>Next</A
	></TD
	></TR
	><TR
	><TD
	WIDTH="33%"
	ALIGN="left"
	VALIGN="top"
	>Operating System</TD
	><TD
	WIDTH="34%"
	ALIGN="center"
	VALIGN="top"
	><A
	HREF="security.html"
	ACCESSKEY="U"
	>Up</A
	></TD
	><TD
	WIDTH="33%"
	ALIGN="right"
	VALIGN="top"
	>Webserver</TD
	></TR
	></TABLE
	></DIV
	></BODY
	></HTML
	>