BugsSite/docs/html/security-mysql.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>MySQL</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="The Bugzilla Guide - 2.20.1 
    Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Bugzilla Security"
HREF="security.html"><LINK
REL="PREVIOUS"
TITLE="Operating System"
HREF="security-os.html"><LINK
REL="NEXT"
TITLE="Webserver"
HREF="security-webserver.html"></HEAD
><BODY
CLASS="section"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>The Bugzilla Guide - 2.20.1 
    Release</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="security-os.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 4. Bugzilla Security</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="security-webserver.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="section"
><H1
CLASS="section"
><A
NAME="security-mysql"
>4.2. MySQL</A
></H1
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="security-mysql-account"
>4.2.1. The MySQL System Account</A
></H2
><P
>As mentioned in <A
HREF="security-os.html#security-os-accounts"
>Section 4.1.2</A
>, the MySQL
      daemon should run as a non-privleged, unique user. Be sure to consult
      the MySQL documentation or the documentation that came with your system
      for instructions.
      </P
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="security-mysql-root"
>4.2.2. The MySQL <SPAN
CLASS="QUOTE"
>"root"</SPAN
> and <SPAN
CLASS="QUOTE"
>"anonymous"</SPAN
> Users</A
></H2
><P
>By default, MySQL comes with a <SPAN
CLASS="QUOTE"
>"root"</SPAN
> user with a
      blank password and an <SPAN
CLASS="QUOTE"
>"anonymous"</SPAN
> user, also with a blank
      password. In order to protect your data, the <SPAN
CLASS="QUOTE"
>"root"</SPAN
> user
      should be given a password and the anonymous user should be disabled.
      </P
><DIV
CLASS="example"
><A
NAME="security-mysql-account-root"
></A
><P
><B
>Example 4-1. Assigning the MySQL <SPAN
CLASS="QUOTE"
>"root"</SPAN
> User a Password</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<SAMP
CLASS="prompt"
>bash$</SAMP
> mysql mysql
<SAMP
CLASS="prompt"
>mysql&#62;</SAMP
> UPDATE user SET password = password('<VAR
CLASS="replaceable"
>new_password</VAR
>') WHERE user = 'root';
<SAMP
CLASS="prompt"
>mysql&#62;</SAMP
> FLUSH PRIVILEGES;
        </PRE
></FONT
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="example"
><A
NAME="security-mysql-account-anonymous"
></A
><P
><B
>Example 4-2. Disabling the MySQL <SPAN
CLASS="QUOTE"
>"anonymous"</SPAN
> User</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<SAMP
CLASS="prompt"
>bash$</SAMP
> mysql -u root -p mysql           <A
NAME="security-mysql-account-anonymous-mysql"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
>
<SAMP
CLASS="prompt"
>Enter Password:</SAMP
> <VAR
CLASS="replaceable"
>new_password</VAR
>
<SAMP
CLASS="prompt"
>mysql&#62;</SAMP
> DELETE FROM user WHERE user = '';
<SAMP
CLASS="prompt"
>mysql&#62;</SAMP
> FLUSH PRIVILEGES;
        </PRE
></FONT
></TD
></TR
></TABLE
><DIV
CLASS="calloutlist"
><DL
COMPACT="COMPACT"
><DT
><A
HREF="security-mysql.html#security-mysql-account-anonymous-mysql"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
></DT
><DD
>This command assumes that you have already completed
            <A
HREF="security-mysql.html#security-mysql-account-root"
>Example 4-1</A
>.
            </DD
></DL
></DIV
></DIV
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="security-mysql-network"
>4.2.3. Network Access</A
></H2
><P
>If MySQL and your webserver both run on the same machine and you
      have no other reason to access MySQL remotely, then you should disable
      the network access. This, along with the suggestion in
      <A
HREF="security-os.html#security-os-ports"
>Section 4.1.1</A
>, will help protect your system from
      any remote vulnerabilites in MySQL.
      </P
><DIV
CLASS="example"
><A
NAME="security-mysql-network-ex"
></A
><P
><B
>Example 4-3. Disabling Networking in MySQL</B
></P
><P
>Simply enter the following in <TT
CLASS="filename"
>/etc/my.conf</TT
>:
        <TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;[myslqd]
# Prevent network access to MySQL.
skip-networking
        </PRE
></FONT
></TD
></TR
></TABLE
>
        </P
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="security-os.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="security-webserver.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Operating System</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="security.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Webserver</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>