    Chapter 4: Database Administration

    mysqld can be run as an ordinary unprivileged user instead. You can also create a new Unix user mysql to make everything even more secure. If you run mysqld as another Unix user, you don't need to change the root user name in the user table, because MySQL user names have nothing to do with Unix user names. To start mysqld as another Unix user, add a user line that specifies the user name to the [mysqld] group of the `/etc/my.cnf' option file or the `my.cnf' option file in the server's data directory. For example:

        [mysqld]
        user=mysql

    This will cause the server to start as the designated user whether you start it manually or by using safe_mysqld or mysql.server. For more details, see Section A.3.2 [Changing MySQL user], page 638.

  • Don't support symlinks to tables (this can be disabled with the --skip-symlink option). This is especially important if you run mysqld as root as anyone that has write access to the mysqld data directories could then delete any file in the system! See Section 5.6.1.2 [Symbolic links to tables], page 374.

  • Check that the Unix user that mysqld runs as is the only user with read/write privileges in the database directories.

  • Don't give the PROCESS privilege to all users. The output of mysqladmin processlist shows the text of the currently executing queries, so any user who is allowed to execute that command might be able to see if another user issues an UPDATE user SET password=PASSWORD('not_secure') query. mysqld reserves an extra connection for users who have the PROCESS privilege, so that a MySQL root user can log in and check things even if all normal connections are in use.

  • Don't give the FILE privilege to all users. Any user that has this privilege can write a file anywhere in the filesystem with the privileges of the mysqld daemon! To make this a bit safer, all files generated with SELECT ... INTO OUTFILE are readable to everyone, and you cannot overwrite existing files. The FILE privilege may also be used to read any file accessible to the Unix user that the server runs as. This could be abused, for example, by using LOAD DATA to load `/etc/passwd' into a table, which can then be read with SELECT.

  • If you don't trust your DNS, you should use IP numbers instead of hostnames in the grant tables. In any case, you should be very careful about creating grant table entries using hostname values that contain wildcards!

  • If you want to restrict the number of connections for a single user, you can do this by setting the max_user_connections variable in mysqld.

    4.2.3 Startup Options for mysqld Concerning Security

    The following mysqld options affect security:

    --local-infile[=(0|1)]
        If one uses --local-infile=0 then one can't use LOAD DATA LOCAL INFILE.
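    An added example, not part of the MySQL manual: a small audit that applies the checklist above and the --local-infile option to a [mysqld] option group and to rows from the mysql.user grant table. The sample option file, the sample rows, the function names and the admins parameter are constructed for illustration, and the option file is assumed to contain only plain name=value or bare-name lines.

```python
import configparser

# Constructed sample option file; the option names are the ones the page mentions.
SAMPLE_CNF = """
[mysqld]
user=root
local-infile=1
"""

# Constructed rows, shaped like the result of
#   SELECT Host, User, Process_priv, File_priv FROM mysql.user;
SAMPLE_GRANTS = [
    ("localhost", "root", "Y", "Y"),
    ("%.example.com", "webapp", "N", "Y"),
    ("192.0.2.10", "report", "Y", "N"),
    ("192.0.2.11", "backup", "N", "N"),
]

def audit_config(text):
    """Check the [mysqld] group against the page's recommendations."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    opts = dict(cp["mysqld"]) if cp.has_section("mysqld") else {}
    findings = []
    if opts.get("user") in (None, "root"):
        findings.append("no unprivileged Unix user set for mysqld")
    if "skip-symlink" not in opts:
        findings.append("skip-symlink not set: symlinks to tables are supported")
    if opts.get("local-infile") != "0":
        findings.append("local-infile=0 not set: LOAD DATA LOCAL INFILE not disabled")
    return findings

def audit_grants(rows, admins=("root",)):
    """Flag PROCESS or FILE held by non-admin accounts, and wildcard Host values.
    admins is a hypothetical allow-list of MySQL accounts that may hold them."""
    findings = []
    for host, user, process_priv, file_priv in rows:
        who = f"'{user}'@'{host}'"
        if user not in admins and process_priv == "Y":
            findings.append(f"{who} has PROCESS")
        if user not in admins and file_priv == "Y":
            findings.append(f"{who} has FILE")
        if "%" in host or "_" in host:  # both are wildcards in Host values
            findings.append(f"{who} has a wildcard in Host")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CNF) + audit_grants(SAMPLE_GRANTS):
        print("FINDING:", finding)
```

    The permission check on the database directories is not covered here; it has to be done on the server's filesystem.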
     

    MySQL Reference Manual
