At 5:03 PM +0200 2000-03-22, sinisa@stripped wrote:
>Chuck Braidwood writes:
> > Are there any security issues with running the MySQL daemon as root?
> > We are setting up a web-based database application with MySQL, Apache,
> > and PHP. I have found in the documentation HOW to run MySQL under
> > a different account, but should I? Thanks.
> >
> > Chuck Braidwood
> > cbraidwo@stripped
> >
> >
>
>
>HI!
>
>There are some security issues, like exporting data to files,
>e.g. with select ... into . If MySQL is run under root uid, then any
>file could be overwritten.
>
It's true that you shouldn't run anything as root that doesn't need
to be run as root (and the MySQL server doesn't need to be), but
I thought that SELECT ... INTO requires that the output file not
exist, to prevent files from being overwritten. On the other hand,
a root-privilege server can *read* any file on the server, which is
enough of a security risk in itself. And being able to write files,
even if they don't yet exist, is bad. Suppose the machine doesn't
have an /etc/hosts.equiv file -- you could get the server to create
one. Yow.
--
Paul DuBois, paul@stripped
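
A check for the two conditions discussed in this thread, as an added example that is not part of the original messages: it flags a mysqld process owned by root and an option file that leaves the server account unset or leaves file export unconfined. The ps listing, the option file and the function names are constructed for illustration; secure_file_priv is a MySQL server option that the thread does not mention.

```python
import configparser
import os

# Constructed sample inputs, not taken from the thread.
SAMPLE_PS = """\
USER       PID COMMAND
root      1012 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql
root      1187 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql
www-data  1300 /usr/sbin/apache2 -k start
"""
SAMPLE_CNF = """\
[mysqld]
datadir = /var/lib/mysql
secure-file-priv = ""
"""

def mysqld_owners(ps_output):
    # Accounts owning a mysqld process in `ps -eo user,pid,args` output.
    # The mysqld_safe wrapper is skipped: only the server itself counts.
    owners = set()
    for line in ps_output.splitlines()[1:]:
        fields = line.split(None, 2)
        if len(fields) == 3 and os.path.basename(fields[2].split()[0]) == "mysqld":
            owners.add(fields[0])
    return owners

def mysqld_options(cnf_text):
    # [mysqld] options, dashes normalised to underscores, quotes stripped.
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.read_string(cnf_text)
    if not parser.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): (v or "").strip("\"'")
            for k, v in parser.items("mysqld")}

def audit(ps_output, cnf_text):
    findings = []
    if "root" in mysqld_owners(ps_output):
        findings.append("mysqld process is running as root")
    opts = mysqld_options(cnf_text)
    # --user may also be given on the command line; only the file is checked.
    if opts.get("user", "root") == "root":
        findings.append("[mysqld] user is unset or root in the option file")
    if opts.get("secure_file_priv") == "":
        findings.append("secure_file_priv is empty: file export is unconfined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PS, SAMPLE_CNF)))
```

On a live host, pass the output of `ps -eo user,pid,args` and the contents of the server's option file in place of the samples.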