List: General Discussion
From: Paul DuBois
Date: April 3 2000 11:47am
Subject: Re: FILE privilege question
At 12:44 AM -0400 2000-04-03, David R. Saunders wrote:
>MySQL folks,
>   This question centers on the granting of FILE privilege
>when coupled with the ability to run the MySQL daemon
>as another user.
>
>   Let's say I set up the unix user "mysql" which
>I then use as the user to run the MySQL daemon as
>(bin/safe_mysqld --user=mysql &).
>
>   Let's also say that I create a corresponding
>MySQL user account called "mysql" which is a
>MySQL root-equivalent.
>
>   Finally, I place the password for MySQL user "mysql"
>into the unix file /home/mysql/.my.cnf:
>
>	[client]
>	password=somepass
>
>and set the permissions to 0600.  This allows the
>unix user "mysql" to log in using bin/mysql without
>having to supply a password, and, more importantly,
>allows any perl scripts also running as unix user
>"mysql" to read this password and connect to the
>daemon when needed.
>
>   All of this should be ok, safe and secure.  I
>prefer this setup because the daemon runs non-root
>and because many unix architectures have root's
>home directory in "/", and I don't like putting
>.my.cnf here.
>
>   But if I then grant any mysql user FILE privilege,
>will I expose the /home/mysql/.my.cnf file?

Yes.

>The documentation (section 6.7) says that, "Any
>user to whom this privilege is granted can read or
>write any file that the MySQL server can read or
>write."  It seems that I would also be exposing
>all databases, since they would all be owned by
>unix user "mysql" as well.
>
>   Can anyone tell me if I am correctly interpreting
>this statement?


You are.  If the UNIX user as whom the server runs
cannot access the database files, the server is
kind of useless.

>
>   Just being sure of my understanding.  If this is in fact
>the case it might not be a bad idea to put some additional
>comments in the manual in section 6.7, plus where
>the --user= mysqld command-line option is detailed
>(not to mention the mSQL/MySQL O'Reilly text as well).


What comment do you suggest?

-- 
Paul DuBois, paul@stripped
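
Added example, not part of the original message or of MySQL itself: a small audit that reads SHOW GRANTS output and lists every account that holds FILE, either by name or through ALL PRIVILEGES ON *.*, since those are the accounts that can read whatever the server's UNIX user can read. The grant lines and account names below are constructed for illustration, and the function name is hypothetical.

```python
import re

# Constructed SHOW GRANTS output; account names are hypothetical.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, FILE ON *.* TO 'report'@'10.0.0.%'",
    "GRANT ALL PRIVILEGES ON `shop`.* TO 'webapp'@'localhost'",
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, FILE ON *.* TO `etl`@`%`",
]

# Accepts both 'user'@'host' and `user`@`host` quoting.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"['`](?P<user>[^'`]*)['`]@['`](?P<host>[^'`]*)['`]",
    re.IGNORECASE,
)


def accounts_with_file(grant_lines):
    """Return sorted (user, host, reason) tuples for accounts holding FILE."""
    found = set()
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        # FILE is a global privilege, so only grants ON *.* can carry it.
        # ALL PRIVILEGES on a single database does not include FILE.
        if m.group("scope") != "*.*":
            continue
        # Compare whole privilege names, not substrings.
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "FILE" in privs:
            reason = "FILE"
        elif privs & {"ALL", "ALL PRIVILEGES"}:
            reason = "ALL PRIVILEGES"
        else:
            continue
        found.add((m.group("user"), m.group("host"), reason))
    return sorted(found)


if __name__ == "__main__":
    for user, host, reason in accounts_with_file(SAMPLE_GRANTS):
        print(f"{user}@{host}: holds FILE via {reason}")
```
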