At 5:15 PM -0400 2000-04-04, Thimble Smith wrote:
>On Tue, Apr 04, 2000 at 11:05:00AM -0500, Paul DuBois wrote:
>>Note that each method may present security problems:
>>- If you don't make ~/.my.cnf readable only to you, other user may be
>> able to see it.
>This, to me, sounds like saying:
> If you make .signature a symbolic link to .my.cnf, anyone who
> receives an e-mail from you will know your MySQL password.
Okay, yeah, I wrote it in a dumb way. I should have said, "make
the file readable only to yourself so that other users can't see it"
or something slightly less tautological. :-)
>I know it's not *that* extreme, but really it's just a matter of
>a small amount of education. A system administrator should make
>the users' home directories 0700 by default, and users should get
>a very brief message about security when they get their account.
Yeah, but some situations call for users in a group to make their
directories readable by other people in the same group. It's unrealistic
to force such users to have mode-700 home directories. So you still
want to make the .my.cnf file mode 400 or 600.
>I know that's idealistic, but at the same time, there's just no
>way to make this safe unless people have some understanding of
>the environment they work in. I think the tricky problems with
>environment variables and command lines are much harder to grasp
>than the problems with file permissions.
>The reason I mention this is that I don't want people to get
>the idea that having a .my.cnf file is a security risk. Yes,
>having one that is world-readable is a security risk, but the
>only reason you'd do that is because you hadn't learned about
>Unix permissions. There's no good reason to do it. And, if it's
Sure. *You* agree with that, and *I* agree with that, but there
are plenty of users who simply don't want to be bothered. I have
lots of local users who aren't even aware they have a .my.cnf file.
They access MySQL only through canned queries and they don't want
to know any more about MySQL than how to run these scripts. They
just want to get the information that's of interest to them, they
don't want to become UNIX geeks.
My position is that I prefer .my.cnf over specifying the password
on the command line or in the environment, but that .my.cnf still
has a very real potential to be a security risk. For this reason,
I run the script I've included below nightly out of root's cron
to look for insecure .my.cnf files.
>readable by you only, and someone else reads it, that someone
>else must be root. Root can read anything on the machine, so
>most likely your data are not safe anyway. IF your data are on
>another machine, and you don't trust the system administrators
>for your own machine, then you might want to avoid using .my.cnf.
>(Actually, you'd need to avoid using that machine at all, because
>the administrator could just change the mysql program to log
Here's my .my.cnf-checker:
# Script type: Perl5
# Check user .my.cnf files for improper mode (should be accessible only
# to owner).
# Usage: see $usage variable below
# Should be run as root so that all files can be checked.
# 28 Nov 1998
# Paul DuBois
use vars qw($opt_a $opt_v);
# begin configurable parameters
my ($mailer) = "/usr/lib/sendmail -t -oi -odq";
# end configurable parameters
my ($prog, $usage);
($prog = $0) =~ s|.*/||; # get script name for messages
$usage = "Usage: $prog [ -a ] [ -v ]
-a \"annoy\" mode - send mail to users of insecure files
-v verbose mode";
getopts ("av") or die "$usage\n";
my ($annoy) = defined ($opt_a);
my ($verbose) = defined ($opt_v);
my ($pwd_file) = "/etc/passwd";
my ($login, $pwd, $uid, $gid, $gecos, $home, $shell);
my ($cnf_file, $mode);
open (IN, $pwd_file) or die "$prog: cannot open $pwd_file: $!\n";
($login, $pwd, $uid, $gid, $gecos, $home, $shell) = split (/:/, $_);
if ($home eq "")
$verbose and warn "$login: no home directory\n";
if (! -d $home)
$verbose and warn "$login: missing or unreadable home
$cnf_file = "$home/.my.cnf";
if (! -f $cnf_file)
$verbose and warn "$login: no .my.cnf file\n";
$mode = (stat ($cnf_file)) & 0777;
if ($mode & 077) # get "group" and "other" bits
printf "$login: .my.cnf file is insecure (mode %o)\n", $mode;
# Send mail to owner of insecure options file. This is called annoy
# mode because if this script is run nightly out of cron, owners of
# such files get a nag message every night until they fix the problem.
my ($recipient) = shift;
$annoy or return;
$verbose and warn "Sending message to $recipient...\n";
open (OUT, "| $mailer") or return;
print OUT <<EOF;
Subject: Your .my.cnf file is insecure
The .my.cnf file in your home directory is insecure (that is, it
is accessible to users other than yourself). To fix this problem,
execute the following commands:
% chmod go-rwx .my.cnf
Paul DuBois, paul@stripped