Secure MySQL

Basic steps you can take to harden your MySQL installation.

MySQL (http://www.mysql.com), one of the most popular open source database systems available today, is often used in conjunction with both the Apache web server and the PHP scripting language to drive dynamic content on the Web. However, MySQL is a complex piece of software internally and, given the fact that it often has to interact both locally and remotely with a broad range of other programs, special care should be taken to secure it as much as possible.

Some steps you can take are running MySQL in a chrooted environment [Hack #10], running it as a nonroot user, and disabling MySQL’s ability to load data from local files. Luckily, none of these are as hard to do as they may sound. To start with, let’s look at how to chroot() MySQL.

First create a user and group for MySQL to run as. Next, you’ll need to download the MySQL source distribution. After you’ve done that, unpack it and go into the directory that it created. Run this command to build MySQL and set up its directory structure for chrooting:

$ ./configure --prefix=/mysql --with-mysqld-ldflags=-all-static && make

This configures MySQL to be installed in /mysql and statically links the mysqld binary. This will make setting up the chroot environment much easier, since you won’t need to copy any additional libraries to the environment.

After the compilation finishes, become root and then run these commands to install MySQL:

# make install DESTDIR=/mysql_chroot ...
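
Once the server is installed, the three measures named earlier (chroot, nonroot user, no loading of local files) can be checked in the server's option file. The script below is an added example, not code from the book: it assumes they are set with mysqld's user, chroot and local-infile options in the [mysqld] section, and the function names, the account name "mysql" and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the [mysqld] section of an option file for the three
# hardening measures named in the text. The sample file below is constructed.

# mysqld_opt FILE KEY: print KEY's value from [mysqld] (last setting wins).
# MySQL treats '-' and '_' in option names alike, so names are normalised.
mysqld_opt() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        !in_sec || /^[ \t]*[#;]/ { next }
        {
            n = index($0, "=")
            if (!n) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/_/, "-", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }' "$1"
}

# audit_mysqld_cnf FILE: report each check; return the number of failures.
audit_mysqld_cnf() {
    fails=0
    user=$(mysqld_opt "$1" user)
    jail=$(mysqld_opt "$1" chroot)
    infile=$(mysqld_opt "$1" local-infile)
    case "$user" in
        ""|root|0) echo "FAIL user: no explicit nonroot account"; fails=$((fails + 1)) ;;
        *) echo "ok   user=$user" ;;
    esac
    case "$jail" in
        /?*) echo "ok   chroot=$jail" ;;
        *) echo "FAIL chroot: not set to a directory"; fails=$((fails + 1)) ;;
    esac
    case "$infile" in
        0|OFF|off) echo "ok   local-infile=$infile" ;;
        *) echo "FAIL local-infile: LOAD DATA LOCAL not disabled"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample: the account name "mysql" is an assumption; the chroot
# path matches the DESTDIR used in the install command.
sample=$(mktemp)
printf '%s\n' '[client]' 'user = root' '[mysqld]' 'user = mysql' \
    'chroot = /mysql_chroot' 'local_infile = 1' > "$sample"
audit_mysqld_cnf "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

The parser reads only the [mysqld] section, so a user line under [client] does not count, and it does not strip trailing comments on an option line.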
