05.06.05 21:17 Installing and securing MySQL on FreeBSD
Last modified: 05.06.05 21:20

This article describes the secure installation of a MySQL server on a system running FreeBSD.


MySQL security will be hardened by:

- running the mysql server in a chroot environment
- running the mysql server with the rights of a dedicated, unprivileged user
- allowing only local applications to access mysql
- blocking anonymous access to the database and deleting the databases that any user could access.


MySQL is installed from the ports collection:



[root@host]# cd /usr/ports/databases/mysql40-server
[root@host]# make WITHOUT_INNODB=yes WITH_LINUXTHREADS=yes BUILD_STATIC=yes BUILD_OPTIMIZED=yes install clean


After MySQL has been installed successfully, we create the chroot environment:



[root@host]# mkdir -p /chroot/mysql/dev
[root@host]# mkdir -p /chroot/mysql/etc
[root@host]# mkdir -p /chroot/mysql/tmp
[root@host]# mkdir -p /chroot/mysql/var/db
[root@host]# mkdir -p /chroot/mysql/usr/local/libexec
[root@host]# mkdir -p /chroot/mysql/usr/local/bin
[root@host]# mkdir -p /chroot/mysql/usr/local/share/mysql/english


On a FreeBSD 4.x system the /dev/null device has to be created manually inside the chroot:

[root@host]# mknod /chroot/mysql/dev/null c 2 2
[root@host]# chmod 666 /chroot/mysql/dev/null


On a FreeBSD 5.x system there is no need to create it manually, thanks to devfs.
We mount devfs on /chroot/mysql/dev:

[root@host]# /sbin/mount_devfs devfs /chroot/mysql/dev

and add the following line to /etc/fstab:


devfs /chroot/mysql/dev devfs rw 0 0


For security reasons we keep only null in /chroot/mysql/dev:



[root@host]# /sbin/devfs -m /chroot/mysql/dev rule apply hide
[root@host]# /sbin/devfs -m /chroot/mysql/dev rule apply path null unhide


Add these two lines to /etc/rc.local.


Next we set the correct permissions:



[root@host]# chown -R root /chroot/mysql
[root@host]# chmod -R 755 /chroot/mysql
[root@host]# chmod 1777 /chroot/mysql/tmp


We copy the system files that the MySQL service needs in order to run correctly:



[root@host]# cp /etc/hosts /chroot/mysql/etc/
[root@host]# cp /etc/host.conf /chroot/mysql/etc/
[root@host]# cp /etc/resolv.conf /chroot/mysql/etc/
[root@host]# cp /etc/localtime /chroot/mysql/etc/


We copy the MySQL files into the chroot environment:



[root@host]# cp /usr/local/share/mysql/my-large.cnf /chroot/mysql/etc/my.cnf

(replace my-large.cnf with the file that best fits your needs and resources)



[root@host]# cp /usr/local/libexec/mysqld /chroot/mysql/usr/local/libexec/
[root@host]# cp /usr/local/share/mysql/english/errmsg.sys /chroot/mysql/usr/local/share/mysql/english/
[root@host]# cp -Rp /var/db/mysql /chroot/mysql/var/db


To continue we need chrootuid(8).
Chrootuid combines chroot(8) and su(1) and is used to run an application with reduced privileges inside a restricted environment.


We install it, if it is not already present on the system:
[root@host]# cd /usr/ports/security/chrootuid && make install clean



We check that the installation works by running:
[root@host]# chrootuid /chroot/mysql mysql /usr/local/libexec/mysqld &


Add to ~/.my.cnf:
socket = /chroot/mysql/tmp/mysql.sock

so that the correct socket is used when connecting.


Then we create the file /usr/local/etc/rc.d/mysql.sh with the following content:




#!/bin/sh
# Start/stop the chrooted MySQL server through chrootuid(8).
CHROOT_MYSQL=/chroot/mysql
MYSQLD=/usr/local/libexec/mysqld
# Paths below are as seen from inside the chroot; the pid file therefore
# lands in ${CHROOT_MYSQL}/var/db/mysql/<hostname>.pid on the host.
PIDFILE=/var/db/mysql/`hostname`.pid
# my.cnf was copied to ${CHROOT_MYSQL}/etc/my.cnf, i.e. /etc/my.cnf inside the chroot
MYCNF=/etc/my.cnf
# mysqld creates its socket at /tmp/mysql.sock inside the chroot
# (= ${CHROOT_MYSQL}/tmp/mysql.sock on the host)
CHROOTUID=/usr/local/sbin/chrootuid

echo -n " mysql"
case "$1" in
start)
        # --user=mysql: drop to the unprivileged user; --skip-networking: socket clients only
        nohup ${CHROOTUID} ${CHROOT_MYSQL} mysql ${MYSQLD} \
                --defaults-extra-file=${MYCNF} --user=mysql \
                --datadir=/var/db/mysql --skip-networking --skip-name-resolve \
                --pid-file=${PIDFILE} >/dev/null 2>&1 &
        ;;
stop)
        kill `cat ${CHROOT_MYSQL}${PIDFILE}`
        ;;
*)
        echo ""
        echo "Usage: `basename $0` {start|stop}" >&2
        exit 64
        ;;
esac
exit 0



and delete the file /usr/local/etc/rc.d/mysql-server.sh.

After starting MySQL, we set a password for the root user:



mysql> SET PASSWORD FOR root=PASSWORD('VhYH00F3yU');
Query OK, 0 rows affected (0.00 sec)


Then we drop the test database and delete every user other than root:



mysql> drop database test;
Query OK, 0 rows affected (0.00 sec)


mysql> delete from mysql.user where not (host="localhost" and user="root");
Query OK, 3 rows affected (0.00 sec)


To prevent users from reading data they are not authorized to access through the
LOAD DATA LOCAL INFILE command, add the following line to the [mysqld] section of
/chroot/mysql/etc/my.cnf:



set-variable=local-infile=0
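The following audit helper is an added example, not part of the original article or of the MySQL port: it checks a chroot built with the layout above (only `null` in dev, sticky 1777 tmp, non-writable chroot root, the copied mysqld binary, and `local-infile=0` placed in the `[mysqld]` section rather than only under `[client]`). Paths follow the article; the chroot root is a parameter that defaults to /chroot/mysql.

```shell
#!/bin/sh
# Added example (not from the original article): audit a MySQL chroot built
# with the layout above. Assumes the same paths; root defaults to /chroot/mysql.

# Portable permission string: first 10 chars of ls -ld, e.g. "drwxrwxrwt".
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Succeeds when the [mysqld] section of config $1 has a line matching ERE $2.
# Sections are tracked so that a setting placed under [client] does not count.
mysqld_has() {
    awk -v re="$2" '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next }
        in_mysqld && $0 ~ re { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Runs every check, prints each failure, returns 0 only if all pass.
audit_mysql_chroot() {
    root=${1:-/chroot/mysql}
    rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    # 1. dev must expose only 'null' (the devfs hide / unhide-null rules)
    extra=$(ls -A "$root/dev" 2>/dev/null | grep -v '^null$' || true)
    [ -e "$root/dev/null" ] || fail "dev/null is missing"
    [ -z "$extra" ] || fail "unexpected entries in dev: $extra"

    # 2. tmp is 1777 so the unprivileged mysql user can create the socket there
    [ "$(mode_of "$root/tmp")" = "drwxrwxrwt" ] || fail "tmp is not mode 1777"

    # 3. the chroot root itself (root-owned, 755) must not be group/world writable
    case "$(mode_of "$root")" in
        d????w*|d???????w*) fail "chroot root is group- or world-writable" ;;
    esac

    # 4. LOAD DATA LOCAL INFILE must be disabled in [mysqld], not merely in [client]
    cnf=$root/etc/my.cnf
    [ -f "$cnf" ] || fail "etc/my.cnf is missing"
    mysqld_has "$cnf" '^[[:space:]]*(set-variable[[:space:]]*=[[:space:]]*)?local-infile[[:space:]]*=[[:space:]]*0[[:space:]]*$' \
        || fail "local-infile=0 is not set in the [mysqld] section"

    # 5. the server binary copied into the chroot must be present and executable
    [ -x "$root/usr/local/libexec/mysqld" ] || fail "mysqld binary is missing"

    return $rc
}
```

Source the file on the host and call `audit_mysql_chroot /chroot/mysql`; the checks are file-based and do not connect to mysqld.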


These measures do not guarantee that the MySQL server cannot become a hole in the system's security, but they at least make compromising it considerably harder.



Author: GRisha
Comments: 5

18.01.06 20:44 e0f
Very interesting. Typical of a Linux user. In FreeBSD, dear, you do cd /usr/ports/database/mysqVER-server/ and then make install. I assure you that FreeBSD will install it by itself and will do everything that is needed.

26.02.06 04:38 Lucian
Huh? WTF, dear!

05.03.06 22:43 gr
It seems you are mixing something up

12.04.06 01:35 gr
something similar:

http://www.kitebird.com/articles/ins-sec.html

23.08.06 22:54 gr
another article
http://www.builderau.com.au/program/mysql/soa/Six_steps_to_secure_sensitive_data_in_MySQL/0,39028784,39266102,00.htm

The information on this site is presented "AS IS" and nobody guarantees its accuracy
Hosting and site maintenance - REMSYS © 2003-2007