Using Virtual Accounts with VSFTPD (Very Secure FTP server) and MySQL on CentOS 5

Advantages of virtual user accounts compared to local users

Storing usernames and passwords in a database is easy to maintain, even for local managers not familiar with Unix security models.

Aside from supporting initial sub-directory setup for new users, it avoids the need to share system root rights. Using sudo and a bit of scripting, one can avoid granting unrestricted system root rights to non-admins doing day to day administration of the system. Indeed, nothing prevents setting up a non-MySQL root user with permissions to modify just the vsftpd ACL database, permitting even greater security, although such methodology is outside the scope of this article.

It avoids granting general shell capable local accounts for users only needing FTP access. As such, less exposure is presented to potential crackers, thus minimising the risk of any compromise. This is particularly important for protocols such as ftp that send plain text login credentials.

All user content is located down one directory tree, potentially with user specific ACL settings as needed. Backups and restores are simplified to a subset of a directory tree, compared to having local FTP only accounts scattered amongst shell accounts in the /home/ directory under the default model.

The security model of MySQL can protect its databases with user level ACL permissions; by convention, the MySQL account root is used for superuser operations on that ACL database, giving it access and permissions to read, write, and modify. We follow that convention, and in this example use the MySQL root account. That account should have its own separate password (not the same as the general system account root). This provides some protection in case exploits against MySQL are found to exist: it avoids exposing this potentially valuable credential out of the database, where it could be leveraged to escalate to the local system root account and gain access to the server. Additionally, this protects against the case where a method is found to reverse the password hash out of a backup copy of a MySQL database, or an administrator mistakenly uses a 'cleartext' password for the database account. A simple general rule is: do not 'reuse' passwords between accounts with special rights.

You will need (if not already installed) VSFTPD and MySQL. As system root, the following will install the packages from the standard CentOS archives:

Then, start mysqld if not already running:

# /sbin/service mysqld restart

And establish a database root user password for MySQL (if not already done):

# mysqladmin -u root password 'yourrootsqlpassword'

Replace 'yourrootsqlpassword' with your password for the MySQL root user (without the ' quotes).

The following no longer requires system root permissions.