Printed by
May 21, 03 7:59 Securing_MySQL.txt Page 1/5

Chris Verges                                        9 January 2003
Michael Imamura                                     LUG@GT

Securing MySQL
------------------

Table of Contents
1. What is MySQL?
2. How do I install MySQL?
3. Configuration Files
4. Securing the Configuration Files
5. What about SSL magic?
6. Miscellaneous Notes


1. What is MySQL?

The MySQL database server is the world's most popular open source
database. Its architecture makes it extremely fast and easy to
customize. Extensive reuse of code within the software and a
minimalistic approach to producing functionally-rich features has
resulted in a database management system unmatched in speed,
compactness, stability and ease of deployment. The unique
separation of the core server from the storage engine makes it
possible to run with strict transaction control or with ultra-fast
transactionless disk access, whichever is most appropriate for the
situation.

The MySQL database server is available for free under the GNU
General Public License (GPL). Commercial licenses are available
for users who prefer not to be restricted by the terms of the GPL.

(Taken from http://www.mysql.com/products/mysql/)

There are four different versions of MySQL available. The one
most commonly referred to is "MySQL Standard," which includes the
MySQL storage engines and InnoDB storage engines. For 99% of the
applications out there, this is good enough (tm). However, if
the licensee is a for-profit corporation (e.g., not non-profit),
MySQL comes in the Pro form, which basically is the same thing
with a different LICENSE.TXT file. :-)


2. How do I install MySQL?

Install Gentoo and delete pico/nano.

MySQL runs on most *nix platforms and quite a few Microsoft-based
ones as well. The source/binaries can be downloaded from
http://www.mysql.com/downloads/mysql.html.

For Gentoo (portage-based systems):
    emerge mysql

For Redhat (RPM systems):
    (download Server, Client programs, Libraries and Header files,
    and Client shared libraries)
    rpm -i MySQL-*.rpm

From source code (for MySQL Version < 4):
    groupadd mysql
    useradd -g mysql mysql
    tar xvfz mysql-VERSION.tar.gz
    cd mysql-VERSION
    CFLAGS="-O3 -mpentiumpro" CXX=gcc CXXFLAGS="-O3 -mpentiumpro \
      -felide-constructors -fno-exceptions -fno-rtti" ./configure \
      --prefix=/usr/local/mysql --enable-assembler \
      --with-mysqld-ldflags=-all-static
    make
    make install
    scripts/mysql_install_db
    chown -R root /usr/local/mysql
    chown -R mysql /usr/local/mysql/var
    chgrp -R mysql /usr/local/mysql
    cp support-files/my-medium.cnf /etc/my.cnf
    /usr/local/mysql/bin/safe_mysqld --user=mysql &


3. Configuration Files

There are three files MySQL reads by default for configuration:
    /etc/mysql/my.cnf     Global settings
    DATADIR/my.cnf        Server-specific options
    ~/.my.cnf             User-specific options

The DATADIR directory will be the MySQL data directory, typically
/usr/local/mysql/data or /usr/local/var.

Option files can contain any of the following lines:
    #comment
    [group]
    option
    option=value
    set-variable = variable=value

The standard *nix escape sequences still apply here. All leading
and trailing whitespace is automatically deleted.

A standard configuration file would be:

    [client]
    #password = my_password
    port = 3306
    socket = /var/run/mysqld/mysqld.sock

    [safe_mysqld]
    err-log = /var/log/mysql/mysql.err

    [mysqld]
    #skip-networking
    skip-innodb
    user = mysql
    pid-file = /var/run/mysqld/mysqld.pid
    socket = /var/run/mysqld/mysqld.sock
    port = 3306
    log = /var/log/mysql/mysql.log
    basedir = /usr
    datadir = /var/lib/mysql
    tmpdir = /tmp
    language = /usr/share/mysql/english
    skip-locking
    set-variable = key_buffer=16M
    set-variable = max_allowed_packet=1M
    set-variable = thread_stack=128K

    [mysqldump]
    quick
    set-variable = max_allowed_packet=1M

    [mysql]
    #no-auto-rehash # faster start of mysql but no tab completion

    [isamchk]
    set-variable = key_buffer=16M


4. Securing the Configuration Files

There are many ways to secure MySQL by using the /etc/mysql/my.cnf
configuration file.

o Changing the default port for the server and the clients.
  Set 'port = 3306' to some other value, like 'port = 27098'.
o Use the 'bind-address' variable to bind MySQL only to the
  localhost (127.0.0.1).
      bind-address = 127.0.0.1
o By using the 'skip-name-resolve' directive, clients that
  attempt to authenticate to the server must do so using the
  IP only; that is, DNS resolution will not work for
  authentication. While this isn't a wonderful security
  procedure, it is something that could slow a potential hack.
o The 'safe-show-database' directive will only display
  databases for which the authenticated user has some read/
  write privileges. Otherwise, 'SHOW DATABASES' will return
  every database the system includes.

So a 'more secure' configuration file could be:

    [client]
    port = 40044
    socket = /var/run/mysqld/mysqld.sock

    [safe_mysqld]
    err-log = /var/log/mysql/mysql.err

    [mysqld]
    skip-innodb
    user = mysql
    pid-file = /var/run/mysqld/mysqld.pid
    socket = /var/run/mysqld/mysqld.sock
    port = 40044
    log = /var/log/mysql/mysql.log
    basedir = /usr
    datadir = /var/lib/mysql
    tmpdir = /tmp
    language = /usr/share/mysql/english
    skip-locking
    set-variable = key_buffer=16M
    set-variable = max_allowed_packet=1M
    set-variable = thread_stack=128K
    bind-address = 127.0.0.1
    skip-name-resolve
    safe-show-database

    [mysqldump]
    quick
    set-variable = max_allowed_packet=1M

    [isamchk]
    set-variable = key_buffer=16M


5. What about SSL magic?

MySQL 3.x does not support SSL; MySQL 4.x, however, does. Since the
4.x line was just released, this author does not have much experience
with all the changes and wrote this tutorial for 3.x. Documentation
can be found on MySQL's website at http://www.mysql.com.

However, MySQL 3.x can be used in conjunction with stunnel. stunnel
creates an encrypted tunnel from the client to the server through
which all database transactions can be securely transmitted over the
'net.

stunnel can be obtained from http://www.stunnel.org. It runs on *nix
and Windows boxes so it makes a very useful addition to the MySQL
setup. Compiling and installing is a simple matter of reading the
Install file located in the tar file (or just typing 'emerge
stunnel', though this does not give you the latest version).

stunnel is currently in its fourth major version. On Gentoo it can be
installed by typing:

    emerge /usr/portage/net-misc/stunnel/stunnel-4.x.ebuild

Otherwise, you can download and install stunnel from
http://www.stunnel.org. The basic install procedures are simple enough.
You still need to create the stunnel.pem file, however (used for openssl
encryption). Since Gentoo handles all the installation, there are a few
commands beyond the ordinary you need to run:

    ebuild /usr/portage/net-misc/stunnel/stunnel-4.x.ebuild \
      fetch unpack compile
    cd /var/tmp/portage/stunnel-4.x/work/stunnel/tools/

Now, regardless of operating system, you need to create the stunnel.pem
file:

    make stunnel.pem
    chown root:root stunnel.pem
    chmod 400 stunnel.pem
    cp stunnel.pem /etc/stunnel/stunnel.pem

This procedure will need to be repeated on both client and server.
There will be options you need to type in for stunnel.pem ... simple
enough to BS, so have fun.

For the server, you will have to modify the /etc/stunnel/stunnel.conf
file as such:

    cert = /etc/stunnel/stunnel.pem
    pid = /var/tmp/stunnel/stunnel.pid

    setuid = nobody
    setgid = nobody

    client = no

    [3306]            <-- replace this with your regular mysql port
    accept = 3307     <-- replace this with your mysql ssl port
    connect = 3306    <-- replace this with your regular mysql port

For the client, you will have to modify the /etc/stunnel/stunnel.conf
file as such:

    cert = /etc/stunnel/stunnel.pem
    pid = /var/tmp/stunnel/stunnel.pid

    setuid = nobody
    setgid = nobody

    client = yes

    [3307]                  <-- replace this with your mysql ssl port
    accept = 3306           <-- replace this with your regular mysql port
    connect = server:3307   <-- replace this with your server IP and
                                mysql ssl port
After these files have been modified, start the stunnel daemon. On
Gentoo it can be started by running '/etc/init.d/stunnel start'. Make
sure both the client and the server are running this daemon and that the
server has the mysql engine running.

At this point, simply typing 'mysql -h server -u user -p' should connect
from the client to the server over the SSL connection.

A better reference for stunnel setup can be found at
http://www.freebsddiary.org/stunnel-v3-to-v4.php.
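The script below is an added example and is not part of this handout, nor code from the MySQL or stunnel projects. It ties sections 3, 4 and 5 together from the defender's side: mysqld_option parses an option file using the grammar given in section 3, audit_mycnf reports which of the section 4 hardening directives (non-default port, bind-address, skip-name-resolve, safe-show-database) are actually set in the [mysqld] group, and stunnel_matches_mysqld checks that the server-side stunnel.conf from section 5 forwards to the port mysqld really listens on. The function names are our own, and the config files it reads are constructed inline for the demo; on a real box you would point the functions at /etc/mysql/my.cnf and /etc/stunnel/stunnel.conf.

```shell
#!/bin/sh
# Added example, not part of the LUG@GT handout: audit a my.cnf against the
# section 4 recommendations and cross-check it with the server-side
# stunnel.conf from section 5. Function names are ours and the sample files
# are constructed below; on a real box use /etc/mysql/my.cnf and
# /etc/stunnel/stunnel.conf instead.

# mysqld_option FILE NAME: print NAME's value from the [mysqld] group of FILE
# (the bare name for a flag such as skip-name-resolve, nothing if absent or
# commented out). Follows the section 3 grammar: '#' comments, [group]
# headers, 'option', 'option=value' and 'set-variable = variable=value'.
mysqld_option() {
    awk -v want="$2" '
        /^[ \t]*#/  { next }                                   # comment line
        /^[ \t]*\[/ { ingroup = ($0 ~ /\[mysqld\]/); next }    # group header
        !ingroup    { next }                                   # other group
        {
            line = $0
            sub(/^[ \t]*set-variable[ \t]*=[ \t]*/, "", line)  # set-variable = k=v
            key = line; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (key != want) next
            if (line ~ /=/) {                                  # option=value
                val = line; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val
            } else print key                                   # bare flag
            exit
        }' "$1"
}

# audit_mycnf FILE: print one PASS/FAIL line per section 4 directive; the
# exit status is the number of failures, so 0 means all are in place.
audit_mycnf() {
    fails=0
    port=$(mysqld_option "$1" port)
    if [ -n "$port" ] && [ "$port" != 3306 ]; then
        echo "PASS port moved off the default (port = $port)"
    else
        echo "FAIL port is 3306 or unset"; fails=$((fails + 1))
    fi
    if [ "$(mysqld_option "$1" bind-address)" = 127.0.0.1 ]; then
        echo "PASS bind-address = 127.0.0.1"
    else
        echo "FAIL bind-address does not limit mysqld to localhost"; fails=$((fails + 1))
    fi
    for flag in skip-name-resolve safe-show-database; do
        if [ "$(mysqld_option "$1" "$flag")" = "$flag" ]; then
            echo "PASS $flag"
        else
            echo "FAIL $flag missing"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# stunnel_connect FILE: print the port of the first 'connect =' line,
# dropping a host: prefix (stunnel accepts 'connect = 3306' and 'host:3306').
stunnel_connect() {
    awk -F= '/^[ \t]*connect[ \t]*=/ {
        v = $2; gsub(/[ \t]/, "", v); sub(/.*:/, "", v); print v; exit }' "$1"
}

# stunnel_matches_mysqld MYCNF STUNNELCONF: the server's stunnel must hand
# decrypted connections to the port mysqld really listens on, so once section 4
# moves the port off 3306 the handout's 'connect = 3306' has to change as well.
stunnel_matches_mysqld() {
    [ "$(stunnel_connect "$2")" = "$(mysqld_option "$1" port)" ]
}

# Constructed sample files, laid out like the handout's examples.
DEMO=$(mktemp -d)
HARDENED_CNF="$DEMO/my.cnf"; DEFAULT_CNF="$DEMO/my-default.cnf"; SERVER_STUNNEL="$DEMO/stunnel.conf"
cat > "$HARDENED_CNF" <<'EOF'
[client]
port = 40044

[mysqld]
user = mysql
port = 40044
set-variable = key_buffer=16M
bind-address = 127.0.0.1
skip-name-resolve
safe-show-database
EOF
cat > "$DEFAULT_CNF" <<'EOF'
[mysqld]
#skip-networking
user = mysql
port = 3306
EOF
cat > "$SERVER_STUNNEL" <<'EOF'
client = no
[3306]
accept = 3307
connect = 3306
EOF

for cnf in "$HARDENED_CNF" "$DEFAULT_CNF"; do
    echo "== $cnf"; audit_mycnf "$cnf" || echo "   $? recommendation(s) missing"
done
stunnel_matches_mysqld "$HARDENED_CNF" "$SERVER_STUNNEL" \
    || echo "FAIL stunnel forwards to port $(stunnel_connect "$SERVER_STUNNEL"), not the mysqld port"
```

Run it as-is and it audits the two constructed files: the hardened one passes all four checks, the default one fails all four (commented-out lines such as '#skip-networking' are correctly treated as absent), and the stunnel check flags that the handout's server-side 'connect = 3306' no longer matches a my.cnf that moved mysqld to port 40044. Only the [mysqld] group is consulted, so the 'port' under [client] never masks a missing server setting.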

6. Miscellaneous Notes

Since I didn't have a Redhat box available, I couldn't see how to do
this via RPMs. However, after installing MySQL from the RPMs, you can
still configure all the options in the my.cnf file and can still use
stunnel to route connections over SSL.

The only RPMs for stunnel that I could find were for Rawhide Linux, so I
don't hold any responsibility for faulty installations. :-) I would
definitely suggest either writing your own RPM for the 4.x line (and
publishing it) or just compiling it from source. Very few if any
programs actually have it as a dependency, so you should be good to go
by just downloading the source.

DO NOT UNDER ANY CIRCUMSTANCES USE THE stunnel.pem THAT MIGHT COME WITH
stunnel! It is a standard SSL key that has been distributed all over
the Internet.

Other fault points I have discovered involve using MySQL with PHP.
When PHP code has to access the MySQL database, you need to supply a
username and password. These PHP scripts are usually world readable,
and therefore so is the username and password to access the database.
Special measures outside the scope of this document may be taken when
attempting to secure MySQL with PHP/Apache. Perhaps this can be
discussed in a different presentation, one concerned with securing
web-related applications.
