mysql and the user it runs under

Post by Basher52 » Mon Dec 11, 2006 5:10 am

I just saw that my daemon runs under root, and that ain't good.

[root@FTP ~]# ps auxw|grep mysqld
root 9515 0.0 0.0 3940 608 pts/5 R+ 12:06 0:00 grep mysqld

I usually don't have mysqld autostart, I do that manually, well so far anyways.
So when I start it using: service mysqld start
it will run under root. Can I somehow set it to run under another user, and what's the best user for it?
'nobody' maybe?

(got the same problem with httpd too)

Post by Void Main » Mon Dec 11, 2006 7:17 am

The initial daemons need to be run under root, especially in the case of Apache. The reason Apache specifically needs to start as root is because it has to bind to a low port (ports 1024 and less are low ports) which requires root level authority. However, this isn't all that bad because any time a new connection request is made a child process is spawned and run under a user with less than root authority. So when you do a process list and grep for all of the Apache processes you should see one running under root and the rest running under another ID:

$ ps -ef | grep httpd
root      2499     1  0 Dec08 ?        00:00:01 /usr/sbin/httpd
apache   24070  2499  0 Dec10 ?        00:02:50 /usr/sbin/httpd
apache   24071  2499  0 Dec10 ?        00:02:41 /usr/sbin/httpd
apache   24072  2499  0 Dec10 ?        00:02:59 /usr/sbin/httpd
apache   24073  2499  0 Dec10 ?        00:02:39 /usr/sbin/httpd
apache   24074  2499  0 Dec10 ?        00:02:47 /usr/sbin/httpd
apache   24075  2499  0 Dec10 ?        00:03:10 /usr/sbin/httpd
apache   24076  2499  0 Dec10 ?        00:02:40 /usr/sbin/httpd
apache   24077  2499  0 Dec10 ?        00:03:00 /usr/sbin/httpd
apache    4711  2499  0 Dec10 ?        00:02:38 /usr/sbin/httpd
apache    4760  2499  0 Dec10 ?        00:02:27 /usr/sbin/httpd
apache    4817  2499  0 Dec10 ?        00:02:40 /usr/sbin/httpd
apache    4898  2499  0 Dec10 ?        00:02:41 /usr/sbin/httpd
apache   11193  2499  0 Dec10 ?        00:02:17 /usr/sbin/httpd
apache   16298  2499  0 Dec10 ?        00:01:53 /usr/sbin/httpd
apache   25532  2499  0 Dec10 ?        00:01:33 /usr/sbin/httpd
apache   23906  2499  0 07:11 ?        00:00:00 /usr/sbin/httpd
apache   23907  2499  0 07:11 ?        00:00:01 /usr/sbin/httpd
apache   23909  2499  0 07:11 ?        00:00:00 /usr/sbin/httpd
apache   23910  2499  0 07:11 ?        00:00:00 /usr/sbin/httpd
apache   23911  2499  0 07:11 ?        00:00:00 /usr/sbin/httpd
voidmain 24135 23973  0 07:16 pts/0    00:00:00 grep httpd

Notice the parent process for all of the children is the one running as root.
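
The parent/child check described in the post above, as an added example that is not part of the original post: it labels each process of a daemon from `ps` rows so that a worker still running as root stands out. The function name, the labels and the sample rows are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Reads "USER PID PPID COMMAND" rows on stdin, as printed by
#   ps -eo user,pid,ppid,comm
# and labels every process of daemon NAME:
#   PARENT              root-owned, parent is not another NAME process
#   WORKER              child of a NAME process, running unprivileged
#   ROOT_WORKER         child of a NAME process that still runs as root
#   UNPRIVILEGED_PARENT top-level NAME process not running as root
classify_daemon() {
    awk -v name="$1" '
        $4 == name { user[$2] = $1; ppid[$2] = $3; order[++n] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (ppid[p] in user)
                    kind = (user[p] == "root") ? "ROOT_WORKER" : "WORKER"
                else
                    kind = (user[p] == "root") ? "PARENT" : "UNPRIVILEGED_PARENT"
                print kind, p, user[p]
            }
        }'
}

# Constructed sample rows (not taken from a real host); PID 3003 is the
# misconfiguration the check exists to catch.
sample_ps() {
    cat <<'EOF'
USER PID PPID COMMAND
root 3000 1 httpd
apache 3001 3000 httpd
apache 3002 3000 httpd
root 3003 3000 httpd
someuser 4000 3999 grep
EOF
}

sample_ps | classify_daemon httpd
# On a live system: ps -eo user,pid,ppid,comm | classify_daemon httpd
```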

Post by Basher52 » Tue Dec 12, 2006 1:12 am

oh, hehe :oops: I wasn't smart enough to do 'ps' when I had made a connection to it, lol
Well, I do see the same as you, it runs the new processes under 'apache'. Then I got a follow-up question: to set maximum protection against hacking etc. unless using .htaccess and other things, should/could I 'chown' all files and folders to the group/user 'apache'?
I have done this already in my testing and it works, but I haven't found any data telling me whether this is a good thing or not.

Post by Void Main » Tue Dec 12, 2006 1:30 am

Basher52 wrote: i got a follow up question, to set maximum protection against hacking etc unless using .htaccess and other things, should/could i 'chown' all files and folder to the group/user 'apache'.

Absolutely not. That's the absolute worst thing you can do for security. The funny part about this is I have seen tutorials that tell you to do just that. I have to send the authors of such tutorials messages ripping them a new one when I see it.

Think about what happens if someone were to exploit a buffer overflow in your Apache daemon and gain a shell. Or even easier, exploit a vulnerability in one of your many PHP or any other CGI scripts. What UserID will this shell be running under? That's right, the user "apache". Now, if you are logged on as the user "apache" what files and directories can you write to and what files can't you write to? Obviously anything owned by the user "apache" is fair game and expect a defacing right off the bat, if you're lucky that is. So believe it or not it is *most* secure if the directories/files are owned by root and only have read permission wherever possible. Give the minimum amount of permissions that you possibly can.

To tell you the truth I usually set the ownership to my personal local user account (e.g. voidmain) on directories that I personally want to work. That way I can log on as user voidmain and make any changes necessary to files in my web directories and not have to switch user to root, AND the apache user doesn't have permission to write/change anything. That's probably the optimal way to do it.

So most directories are set owner:group voidmain:voidmain and rwxr-xr-x and most files are voidmain:voidmain rw-r--r--. In this case someone would have to either get access to my local "voidmain" account or "root" before anything could be changed. I really prefer to set my machines up so I don't have to become root for normal development/web type stuff.
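
An audit of the ownership layout described in the post above, as an added example that is not part of the original post: it lists every file and directory under a web root that the web server account could modify. The function names, the labels, the account name `apache` used in the demo and the sample tree are constructed for illustration; GNU find is assumed.

```bash
#!/usr/bin/env bash
# Added example. Usage: audit_webroot DIR WEB_USER [WEB_GROUP]
# Prints "REASON<TAB>path" for everything the web server account can change.
# Needs GNU find (-printf); names containing tabs or newlines are not handled.
audit_webroot() {
    local root="$1" web_user="$2" web_group="${3:-$2}"
    find "$root" \( -type f -o -type d \) -printf '%u\t%g\t%m\t%p\n' |
    awk -F'\t' -v u="$web_user" -v g="$web_group" '
        function writable(digit) { return int(digit / 2) % 2 == 1 }
        {
            n = length($3)                  # %m is octal, e.g. 644 or 2775
            other = substr($3, n, 1) + 0
            group = (n >= 2) ? substr($3, n - 1, 1) + 0 : 0
            if ($1 == u)                         print "OWNED_BY_WEB_USER\t" $4
            else if ($2 == g && writable(group)) print "GROUP_WRITABLE\t" $4
            else if (writable(other))            print "WORLD_WRITABLE\t" $4
        }'
}

# Constructed sample tree using the modes from the post (dirs rwxr-xr-x,
# files rw-r--r--) plus one deliberately loose upload directory.
make_sample_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/html/uploads"
    printf '<?php echo "hi";\n' > "$d/html/index.php"
    chmod 755 "$d" "$d/html"
    chmod 644 "$d/html/index.php"
    chmod 777 "$d/html/uploads"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
owner=$(find "$tree" -maxdepth 0 -printf '%u')
echo "== server account 'apache' (hypothetical), files owned by someone else =="
audit_webroot "$tree" apache
echo "== server account is the file owner, i.e. after a chown to that account =="
audit_webroot "$tree" "$owner"
rm -rf "$tree"
```

An empty result for the real server account means a shell running as that account has nothing under the web root it can rewrite.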

Post by Basher52 » Tue Dec 12, 2006 2:40 am

Very informative post :) Thanks for clearing this up.
When I "prod" this I will for certain chown the dirs/files to a "normal" user as you said :)

Post by Basher52 » Fri Nov 08, 2019 12:14 pm

OK, now 13 years later I'm here again, now with SELinux in Enforcing. I used to just turn SELinux off or make it permissive but now I'm convinced to use it and it makes my b*tt hurt a bit :lol:

I need to set a website up for my sis and am using WordPress for that.
I found a super YT-vid about SELinux: https://www.youtube.com/watch?v=_WOKRaM-HI4 and I set it as it should be and it seems to work.

Now the bad part of WordPress is that it can't download updates through anything else than FTP/FTPS, I soooo wish they could add SFTP, then it should work as it is, but it won't, so now I'm trying to set a vsftpd up and it seems that it can't see inside that var/www/html/masensts directory so my first guess is SELinux. I can't change the context to anything else than httpd and that is understandable. This might just be a misunderstanding of vsftpd and its settings so.... I can't be sure so I'm still trying to figure this out.

I also before had a big argument with some other Linux 'dudes' that just told me to set the owner to be Apache:Apache. But I first told them that I know a Linux dude that knows everything about Linux, namely 'Voidmain' (no name told to them tho) that I should NEVER EVER do that and they just asked me to contact you to tell you that you're wrong but I won't do it. Is this issue still the same? that I should never ever set the owner to Apache? For me it sure sounds like it as you described it before.

Questions to sum up:
1st, owner of web files, still never ever Apache? (I'm still not doing that until YOU (Voidmain), and no one else than you, tell me otherwise)
2nd, how do the web hosting services handle this with httpd-files and ftp into it? Do they let httpd look inside the home dir of the user or the other way around? I want this to be as easy as possible on my test server but also as close to the hosting server that it will be landing on later on.


I'm also gonna try all this again with permissive and see if it works and then later do the 'audit2allow' and see if the error really is in SELinux cos I'm starting to doubt it now....