[debian-mysql] Setting secure-file-priv in my.cnf
Norvald Ryeng
norvald.ryeng at oracle.com
Wed Mar 12 16:17:45 UTC 2014
Hi,
As I mentioned in the vUDS session, we're looking at security hardening
the default MySQL installation, and one thing that came up was the
secure-file-priv option, see
https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-file-priv
and
https://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_file.
LOAD DATA, LOAD FILE() and SELECT ... INTO OUTFILE will cause the server
to import or export data. Since the server runs as mysql:mysql, it can
read from and write to /var/lib/mysql, which is not a good idea.
Therefore, I suggest we set secure-file-priv in my.cnf. The question is
where to put the directory. A directory inside /var/lib/mysql will be
interpreted as a new database, so that won't work.
One suggestion is /var/spool/mysql. Import and export data is not
exactly spool data, but it fits the description in the FHS: "/var/spool
contains data which is awaiting some kind of later processing. Data in
/var/spool represents work to be done in the future (by a program, user,
or administrator); often data is deleted after it has been processed."
Another option is /var/lib/mysql-import-export (or some other directory
in /var/lib), but, strictly speaking, the import/export data is not
really state information either.
What do you think? Is one better than the other? Other suggestions?
We'll have to ask for an SELinux policy change for this, so I want to
make sure we pick the right place for this directory from the start.
Regards,
Norvald H. Ryeng
More information about the pkg-mysql-maint
mailing list