Monday, November 21, 2005

Minimum Privileges: mysqlhotcopy

I'm setting up a MySQL server to run the database from a ramdrive (tmpfs). In order to protect the data, the system has to replicate the database in memory to the drive. The utility, mysqlhotcopy, can be used for this by adding it to a crontab. In my configuration, I'll copy the database to disk every 20 minutes. As my database is primarily read-only, if there were a crash, at worst I'd lose only a few updates.

The problem is that mysqlhotcopy requires a username and password, which must be issued on the command line. Since the command is stored in a crontab, the authentication information is stored in the clear. If someone were to compromise the machine, I don't want to give them a free ride to the database.

The solution is to create a dummy account with minimum privileges. For my dummy account I set all privileges to 'N' except:
    Select_priv='Y'
    Reload_priv='Y'
    Lock_tables_priv='Y'

This allows mysqlhotcopy to replicate the data to disk, but limits an intruder to switching the database to read only.
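The same account expressed as GRANT statements, with two checks that nothing else was granted. This is an added example, not part of the original post; the account name `hotcopy`, the host `localhost` and the password are placeholders.

```sql
-- Added example: account name, host and password are placeholders (assumptions).
-- CREATE USER starts the account with every privilege column at 'N'.
CREATE USER 'hotcopy'@'localhost' IDENTIFIED BY 'CHANGE_ME_PLACEHOLDER';

-- RELOAD is a global (server-level) privilege, so it can only be granted ON *.*.
-- SELECT and LOCK TABLES are granted globally here to match the three
-- columns set to 'Y' in mysql.user above.
GRANT SELECT, RELOAD, LOCK TABLES ON *.* TO 'hotcopy'@'localhost';

-- Check 1: list the grants held by the account.
SHOW GRANTS FOR 'hotcopy'@'localhost';

-- Check 2: compare the three granted columns against write and
-- administrative columns that the backup account has no use for.
SELECT User, Host,
       Select_priv, Reload_priv, Lock_tables_priv,   -- granted above
       Insert_priv, Update_priv, Delete_priv,        -- data modification
       Drop_priv, File_priv, Grant_priv, Super_priv  -- administrative
FROM mysql.user
WHERE User = 'hotcopy' AND Host = 'localhost';
```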
