Tuesday, January 13, 2009

Installing and securing MySQL on FreeBSD

This article describes a hardened installation of a MySQL server on a system running FreeBSD.

MySQL security will be improved by:

- running the mysql server in a chroot environment
- running the mysql server with the rights of a dedicated, unprivileged user
- allowing only local applications to connect to mysql
- blocking anonymous access to the database and deleting the databases that any user could otherwise reach.

MySQL is installed from the ports collection:


[root@host]# cd /usr/ports/databases/mysql40-server
[root@host]# make WITHOUT_INNODB=yes WITH_LINUXTHREADS=yes BUILD_STATIC=yes BUILD_OPTIMIZED=yes install clean


After MySQL has installed successfully, we create the chroot environment:


[root@host]# mkdir -p /chroot/mysql/dev
[root@host]# mkdir -p /chroot/mysql/etc
[root@host]# mkdir -p /chroot/mysql/tmp
[root@host]# mkdir -p /chroot/mysql/var/db
[root@host]# mkdir -p /chroot/mysql/usr/local/libexec
[root@host]# mkdir -p /chroot/mysql/usr/local/bin
[root@host]# mkdir -p /chroot/mysql/usr/local/share/mysql/english


On a FreeBSD 4.x system the /dev/null device has to be created manually inside the chroot:

[root@host]# mknod /chroot/mysql/dev/null c 2 2
[root@host]# chmod 666 /chroot/mysql/dev/null

On a FreeBSD 5.x system there is no need to create it by hand, because devfs is available.
Mount devfs on /chroot/mysql/dev:

[root@host]# /sbin/mount_devfs devfs /chroot/mysql/dev
and add the following line to /etc/fstab:

devfs /chroot/mysql/dev devfs rw 0 0

For security reasons we keep only null visible in /chroot/mysql/dev:


[root@host]# /sbin/devfs -m /chroot/mysql/dev rule apply hide
[root@host]# /sbin/devfs -m /chroot/mysql/dev rule apply path null unhide

Add these two lines to /etc/rc.local so the rules are reapplied at boot.

Next we set the correct permissions:


[root@host]# chown -R root /chroot/mysql
[root@host]# chmod -R 755 /chroot/mysql
[root@host]# chmod 1777 /chroot/mysql/tmp

Copy the system files the MySQL service needs in order to run correctly (name resolution and time zone):


[root@host]# cp /etc/hosts /chroot/mysql/etc/
[root@host]# cp /etc/host.conf /chroot/mysql/etc/
[root@host]# cp /etc/resolv.conf /chroot/mysql/etc/
[root@host]# cp /etc/localtime /chroot/mysql/etc/

Copy the MySQL files into the chroot environment:


[root@host]# cp /usr/local/share/mysql/my-large.cnf /chroot/mysql/etc/my.cnf
(replace my-large.cnf with the sample configuration that best matches your needs and the resources of the machine)


[root@host]# cp /usr/local/libexec/mysqld /chroot/mysql/usr/local/libexec/
[root@host]# cp /usr/local/share/mysql/english/errmsg.sys /chroot/mysql/usr/local/share/mysql/english/
[root@host]# cp -Rp /var/db/mysql /chroot/mysql/var/db
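The chroot preparation above (directory tree, /dev restrictions, ownership and modes, host files) is easy to get subtly wrong, so here is an added example, not part of the original article, that builds the same skeleton under a root directory of your choice and then audits it. The function names (build_mysql_chroot, verify_mysql_chroot, mode_of) are my own. It assumes a POSIX sh; it only changes ownership when run as root, and it leaves the FreeBSD 4.x mknod, the 5.x devfs mount and the copying of MySQL's own binaries and data directory to the manual steps shown above.

```shell
#!/bin/sh
# Added example: build and audit the MySQL chroot skeleton from the article.
# Not the article's own script; assumes POSIX sh and the layout described above.

# Directories the article creates inside the chroot
CHROOT_DIRS="dev etc tmp var/db usr/local/libexec usr/local/bin usr/local/share/mysql/english"

# Host files the article copies so resolver and time zone work inside the jail
HOST_FILES="/etc/hosts /etc/host.conf /etc/resolv.conf /etc/localtime"

# Permission string of a path as printed by ls(1), e.g. drwxrwxrwt
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create the tree, fix ownership/modes (same order as the article), copy host files
build_mysql_chroot() {
    root=$1
    for d in $CHROOT_DIRS; do
        mkdir -p "$root/$d" || return 1
    done
    # chown needs root; skip it so the example still runs unprivileged
    [ "$(id -u)" -eq 0 ] && chown -R root "$root"
    chmod -R 755 "$root" || return 1
    chmod 1777 "$root/tmp" || return 1
    for f in $HOST_FILES; do
        [ -f "$f" ] && cp "$f" "$root/etc/"
    done
    return 0
}

# Check the properties the article relies on; print the first violation found
verify_mysql_chroot() {
    root=$1
    for d in $CHROOT_DIRS; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d"; return 1
        fi
    done
    if [ "$(mode_of "$root/tmp")" != "drwxrwxrwt" ]; then
        echo "tmp must be 1777 (sticky, world-writable), got $(mode_of "$root/tmp")"; return 1
    fi
    for d in etc var/db usr/local/libexec; do
        if [ "$(mode_of "$root/$d")" != "drwxr-xr-x" ]; then
            echo "$d must be 755, got $(mode_of "$root/$d")"; return 1
        fi
    done
    # Only the null device may be visible inside the jail's /dev
    for entry in $(ls -A "$root/dev"); do
        if [ "$entry" != "null" ]; then
            echo "unexpected node in chroot /dev: $entry"; return 1
        fi
    done
    # A setuid binary inside the jail would hand the mysql user a way back up
    if find "$root" -type f -perm -4000 | grep -q .; then
        echo "setuid file found inside chroot"; return 1
    fi
    return 0
}

# Stand-alone use: sh build_chroot.sh /chroot/mysql
if [ -n "$1" ]; then
    build_mysql_chroot "$1" && verify_mysql_chroot "$1" && echo "chroot skeleton at $1 looks sane"
fi
```

Run verify_mysql_chroot again after every later step (copying mysqld, mounting devfs, applying the hide rules); the /dev check in particular is what tells you the "hide everything but null" rules actually took effect.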

We will need chrootuid(8) to continue.
Chrootuid combines chroot(8) and su(1): it runs an application with reduced privileges inside a restricted environment.

Install it, if it is not already present on the system:
[root@host]# cd /usr/ports/security/chrootuid && make install clean


Verify that the installation works by starting the server inside the chroot as the mysql user:
[root@host]# chrootuid /chroot/mysql mysql /usr/local/libexec/mysqld &

Add to ~/.my.cnf, in the [client] group (the client refuses an option that appears before any group header):
[client]
socket = /chroot/mysql/tmp/mysql.sock

so that the client uses the correct socket when connecting.

Then create the file /usr/local/etc/rc.d/mysql.sh with the following content:



#!/bin/sh
# Start/stop the chrooted MySQL server through chrootuid(8).
# SOCKET and PIDFILE are paths as seen from inside the chroot.
CHROOT_MYSQL=/chroot/mysql
SOCKET=/tmp/mysql.sock
MYSQLD=/usr/local/libexec/mysqld
PIDFILE=/var/db/mysql/`hostname`.pid
CHROOTUID=/usr/local/sbin/chrootuid

echo -n " mysql"
case "$1" in
start)
        # a stale socket left by an unclean shutdown keeps mysqld from starting
        rm -f ${CHROOT_MYSQL}${SOCKET}
        # my.cnf was copied to /chroot/mysql/etc/my.cnf, which mysqld reads as
        # /etc/my.cnf inside the chroot; --defaults-extra-file must name a file
        # that exists, so drop it unless you also keep a my.cnf in the data directory
        nohup ${CHROOTUID} ${CHROOT_MYSQL} mysql ${MYSQLD} --defaults-extra-file=/var/db/mysql/my.cnf --user=mysql --datadir=/var/db/mysql --skip-networking --skip-name-resolve --pid-file=${PIDFILE} >/dev/null 2>&1 &
        ;;
stop)
        kill `cat ${CHROOT_MYSQL}${PIDFILE}`
        rm -f ${CHROOT_MYSQL}${SOCKET}
        ;;
*)
        echo ""
        echo "Usage: `basename $0` {start|stop}" >&2
        exit 64
        ;;
esac
exit 0


and delete the file /usr/local/etc/rc.d/mysql-server.sh installed by the port, so that only the chrooted instance is started.

After starting MySQL, set a password for the root user (name the host explicitly, otherwise the statement applies to root@'%' rather than the local account):


mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('VhYH00F3yU');
Query OK, 0 rows affected (0.00 sec)

Then delete the test database as well as every account other than root@localhost (this removes the anonymous accounts and any root entry reachable from another host), and reload the grant tables so the change takes effect immediately:


mysql> drop database test;
Query OK, 0 rows affected (0.00 sec)

mysql> delete from mysql.user where not (host="localhost" and user="root");
Query OK, 3 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;

To keep users from reading files they are not authorized to see through the
"LOAD DATA LOCAL INFILE" command, add the following line to the [mysqld] section of
/chroot/mysql/etc/my.cnf:


set-variable=local-infile=0
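Once the rc script is in place and the SQL clean-up above is done, it is worth checking that the server really ended up in the state the article aims for: running as mysql, no TCP listener (--skip-networking), socket inside the chroot, local-infile off, and only root@localhost left in mysql.user. The script below is an added example, not part of the original article. Each check is a pure function over the text of a command's output, so it can be exercised on the constructed samples embedded in the block; audit_live_server gathers the real output and assumes FreeBSD's sockstat(1) and ps(1) column layout, the socket and pid-file paths from the rc script, and that the mysql client can authenticate as root (it prompts for the password set above). The function names are my own.

```shell
#!/bin/sh
# Added example: audit a chrooted mysqld against the article's hardening goals.
# Not the article's own script; the check functions take command output as $1
# so they can be tested offline, audit_live_server runs them on a FreeBSD host.

SOCK=/chroot/mysql/tmp/mysql.sock
PIDFILE=/chroot/mysql/var/db/mysql/$(hostname).pid

# --skip-networking: no "mysqld" entry in the list of listening sockets.
# $1 is the text of "sockstat -4 -6 -l" (columns: USER COMMAND PID FD PROTO ...).
no_tcp_listener() {
    printf '%s\n' "$1" | awk '$2 == "mysqld" { found = 1 } END { exit found ? 1 : 0 }'
}

# chrootuid dropped privileges: $1 is the output of "ps -o user= -p PID".
runs_as_mysql() {
    [ "$(printf '%s\n' "$1" | awk 'NR == 1 { print $1 }')" = "mysql" ]
}

# local-infile=0 took effect: $1 is the tab-separated output of
# mysql -e "SHOW VARIABLES LIKE 'local_infile'".
local_infile_off() {
    [ "$(printf '%s\n' "$1" | awk -F '\t' '$1 == "local_infile" { print $2 }')" = "OFF" ]
}

# Only root@localhost survived the DELETE: $1 is the tab-separated output of
# mysql -e "SELECT user, host FROM mysql.user" (header line first). An anonymous
# account shows up as an empty first column, hence the explicit tab separator.
only_local_root() {
    printf '%s\n' "$1" | awk -F '\t' \
        'NR > 1 && !($1 == "root" && $2 == "localhost") { bad = 1 } END { exit bad ? 1 : 0 }'
}

# Constructed samples (not captured from a real host) in the formats above
SAMPLE_SOCKSTAT_CLEAN='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*'
SAMPLE_SOCKSTAT_BAD="$SAMPLE_SOCKSTAT_CLEAN
mysql    mysqld     700   10 tcp4   *:3306                *:*"
SAMPLE_INFILE_OFF=$(printf 'Variable_name\tValue\nlocal_infile\tOFF')
SAMPLE_USERS_OK=$(printf 'user\thost\nroot\tlocalhost')
SAMPLE_USERS_ANON=$(printf 'user\thost\nroot\tlocalhost\n\tlocalhost')

# Exercise every check on the constructed samples; returns 0 when all behave
self_test() {
    no_tcp_listener "$SAMPLE_SOCKSTAT_CLEAN" || return 1
    no_tcp_listener "$SAMPLE_SOCKSTAT_BAD" && return 1
    runs_as_mysql "mysql" || return 1
    runs_as_mysql "root" && return 1
    local_infile_off "$SAMPLE_INFILE_OFF" || return 1
    only_local_root "$SAMPLE_USERS_OK" || return 1
    only_local_root "$SAMPLE_USERS_ANON" && return 1
    return 0
}

# Run the checks against the live server (FreeBSD, as root)
audit_live_server() {
    pid=$(cat "$PIDFILE") || { echo "no pid file at $PIDFILE"; return 1; }
    runs_as_mysql "$(ps -o user= -p "$pid")" || { echo "mysqld is not running as mysql"; return 1; }
    no_tcp_listener "$(sockstat -4 -6 -l)" || { echo "mysqld is listening on TCP"; return 1; }
    [ -S "$SOCK" ] || { echo "socket $SOCK missing"; return 1; }
    local_infile_off "$(mysql -S "$SOCK" -u root -p -e "SHOW VARIABLES LIKE 'local_infile'")" \
        || { echo "local_infile is still enabled"; return 1; }
    only_local_root "$(mysql -S "$SOCK" -u root -p -e "SELECT user, host FROM mysql.user")" \
        || { echo "accounts other than root@localhost exist"; return 1; }
    echo "all checks passed"
}

case "$1" in
    --live) audit_live_server ;;
    --self-test) self_test && echo "self-test ok" ;;
esac
```

Run it with --self-test on any machine and with --live on the FreeBSD host after each restart; a failure of only_local_root right after the DELETE usually means FLUSH PRIVILEGES was skipped, and a failure of no_tcp_listener means the rc script lost its --skip-networking option.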

These measures do not guarantee that the MySQL server cannot become a hole in the system's security, but they at least make compromising it considerably harder.

-------------------------------------------------------------------------------------
|A few commands for working with a MySQL DB:
-------------------------------------------------------------------------------------
| SHOW DATABASES; - list the existing databases
| SHOW TABLES [FROM database]; - list the tables in a database
| SHOW GRANTS FOR user [FROM database]; - a user's privileges on the DB
| SHOW VARIABLES; - the values of all server variables
| SHOW [FULL] PROCESSLIST; - the mysqld thread/process statistics
| SHOW STATUS; - all available statistics
-------------------------------------------------------------------------------------
| ...
| Changing a MySQL user's password (the UPDATE bypasses the grant cache, so reload it)
| UPDATE mysql.user set password=PASSWORD('parola') where user='user';
| FLUSH PRIVILEGES;
-------------------------------------------------------------------------------------
