• Status: Solved
  • Priority: Medium
  • Security: Public

How to protect DB file of mysql DB

I want to protect mysql DB

Because anyone who has root access to the OS can reset the root password of the MySQL DB and have full-rights access to all DBs.

Is there any way to protect this?

Thank you!
Asked by: redstar01
5 Solutions
 
greenbug2002 commented:
Not really. If you have physical access to the box, bottom line: if you're sufficiently skilled, you can get the data on it. The best way is an independent VMware solution, with you controlling the physical hardware and all the non-trusted users on their own VMware image; then put the server in a physically secure place.
0
 
Dave Howe (Software and Hardware Engineer) commented:
Normally, no. Root access of a *nix server is absolute; you shouldn't give root access to anyone you can't trust.

More modern *nix operating systems have a system of either ACL or FACLs that can give this effect, although with enough work the root user can get around it (and you must remember that the root user can *always* use su to assume the identity of another user without knowing their password), but to be honest it's not much more than a speed bump.

What would really be needed is some sort of userspace encrypted file system that uses a redirection library to encrypt the data. Now, mysql could probably support something like that (after all, the backend code is available), but it means compiling your own executables or finding something that substitutes for file read/write calls with its own code (and some way of supplying the password at startup).
0
 
Ferrosti commented:
Make sure root@localhost is not allowed to access mysql, especially without a password.
This prevents root from reading (selecting) data from your db. Though root would still be able to copy mysql's data files somewhere, set up their own mysql server with the respective permissions, and read these files there.
0
 
Dave Howe (Software and Hardware Engineer) commented:
Ferrosti: unfortunately, as the querent says, the root can just stop the service, restart it with auth disabled, and set up a superuser account of his choice on there.
0
 
Ferrosti commented:
@DaveHowe:
This is for sure. But this system seems quite important, so a stop, change, etc. would most likely be seen immediately.
0
 
Dave Howe (Software and Hardware Engineer) commented:
@Ferrosti: Depends, I guess. If you script it, it would be over and done with in under three seconds (I just checked :)

One thing that does appear possible is if the files aren't local, but on a Kerberos-secured NFS share. However, I suspect the performance hit there would be significant, and reboots (with logging back in to restart the session at the command line so you can supply the kinit credentials) would be a nightmare.
0
 
Ferrosti commented:
@DaveHowe
I think we are talking about the same thing when you agree to: If 'root' ain't trustworthy, you'd have a bunch more problems than your DB only.
0
 
Dave Howe (Software and Hardware Engineer) commented:
Yup. You can do encrypted volumes to stop people bypassing the auth and booting from a CD or something, but if someone you don't trust has root on your box, you are toast.
0
 
Ferrosti commented:
Encrypted volumes would prevent root from rebooting (mount is needed after boot) as well as certain kinds of backup. I won't go for that.
0
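
The thread's point that a stop-and-restart "would most likely be seen" only holds if something is actually looking for it. As an added example (not code from any poster in this thread), the Python check below flags a mysqld process or option file that has the grant tables disabled; it assumes the auth-disabled restart uses MySQL's documented `skip-grant-tables` option, and the sample command lines and config text are constructed.

```python
import re

_OFF = {"0", "off", "false"}             # values that switch the option back off
_SERVERS = {"mysqld", "mysqld_safe"}     # binaries whose argv we care about
_GROUPS = {"mysqld", "server"}           # option-file groups that mysqld reads

# Constructed samples (not taken from a real host).
SAMPLE_CMDLINES = [
    "/usr/sbin/mysqld\0--daemonize\0--pid-file=/run/mysqld/mysqld.pid\0",
    "/usr/sbin/mysqld\0--skip_grant_tables\0--skip-networking\0",
    "/usr/bin/vim\0--skip-grant-tables\0",
]
SAMPLE_CNF = """[client]
skip-grant-tables
[mysqld]
datadir=/var/lib/mysql
# skip-grant-tables
skip_grant_tables = 1
"""


def _is_auth_bypass(token):
    """True if one option token enables skip-grant-tables ('-' and '_' are interchangeable)."""
    name, _, value = token.lstrip("-").partition("=")
    if name.strip().lower().replace("_", "-") != "skip-grant-tables":
        return False
    return value.strip().lower() not in _OFF


def scan_cmdline(raw):
    """Check one /proc/<pid>/cmdline blob (NUL-separated argv) for the bypass."""
    argv = [a for a in raw.split("\0") if a]
    if not argv or argv[0].rsplit("/", 1)[-1] not in _SERVERS:
        return False
    return any(a.startswith("--") and _is_auth_bypass(a) for a in argv[1:])


def scan_config(text):
    """Return the line numbers in an option file that enable the bypass for mysqld."""
    hits, group = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            group = header.group(1).strip().lower()
        elif group in _GROUPS and _is_auth_bypass(line):
            hits.append(lineno)
    return hits
```

A polling scan can miss a restart that is over in a few seconds, so the same match is better applied to process-start audit records shipped to a host that the local root account does not control.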
Question has a verified solution.
