Solved

How to protect DB file of mysql DB

Posted on 2011-03-23
9
358 Views
Last Modified: 2012-05-11
I want to protect mysql DB

Because, any one have root access of OS can reset root password of mysqldb, and have fullright accesss to all DBs

Is there any way to protect this?

Thank you!
0
Comment
Question by:redstar01
  • 4
  • 4
9 Comments
 
LVL 1

Accepted Solution

by:
greenbug2002 earned 100 total points
ID: 35197025
not really if you have physical access to the box bottom line if your sufficiently skilled you can get the data on it best way is an independent VMware solution with you controlling the physical hardware and all the non-trusted users on there own VMware image then put the server in a physically secure place
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 200 total points
ID: 35197479
Normally, no. Root access of a *nix server is absolute; you shouldn't give root access to anyone you can't trust.

More modern *nix operating systems have a system of either ACL or FACLs that can give this effect, although with enough work the root user can get around it (and you must remember that the root user can *always* use su to assume the identity of another user without knowing their password) but to be honest its not much more than a speed bump.

what would really be needed is some sort of userspace encrypted file system that uses a redirection library to encrypt the data - now, mysql could probably support something like that (after all, the backend code is available) but it means compiling your own executables or finding something that substitutes for file read/write calls with its own code (and some way of supplying the password at startup)
0
 
LVL 6

Assisted Solution

by:Ferrosti
Ferrosti earned 200 total points
ID: 35199195
Make sure root@localhost is not allowed to access mysql, especially without password.
This prevents root to read (select) data from your db. Though root would still be able to copy mysqls  data files somewhere and setup an own mysql server with respective permissions and read these files there.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 200 total points
ID: 35199708
Ferrosti: unfortunately, as the querient says, the root can just stop the service, restart it with auth disabled, and set up a superuser account of his choice on there.
0
 
LVL 6

Assisted Solution

by:Ferrosti
Ferrosti earned 200 total points
ID: 35200125
@DaveHowe:
This is for sure. But this system seems quite important, so a stop, change, etc. would most likely be seen immediately.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35200600
@Ferrosti: depends I guess. if you script it, and it would be over and done with in under three seconds (I just checked :)

one thing that does appear possible is if the files aren't local, but on a kerberos-secured NFS share - however, I suspect the performance hit there would be significant, and reboots (with logging back in to restart the session at the command line so you can supply the kinit credentials) would be a nightmare.
0
 
LVL 6

Expert Comment

by:Ferrosti
ID: 35200630
@DaveHowe
I think we are talking about the same when when you agree to: If 'root' aint trustworthy you d have a bunch more problems than your DB only.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35202338
Yup. you can do encrypted volumes to stop people bypassing the auth and booting from a cd or something, but if someone you don't trust has root on your box, you are toast.
0
 
LVL 6

Expert Comment

by:Ferrosti
ID: 35207720
Encrypted volumes would prevent root from rebooting (mount is needed after boot) as well as certain kinds of backup. I won´t go for that.
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

More Fun with XML and MySQL – Parsing Delimited String with a Single SQL Statement Are you ready for another of my SQL tidbits?  Hopefully so, as in this adventure, I will be covering a topic that comes up a lot which is parsing a comma (or other…
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now