[Fedora-packaging] Setting secure-file-priv in my.cnf
Honza Horak
hhorak at redhat.com
Mon Feb 24 11:52:25 UTC 2014
Hi Norvald,
generally, I like the idea about using secure-file-priv, but I don't
like /var/spool very much, since even if the FHS describes this one quite
generally, it is not used that way in practice. I also don't think we
have to use something other than /var/lib; just a new directory
other than /var/lib/mysql could be used, something like
/var/lib/mysql-common maybe? -- that directory would also be covered by
the current SELinux context definition /var/lib/mysql(/.*), so the daemon
would be able to access that directory without adjusting the SELinux
context rules.
Since this is mostly a packaging issue, I'm also cc'ing Fedora's
packaging list to see if someone else has a better idea.
Regards,
Honza
On 02/18/2014 10:31 AM, Norvald H. Ryeng wrote:
> Hi Honza,
>
> We're looking at security hardening the default installation, and one
> thing that came up was the secure-file-priv option, see
> https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-file-priv
> and
> https://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html#priv_file.
>
> LOAD DATA, LOAD_FILE() and SELECT ... INTO OUTFILE will cause the server
> to import or export data. Since the server runs as mysql:mysql, it can
> read from and write to /var/lib/mysql, which is not a good idea.
> Therefore, I suggest we set secure-file-priv in my.cnf. The question is
> where to put the directory. A directory inside /var/lib/mysql will be
> interpreted as a new database, so that won't work.
>
> One suggestion is /var/spool/mysql. Import and export data is not
> exactly spool data, but it fits the description in the FHS: "/var/spool
> contains data which is awaiting some kind of later processing. Data in
> /var/spool represents work to be done in the future (by a program, user,
> or administrator); often data is deleted after it has been processed."
>
> What do you think?
>
> We'll have to ask for an SELinux policy change for this, so I want to
> make sure we pick the right place for this directory from the start.
>
> Regards,
>
> Norvald H. Ryeng
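The two constraints raised in this thread (the directory must not sit inside the datadir, or mysqld treats it as a schema; and it must carry a label the mysqld domain can reach) can both be checked before a package ships. The script below is an added example written for this page, not code from the thread, Fedora or MySQL. It uses the paths proposed above, assumes the Fedora mysql.fc pattern is /var/lib/mysql(/.*)? with the trailing "?", and emulates matchpathcon with an anchored grep because libselinux anchors every file_contexts regex with ^ and $ (so a sibling directory that merely shares the prefix is not automatically covered; confirm on a real box with matchpathcon). The label commands it prints need root and policycoreutils and are not run by the script.

```shell
#!/bin/sh
# Added example (not part of the thread): sanity checks for choosing a
# secure-file-priv directory and rendering the my.cnf fragment.

# 1. A directory inside the datadir is seen by mysqld as a database, so
#    reject it. Prints "ok" or the reason the candidate is unsuitable.
check_placement() {
    datadir=$1
    candidate=$2
    case $candidate in
        "$datadir")   echo "rejected: same as datadir" ;;
        "$datadir"/*) echo "rejected: inside datadir" ;;
        /*)           echo "ok" ;;
        *)            echo "rejected: not absolute" ;;
    esac
}

# 2. file_contexts regexes are anchored (libselinux wraps them in ^...$),
#    so a pattern either matches the whole path or not at all. This
#    emulates matchpathcon for one pattern. Prints "covered"/"not covered".
fcontext_covers() {
    pattern=$1
    path=$2
    if printf '%s\n' "$path" | grep -Eq "^${pattern}"'$'; then
        echo "covered"
    else
        echo "not covered"
    fi
}

# 3. The my.cnf fragment to ship once the directory is settled.
render_mycnf() {
    printf '[mysqld]\nsecure-file-priv=%s\n' "$1"
}

# 4. What the packager or admin runs to create and label the directory if
#    the existing pattern does not cover it (needs root; only printed here).
#    Ownership mysql:mysql follows the thread; mode is left to site policy.
label_commands() {
    dir=$1
    cat <<EOF
mkdir -p $dir
chown mysql:mysql $dir
semanage fcontext -a -t mysqld_db_t '$dir(/.*)?'
restorecon -Rv $dir
matchpathcon $dir
EOF
}

# Demo run: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    check_placement /var/lib/mysql /var/lib/mysql/import
    check_placement /var/lib/mysql /var/lib/mysql-common
    fcontext_covers '/var/lib/mysql(/.*)?' /var/lib/mysql/ibdata1
    fcontext_covers '/var/lib/mysql(/.*)?' /var/lib/mysql-common
    render_mycnf /var/lib/mysql-common
    label_commands /var/lib/mysql-common
fi
```

After restarting mysqld with the fragment in place, SHOW VARIABLES LIKE 'secure_file_priv' should report the chosen directory, and a SELECT ... INTO OUTFILE targeting a file under /var/lib/mysql should fail with ERROR 1290 (the server is running with --secure-file-priv), which is the behaviour the hardening is meant to produce.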