- renamed 'mysql_hardening_mysql_conf' var to 'mysql_hardening_mysql_… #22
Conversation
agno01
commented
Oct 14, 2016
agno01
commented
- renamed 'mysql_hardening_mysql_conf' var to 'mysql_hardening_mysql_conf_file'
- introduced 'mysql_hardening_mysql_conf_dir' variable
- set default value of 'mysql_hardening_mysql_conf_dir' variable for RedHat, OracleLinux, Debian
- changed default hardcoded full path in 'mysql_hardening_hardening_conf' var to be based on 'mysql_hardening_mysql_conf_dir' var
…conf_file' - introduced 'mysql_hardening_mysql_conf_dir' variable - set default value of 'mysql_hardening_mysql_conf_dir' variable for RedHat, OracleLinux, Debian - changed default hardcoded full path in 'mysql_hardening_hardening_conf' var to be based on 'mysql_hardening_mysql_conf_dir' var
|
Thanks for that, I'm going to take a look. Since this would be a breaking change, I'd like to hold on to this PR when he some more features. |
…o list files and apply custom configuration, otherwise it doesn't apply it
| @@ -1,16 +1,16 @@ | |||
| --- | |||
|
|
|||
| - name: protect my.cnf | |||
| file: path='{{mysql_hardening_mysql_conf}}' mode=0600 owner=root group=root follow=yes | |||
| file: path='{{mysql_hardening_mysql_conf_file}}' mode=0600 owner=root group=root follow=yes | |||
There was a problem hiding this comment.
About second commit in this PR: On untouched installations of MariaDB/MySQL the permissions of /etc/my.cnf include read for others, that's why mysql process can read config files. However, when we restrict it to 0600 root:root, mysql process can't read it. This should be fixed, but what would be the best way? 0460 mysql:root, 0640 root:mysql or even 0400 mysql:root would do, since root can read it in any case.
There was a problem hiding this comment.
Does the mysql unpriviliged process has to be able to read the config files? MySQL itself is started as root and then creates a child process running as user mysql.
| @@ -1,2 +1,3 @@ | |||
| mysql_daemon: mysql | |||
| mysql_hardening_mysql_conf: '/etc/mysql/my.cnf' | |||
| mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf' | |||
| mysql_hardening_mysql_conf_dir: '/etc/mysql/conf.d' | |||
There was a problem hiding this comment.
Shouldn't this be mysql_hardening_mysql_confd_dir (with a d after conf) since its the conf.d directory?
/etc/mysql/ is the mysql_hardening_mysql_conf_dir.
| @@ -5,7 +5,7 @@ mysql_hardening_enabled: yes | |||
| mysql_hardening_user: 'mysql' | |||
| mysql_hardening_group: 'root' | |||
| mysql_datadir: '/var/lib/mysql' | |||
| mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf' | |||
| mysql_hardening_hardening_conf: '{{mysql_hardening_mysql_conf_dir}}/hardening.cnf' | |||
There was a problem hiding this comment.
To be consistent, this variable should be named mysql_hardening_mysql_hardening_conf_file.
| @@ -1,16 +1,16 @@ | |||
| --- | |||
|
|
|||
| - name: protect my.cnf | |||
| file: path='{{mysql_hardening_mysql_conf}}' mode=0600 owner=root group=root follow=yes | |||
| file: path='{{mysql_hardening_mysql_conf_file}}' mode=0600 owner=root group=root follow=yes | |||
There was a problem hiding this comment.
Does the mysql unpriviliged process has to be able to read the config files? MySQL itself is started as root and then creates a child process running as user mysql.
|
AFAIK default /etc/mysql/my.cnf contains [client] section, therefore it should be readable by users (for mysql cli usage etc). But having 400 mysqld should work just fine (i think ignoring all unreadable for user files) |
…p values to use vars instead
|
Changes made in 6fa5784. Please review. |
|
Thanks @agno01, I'll try to take a look this week. |
|
Thanks @agno01 for the improvement! |
