Mysql
Gašper Spagnolo
parent
fae286bc42
commit
6f94f240d2
|
|
@ -523,4 +523,98 @@ PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
|
|||
59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
|
||||
```
|
||||
|
||||
### Sudoers
|
||||
|
||||
```bash
|
||||
root@ls-2024-9:/etc/sudoers.d# cat 90-cloud-init-users
|
||||
# Created by cloud-init v. 22.4.2-0ubuntu0~22.04.1 on Thu, 01 Feb 2024 14:23:09 +0000
|
||||
|
||||
# User rules for root
|
||||
root ALL=(ALL) NOPASSWD:ALL
|
||||
```
|
||||
|
||||
This rule allows us to run any command as root without password. For any user.
|
||||
|
||||
Lets comment it out.
|
||||
|
||||
```bash
|
||||
visudo -f /etc/sudoers.d/90-cloud-init-users
|
||||
```
|
||||
|
||||
### Mysql database
|
||||
|
||||
Pretty much safe, as the database is not exposed to the internet (visible in `nmap` scan).
|
||||
Only local.
|
||||
|
||||
```bash
|
||||
bind-address = 127.0.0.1
|
||||
mysqlx-bind-address = 127.0.0.1
|
||||
```
|
||||
|
||||
BUT.......
|
||||
|
||||
when we look at the `ps` output. We can notice:
|
||||
|
||||
```bash
|
||||
mysql 608 0.8 36.8 1324960 366156 ? Ssl 07:59 1:05 /usr/sbin/mysqld --skip-grant-tables
|
||||
```
|
||||
|
||||
- `--skip-grant-tables` This option causes the server to start without using the privilege system at all.
|
||||
This means that anyone can connect to the MySQL server without a password and with all privileges.
|
||||
|
||||
|
||||
```bash
|
||||
root@ls-2024-9:/etc/systemd/system# systemctl status mysql
|
||||
● mysql.service - MySQL Community Server
|
||||
Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
|
||||
Active: active (running) since Fri 2024-02-02 07:59:21 UTC; 2h 15min ago
|
||||
Process: 527 ExecStartPre=/usr/share/mysql/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
|
||||
Main PID: 608 (mysqld)
|
||||
Status: "Server is operational"
|
||||
Tasks: 38 (limit: 1116)
|
||||
Memory: 362.1M
|
||||
CPU: 1min 7.490s
|
||||
CGroup: /system.slice/mysql.service
|
||||
└─608 /usr/sbin/mysqld --skip-grant-tables
|
||||
|
||||
Feb 02 07:59:14 ls-2024-9 systemd[1]: Starting MySQL Community Server...
|
||||
Feb 02 07:59:21 ls-2024-9 systemd[1]: Started MySQL Community Server.
|
||||
root@ls-2024-9:/etc/systemd/system#
|
||||
```
|
||||
|
||||
By removing the `--skip-grant-tables` from the `mysql.service` file and restarting the service we can fix this issue.
|
||||
|
||||
```bash
|
||||
root@ls-2024-9:/etc/systemd/system# cat /lib/systemd/system/mysql.service
|
||||
# MySQL systemd service file
|
||||
|
||||
[Unit]
|
||||
Description=MySQL Community Server
|
||||
After=network.target
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
User=mysql
|
||||
Group=mysql
|
||||
PIDFile=/run/mysqld/mysqld.pid
|
||||
PermissionsStartOnly=true
|
||||
ExecStartPre=/usr/share/mysql/mysql-systemd-start pre
|
||||
ExecStart=/usr/sbin/mysqld --skip-grant-tables
|
||||
TimeoutSec=infinity
|
||||
Restart=on-failure
|
||||
RuntimeDirectory=mysqld
|
||||
RuntimeDirectoryMode=755
|
||||
LimitNOFILE=10000
|
||||
|
||||
# Set enviroment variable MYSQLD_PARENT_PID. This is required for restart.
|
||||
Environment=MYSQLD_PARENT_PID=1
|
||||
```
|
||||
|
||||
```bash
|
||||
root@ls-2024-9:/etc/systemd/system# systemctl daemon-reload
|
||||
root@ls-2024-9:/etc/systemd/system# systemctl restart mysql.service
|
||||
```
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue