Debian Etch and MySQL users

Posted: Tue May 22, 2007 8:39 pm
by alex.barylski
I've installed MySQL on ETCH - easy.

I'm looking at securing the RDBMS now and I started with looking at the users table to see who and what has access.

I have 5 accounts:

localhost              root    
web1.mycompany.com     root  
localhost              debian-sys-maint
%                      mycompany
123.456.789.101        mycompany

The last two I added, while experimenting with giving MySQL remote connection access - I use a MySQL client Windows app to modify my tables, etc. (phpMyAdmin sucks :P )

The '%' I believe was my first attempt and is likely a security hole, so it's gonna get dropped ASAP - although it has no privs at all :S

The second IP based (user: mycompany) has a password and full privileges, I remember creating this account.

I've Googled for debian-sys-maint and it appears it's created by Debian to basically start the daemon inside init.d, etc. It has password and full privs. web1.mycompany.com is the name of my server and I believe is the same damn thing as localhost - so why in the heck would it exist?

Ideally I wanted only two.

1) root@localhost
2) root@123.456.789.101

And I'm guessing now I need debian-sys-maint

I'm working on a shell script to disable/enable remote access on an 'as needed' basis (remote connections are always bad).

Anyone have any insight into how and why the debian-sys-maint account exists? Can I not just use the default root for localhost, seeing as they both seem to share the same privs and are password protected after all. What is the benefit to having one used for starting the daemon and the other for carrying out activities?

I will also have custom accounts for each web site I host but with restricted privs (basically CRUD and that's it).

Anyways, if someone would care to elaborate on these questions for me and share some security insight, that would be awesome. :)
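
An added example, not part of the original posts: a small audit over rows shaped like the account listing above, flagging wildcard hosts, privileged remote accounts and missing passwords. The `Account` fields, the `server_hostname` parameter and the password/privilege flags in `SAMPLE` are assumptions made for illustration.

```python
from dataclasses import dataclass
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
PACKAGING_ACCOUNTS = {"debian-sys-maint"}  # created by the Debian package

@dataclass
class Account:              # hypothetical row shape, not a MySQL API
    host: str
    user: str
    has_password: bool
    has_privs: bool         # True if any global privilege column is 'Y'

def host_scope(host, server_hostname):
    """Classify a mysql.user Host value by where clients may connect from."""
    if "%" in host or "_" in host:   # MySQL treats % and _ as Host wildcards
        return "wildcard"
    if host.lower() in LOCAL_HOSTS:
        return "local"
    if host.lower() == server_hostname.lower():
        return "self"                # the server's own name
    return "remote"

def audit(accounts, server_hostname):
    """Return (account, severity, reason) findings for a list of Account rows."""
    findings = []
    for a in accounts:
        name = f"{a.user}@{a.host}"
        scope = host_scope(a.host, server_hostname)
        if not a.has_password:
            findings.append((name, "high", "no password set"))
        if scope == "wildcard":
            sev = "high" if a.has_privs else "medium"
            findings.append((name, sev, "host pattern matches many clients"))
        elif scope == "remote" and a.has_privs:
            findings.append((name, "review", "privileged account reachable remotely"))
        if a.user in PACKAGING_ACCOUNTS and scope == "local":
            findings.append((name, "info", "package maintenance account"))
    return findings

# Constructed rows modelled on the listing in the post; flags are assumed.
SAMPLE = [
    Account("localhost", "root", True, True),
    Account("web1.mycompany.com", "root", True, True),
    Account("localhost", "debian-sys-maint", True, True),
    Account("%", "mycompany", True, False),
    Account("123.456.789.101", "mycompany", True, True),
]
if __name__ == "__main__":
    for finding in audit(SAMPLE, "web1.mycompany.com"):
        print(*finding, sep=" | ")
```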

Re: Debian Etch and MySQL users

Posted: Tue May 22, 2007 9:46 pm
by redmonkey
Hockey wrote: web1.mycompany.com is the name of my server and I believe is the same damn thing as localhost - so why in the heck would it exist?
Because it's the name of your server. By having both localhost and web1.mycompany.com it covers all bases.

Hockey wrote: Anyone have any insight into how and why the debian-sys-maint account exists? Can I not just use the default root for localhost, seeing as they both seem to share the same privs and are password protected after all. What is the benefit to having one used for starting the daemon and the other for carrying out activities?
The 'debian-sys-maint' is used to shut down mysqld using mysqladmin rather than just killing it.

'debian-sys-maint' is also used for rotating MySQL's binary logs and I've noticed that many of Debian's other packages that require MySQL databases created are now using the 'debian-sys-maint' super user account instead of the actual MySQL root user account.

Technically you don't need it but it's part of the Debian installer package you have used, and personally, I recommend whenever you install via a package manager the only modifications that should be done to that package are ones which can be done via the package manager. Manually changing things will almost always come back to bite you later on down the line and if you're not an experienced user this will give you numerous headaches.

Posted: Tue May 22, 2007 10:37 pm
by alex.barylski
redmonkey wrote: Because it's the name of your server. By having both localhost and web1.mycompany.com it covers all bases.
I figured that, but why? Under what circumstance would I ever need to connect to a database using web1.mycompany.com?

Almost every PHP script or application I have ever worked on used localhost as it's the generic catch-all.

Cheers :)