Database server run as its own user
Posted: 10. July 2011 22:21
Hi,
I know Java well but don't know much about how computers actually work. I've been making my way through "PHP and MySQL Web Development For Dummies".
I'm currently in the chapter about security. The book emphasizes not to "run services such as a Web server, database server, or mail server as root."
Also, the book says:
"You shouldn't run all your services as the same user for the same basic reason that you don't want to run everything as root: When everything runs as the same user, if one service is compromised, they're all exposed...To minimize the damage a cracker can do, the database server should run as its own user, in its own group. For instance,many MySQL servers run as the user mysql in the group mysql. What you call the user and group isn't important. What matters is that this user is isolated from the other operations happening on the server."
EDIT: Just after that bit, the book goes on to say
"The preceding section covers running the database AS ITS OWN USER [my emphasis]. In this section, we switch gears a bit and talk about actual database users -- the users created within the database with privileges to administer...."
But I already know about database users. But what about "running the database as its own user"?
I don't fully understand this, and the book doesn't really elaborate any further. Do they mean user accounts as in desktops on windows? Should I have my MySQL database one one 'desktop', Apache on another, and the php scripts on a third?...
Anything you could tell me would be useful.
Thanks
I know Java well but don't know much about how computers actually work. I've been making my way through "PHP and MySQL Web Development For Dummies".
I'm currently in the chapter about security. The book emphasizes not to "run services such as a Web server, database server, or mail server as root."
Also, the book says:
"You shouldn't run all your services as the same user for the same basic reason that you don't want to run everything as root: When everything runs as the same user, if one service is compromised, they're all exposed...To minimize the damage a cracker can do, the database server should run as its own user, in its own group. For instance,many MySQL servers run as the user mysql in the group mysql. What you call the user and group isn't important. What matters is that this user is isolated from the other operations happening on the server."
EDIT: Just after that bit, the book goes on to say
"The preceding section covers running the database AS ITS OWN USER [my emphasis]. In this section, we switch gears a bit and talk about actual database users -- the users created within the database with privileges to administer...."
But I already know about database users. But what about "running the database as its own user"?
I don't fully understand this, and the book doesn't really elaborate any further. Do they mean user accounts as in desktops on windows? Should I have my MySQL database one one 'desktop', Apache on another, and the php scripts on a third?...
Anything you could tell me would be useful.
Thanks