[nycphp-talk] MySQL slow query log/general mysql log
Matt Juszczak
matt at atopia.net
Tue Sep 7 14:36:08 EDT 2010
But that permission won't hold if/when MySQL rotates/re-creates the file,
right? But I guess for this file, MySQL itself won't ever rotate it
unlike the binlogs.
On Tue, 7 Sep 2010, Anthony Wlodarski wrote:
> Then 755 should be appropriate.
>
> -----Original Message-----
> From: "Matt Juszczak" <matt at atopia.net>
> Sent: Tuesday, September 7, 2010 2:29pm
> To: "NYPHP Talk" <talk at lists.nyphp.org>
> Subject: Re: [nycphp-talk] MySQL slow query log/general mysql log
>
> Our setups are puppetized. There is a standard directory for MySQL log
> information. As we don't want to allow sudo for users just to see the
> file, I'd rather make it globally readable. Adding users to a group would
> be less trivial, as most of our user groups are managed by LDAP, while the
> mysql group is an actual systems group in /etc/group, which I don't want
> to manage manually.
>
> So really, the group option is out - the only options I see are setting
> global read on the file, or adding the users that need to access it to
> sudo.
>
> I'm not too worried about the file being accessed by other means - the
> server is a dedicated MySQL box.
>
> Thanks,
>
> Matt
>
> On Tue, 7 Sep 2010, Anthony Wlodarski wrote:
>
> > I don't know what type of OS this is on Nix/Windows/Other but when MySQL
> > creates a default slow queries log file for Ubuntu it places this in
> > /var/log/mysql which is not accessible to anyone other than super user.
> > By default this file is 640 so that owners and groups may access it. For
> > example on Ubuntu if you are part of the "adm" group you can read the
> > file. I would steer away from global reading permissions on that log.
> >
> > Going into the background on this, why do you want to enable all users to
> > read the file? If so I would recommend creating a group and adding users
> > to the group for viewing permissions. The log's information could be used
> > against you negatively if an attacker stumbles upon your file (somehow
> > made available through your webserver) and knows how your database reads
> > and writes the information passed to it.
> >
> > Internally no daemons such as the MySQL Daemon will bark about permissions
> > to the file as they have access to the log by default.
> >
> > -----Original Message-----
> > From: "Matt Juszczak" <matt at atopia.net>
> > Sent: Tuesday, September 7, 2010 2:09pm
> > To: talk at lists.nyphp.org
> > Subject: [nycphp-talk] MySQL slow query log/general mysql log
> >
> > Hi folks,
> >
> > Has anyone ever seen any negative effects of changing the permissions of
> > the MySQL slow query log (not changing umask or anything like that) once
> > MySQL has created the file? I'd like to make it 755 to allow for global
> > read only access.
> >
> > -Matt
> > _______________________________________________
> > New York PHP Users Group Community Talk Mailing List
> > http://lists.nyphp.org/mailman/listinfo/talk
> >
> > http://www.nyphp.org/Show-Participation
> >
> >
> >
> > Anthony Wlodarski
> > Lead Software Engineer
> > Dating 2.0
> > 646 285 0500 x217
> > anthony at dating2p0.com
> >
>
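
An added example (not part of the thread and not the posters' code) of the point raised in the top message: a chmod on the log does not survive the file being re-created, because the new file takes its mode from the creating process's umask. The temp path, the function names and the umask of 027 are assumptions, chosen to reproduce the 640 default mentioned in the thread.

```shell
#!/bin/sh
# Added example: constructed paths in a temp dir; no real MySQL server involved.

# Print a file's octal permission bits (GNU stat, with a BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Simulate the server re-creating its log. The new file's mode comes from the
# creating process's umask (027 is an assumption that yields 640), not from
# any chmod applied to the previous file.
recreate_log() {
    rm -f "$1"
    ( umask 027; : > "$1" )
}

# Report whether a log is readable by "other" and whether it carries execute
# bits, which a plain read grant on a regular file does not need.
audit_log_mode() {
    bits=$((0$(mode_of "$1")))
    result="restricted"
    if [ $((bits & 04)) -ne 0 ]; then result="world-readable"; fi
    if [ $((bits & 0111)) -ne 0 ]; then result="$result,exec-bits"; fi
    echo "$result"
}

# Walk through create -> chmod -> re-create and print the three modes.
permission_drift() {
    dir=$(mktemp -d)
    log="$dir/mysql-slow.log"          # constructed sample path
    recreate_log "$log";  created=$(mode_of "$log")
    chmod 644 "$log";     opened=$(mode_of "$log")
    recreate_log "$log";  recreated=$(mode_of "$log")
    rm -rf "$dir"
    echo "$created $opened $recreated"
}

permission_drift
```

Running `audit_log_mode` from a scheduled check or a configuration-management run catches both drift back to the default and a log that has been left more open than intended.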