FILE [577]-privilege operations a bit safer, files generated with SELECT ... INTO OUTFILE do not overwrite existing files and are writable by everyone.

The FILE [577] privilege may also be used to read any file that is world-readable or accessible to the Unix user that the server runs as. With this privilege, you can read any file into a database table. This could be abused, for example, by using LOAD DATA to load /etc/passwd into a table, which then can be displayed with SELECT.

To limit the location in which files can be read and written, set the secure_file_priv [490] system variable to a specific directory. See Section 5.1.4, "Server System Variables".

• Do not grant the PROCESS [577] or SUPER [578] privilege to nonadministrative users. The output of mysqladmin processlist and SHOW PROCESSLIST shows the text of any statements currently being executed, so any user who is permitted to see the server process list might be able to see statements issued by other users such as UPDATE user SET password=PASSWORD('not_secure').

mysqld reserves an extra connection for users who have the SUPER [578] privilege, so that a MySQL root user can log in and check server activity even if all normal connections are in use.

The SUPER [578] privilege can be used to terminate client connections, change server operation by changing the value of system variables, and control replication servers.

• Do not permit the use of symlinks to tables. (This capability can be disabled with the --skip-symbolic-links [421] option.) This is especially important if you run mysqld as root, because anyone that has write access to the server's data directory then could delete any file in the system! See Section 8.9.6.2, "Using Symbolic Links for MyISAM Tables on Unix".

• Stored programs and views should be written using the security guidelines discussed in Section 18.5, "Access Control for Stored Programs and Views".

• If you do not trust your DNS, you should use IP addresses rather than host names in the grant tables. In any case, you should be very careful about creating grant table entries using host name values that contain wildcards.

• If you want to restrict the number of connections permitted to a single account, you can do so by setting the max_user_connections [472] variable in mysqld. The GRANT statement also supports resource control options for limiting the extent of server use permitted to an account. See Section 13.7.1.3, "GRANT Syntax".

• If the plugin directory is writable by the server, it may be possible for a user to write executable code to a file in the directory using SELECT ... INTO DUMPFILE. This can be prevented by making plugin_dir [481] read only to the server or by setting --secure-file-priv [419] to a directory where SELECT writes can be made safely.

6.1.4. Security-Related mysqld Options and Variables

The following table shows mysqld options and system variables that affect security. For descriptions of each of these, see Section 5.1.3, "Server Command Options", and Section 5.1.4, "Server System Variables".

Table 6.1. Security Option/Variable Summary

| Name | Cmd-Line | Option file | System Var | Status Var | Var Scope | Dynamic |
|---|---|---|---|---|---|---|
| allow-suspicious-udfs [400] | Yes | Yes | | | | |
| automatic_sp_privileges [437] | | | Yes | | Global | Yes |
| chroot [403] | Yes | Yes | | | | |
| des-key-file [407] | Yes | Yes | | | | |
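The account and variable checks implied by the guidelines in this section can be run as one audit pass. The following is an added example, not part of the manual; the account 'app_user'@'10.0.0.5' and the limit of 10 connections are hypothetical, and the queries assume a 5.0 server recent enough to have the secure_file_priv and plugin_dir variables named above.

```sql
-- Added example (not from the manual). Run as an administrative account
-- that can read the mysql.user grant table.

-- 1. Accounts holding FILE, PROCESS or SUPER. Anything listed here that
--    is not an administrative account should have the privilege revoked.
SELECT User, Host, File_priv, Process_priv, Super_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Process_priv = 'Y' OR Super_priv = 'Y'
ORDER BY User, Host;

-- 2. Grant table entries whose host value contains a wildcard
--    ('%' or '_'), which the guidelines say to treat with care.
SELECT User, Host
FROM mysql.user
WHERE INSTR(Host, '%') > 0 OR INSTR(Host, '_') > 0
ORDER BY User, Host;

-- 3. Accounts with no per-account connection limit. A value of 0 means
--    the account falls back to the global max_user_connections setting.
SELECT User, Host, max_user_connections
FROM mysql.user
WHERE max_user_connections = 0
ORDER BY User, Host;

-- 4. Server settings referenced by the guidelines.
SHOW VARIABLES LIKE 'secure_file_priv';      -- empty value: no directory restriction
SHOW VARIABLES LIKE 'plugin_dir';            -- directory that must not be server-writable
SHOW VARIABLES LIKE 'have_symlink';          -- DISABLED when --skip-symbolic-links is set
SHOW VARIABLES LIKE 'max_user_connections';  -- 0: no global per-account limit

-- 5. Remediation for one nonadministrative account found in step 1 or 3.
--    'app_user'@'10.0.0.5' is a hypothetical account; substitute your own.
REVOKE FILE, PROCESS, SUPER ON *.* FROM 'app_user'@'10.0.0.5';
GRANT USAGE ON *.* TO 'app_user'@'10.0.0.5' WITH MAX_USER_CONNECTIONS 10;

-- 6. Confirm the resulting privileges.
SHOW GRANTS FOR 'app_user'@'10.0.0.5';
```

The file system permissions on the plugin directory itself are not visible from SQL and need to be checked on the host.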