On protecting MySQL from unwanted use of --skip-grant-tables
If a DBA needs to reset the MySQL root password, one method of doing this is to run mysqld with --skip-grant-tables as a command-line parameter. This is a bad practice for many reasons, and as a DBA friend of mine says, it's a lot like locking your door with the window open. If you are using MySQL for especially sensitive data, you should consider your options.
One option, and likely the preferred one, is to replace the stock MySQL binaries with a build that has this feature disabled – see http://dev.mysql.com/doc/refman/5.1/en/source-configuration-options.html#option_configure_disable-grant-options
I am not aware of any distros that are built with this option – but it seems like a fair number of folks out there would appreciate having a build like this.
But some either still want to be able to reset root's password somehow, or don't wish to compile MySQL on their own, so the second option is to use Gazzang ezNcrypt. Beyond the advantages of its Transparent Encryption, which provides encryption for table data, config files, backup data and more, you can also use ezNcrypt to prevent use of --skip-grant-tables. This "closes the window" and still lets you change the root password if needed. This is accomplished by transparently encrypting the mysqld executable and adding a simple wrapper executable that detects and removes --skip-grant-tables. It can also optionally send a signal to mysqld to force loading the privileges.
If and when you need to change the root password for MySQL, you can still do this – but you will need to have and use the proper RSA key and password, or Passphrase and Salt, which are protected and known only to a select few in your administration.
Here's the how-to for skip-grant-tables protection
1. Encrypt the mysqld executable.
# ezncrypt -e @protected /usr/sbin/mysqld
2. Create and compile the mysqld wrapper (called mysqld.secure) that calls the mysqld process
# g++ -o /usr/sbin/mysqld.secure mysqld.secure.cpp
Note: we wrote just a few lines of C++, but you could use a script or Perl or PHP … etc., as the hashes and fingerprinting prevent alteration.
3. Add the following rules using ezncrypt-access-control
# - Type Category Path Process
1 EE ALLOW @mysql * /var/lib/ezncrypt/ezncrypted/protected/usr/sbin/mysqld
2 ALLOW @protected /usr/sbin/mysqld /usr/sbin/mysqld.secure
Note: if mysqld.secure is changed, SHA-256 hashing and other fingerprinting detect that it is tainted, and permissions will be denied.
4. Edit my.cnf
mysqld = /usr/sbin/mysqld.secure
And that’s it.
When you call:
# mysqld_safe start
# mysqld_multi start
This will call mysqld.secure with all arguments. mysqld.secure removes any --skip-grant-tables it finds and calls /usr/sbin/mysqld without it. And again, mysqld can't be started on its own with --skip-grant-tables unless you have the encryption key.
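A sketch of what a wrapper like the mysqld.secure.cpp from step 2 could look like, added here as an example; it is not Gazzang's source. The names is_skip_grant and filter_args and the "skip-grant" minimum prefix are assumptions, and it inspects the command line only, not option files.

```cpp
// Added example: a hypothetical mysqld.secure wrapper, not Gazzang's source.
#include <algorithm>
#include <cstdio>
#include <string>
#include <vector>
#include <unistd.h>

// Path taken from the article's access-control rules.
static const char* REAL_MYSQLD = "/usr/sbin/mysqld";

// True if arg selects skip-grant-tables. MySQL 5.x option parsing treats
// '_' and '-' alike in option names, accepts "--opt=value", and accepts
// unambiguous prefixes of an option name, so all three forms are matched.
bool is_skip_grant(const std::string& arg) {
    if (arg.compare(0, 2, "--") != 0) return false;
    std::string name = arg.substr(2, arg.find('=') - 2);  // drop "--" and "=value"
    std::replace(name.begin(), name.end(), '_', '-');
    static const std::string full = "skip-grant-tables";
    static const std::string min_prefix = "skip-grant";   // assumption: shortest form matched
    return name.size() >= min_prefix.size() &&
           full.compare(0, name.size(), name) == 0;
}

// Returns the arguments with every skip-grant-tables form removed,
// logging each dropped argument to stderr for the audit trail.
std::vector<std::string> filter_args(const std::vector<std::string>& in) {
    std::vector<std::string> out;
    for (const auto& a : in) {
        if (is_skip_grant(a))
            std::fprintf(stderr, "mysqld.secure: dropped %s\n", a.c_str());
        else
            out.push_back(a);
    }
    return out;
}

int main(int argc, char** argv) {
    int first = argc > 0 ? 1 : 0;  // skip argv[0] when present
    std::vector<std::string> kept =
        filter_args(std::vector<std::string>(argv + first, argv + argc));
    std::vector<char*> child;
    child.push_back(const_cast<char*>(REAL_MYSQLD));
    for (auto& s : kept) child.push_back(&s[0]);
    child.push_back(nullptr);
    execv(REAL_MYSQLD, child.data());  // replaces this process on success
    std::perror("execv");              // reached only if exec failed
    return 127;
}
```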