<div dir="ltr">Should I be concerned even if my SQL server is only listening on localhost?<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 12, 2016 at 1:29 PM, Joseph Sinclair <span dir="ltr"><<a href="mailto:plug-discussion@stcaz.net" target="_blank">plug-discussion@stcaz.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">FYI, minor improvement below to lock down a few edge cases (note, this is primarily for EXT{2,3,4} and other filesystems that support file attributes).<br>
You'll also need to remove the attribute manually before updating when patches become available.<br>
<span class=""><br>
On 09/12/2016 12:33 PM, der.hans wrote:<br>
> On 12 Sep 2016, Herminio Hernandez Jr. wrote:<br>
><br>
> moin moin,<br>
><br>
</span><span class="">>> Basically they mirror the repos. So when it hits debian I will upgrade.<br>
><br>
> Ah, OK.<br>
><br>
> You might also want to create a couple of empty files and lock them down.<br>
><br>
> $datadir can be exploited, so pre-emptively putting empty conf files in<br>
> there that can't be changed by mysql is a good idea.<br>
><br>
> The following is for anyone with questions on locking down the config<br>
> files in $datadir.<br>
><br>
> Presuming $datadir is /var/lib/mysql either of the following will lock<br>
> down the files when run as root, but the first will destroy files you<br>
> might already have.<br>
><br>
> # >/var/lib/mysql/my.cnf<br>
> # >/var/lib/mysql/.my.cnf<br>
> # chmod 000 /var/lib/mysql/{.,}my.cnf<br>
</span># chattr +i /var/lib/mysql/{.,}my.cnf<br>
<span class="">><br>
> Or, with some minimal verification that it's safe...<br>
><br>
> # for file in /var/lib/mysql/{.,}my.cnf; do<br>
> if [ ! -e $file ] ; then<br>
> >$file<br>
> chmod 000 $file<br>
</span> chattr +i $file<br>
> ls -l $file<br>
lsattr $file<br>
> else<br>
> ls -l $file<br>
lsattr $file<br>
<div class="HOEnZb"><div class="h5">> echo "You might want to check on that"<br>
> fi<br>
> done<br>
><br>
> ciao,<br>
><br>
> der.hans<br>
><br>
>> Sent from my iPhone<br>
>><br>
>>> On Sep 12, 2016, at 12:00 PM, der.hans <PLUGd@LuftHans.com> wrote:<br>
>>><br>
>>> On 12 Sep 2016, Herminio Hernandez Jr. wrote:<br>
>>><br>
>>> moin moin,<br>
>>><br>
>>>> Thanks have some SQL in DO droplets. Will be looking for this.<br>
>>><br>
>>> Will DigitalOcean automagically apply the patches for you?<br>
>>><br>
>>> I would expect it's in their best interest.<br>
>>><br>
>>> I'm certain DreamHost is already upgraded. GoDaddy is probably rolling it<br>
>>> out already, but I no longer know anyone on the team over there, so am not<br>
>>> sure how quick they will be.<br>
>>><br>
>>> This is admittedly one of the advantages of cloud. The infrastructure<br>
>>> providers can centrally test and roll out for everyone. The disadvantage<br>
>>> is if it's something that affects you, but they don't know or care about<br>
>>> it :).<br>
>>><br>
>>> ciao,<br>
>>><br>
>>> der.hans<br>
>>><br>
>>>> Sent from my iPhone<br>
>>>><br>
>>>>> On Sep 12, 2016, at 11:18 AM, der.hans <PLUGd@LuftHans.com> wrote:<br>
>>>>><br>
>>>>> moin moin,<br>
>>>>><br>
>>>>> a MySQL remote exploit was announced this morning. Percona and MariaDB<br>
>>>>> already have fixes that have not yet hit the distros.<br>
>>>>><br>
>>>>> <a href="https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662" rel="noreferrer" target="_blank">https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662</a><br>
>>>>><br>
>>>>> <a href="http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html" rel="noreferrer" target="_blank">http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html</a><br>
>>>>><br>
>>>>> Watch for updates.<br>
>>>>><br>
>>>>> ciao,<br>
>>>>><br>
>>>>> der.hans<br>
>>>>> --<br>
>>>>> # <a href="http://www.LuftHans.com/" rel="noreferrer" target="_blank">http://www.LuftHans.com/</a> <a href="http://www.PhxLinux.org/" rel="noreferrer" target="_blank">http://www.PhxLinux.org/</a><br>
>>>>> # Fairy Tale, n.: A horror story to prepare children for the newspapers.<br>
>>>>> ---------------------------------------------------<br>
>>>>> PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org">PLUG-discuss@lists.phxlinux.org</a><br>
>>>>> To subscribe, unsubscribe, or to change your mail settings:<br>
>>>>> <a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
>>><br>
>>> --<br>
>>> # <a href="http://www.LuftHans.com/" rel="noreferrer" target="_blank">http://www.LuftHans.com/</a> <a href="http://www.PhxLinux.org/" rel="noreferrer" target="_blank">http://www.PhxLinux.org/</a><br>
>>> # "You go to Afghanistan and you swallow enough dust that you'll pass an<br>
>>> # adobe brick." -- Robin Williams, 03Aug2006<br>
><br>
><br>
><br>
><br>
<br>
</div></div><br></blockquote></div><br></div>
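The $datadir lockdown from der.hans' quoted message, written up as an added example that is not code from the thread: it creates the empty placeholder files only when nothing non-empty is already there, locks them with chmod 000 and chattr +i, includes the chattr -i step Joseph says you will need at patch time, and verifies the result by parsing lsattr. DATADIR, the function names and the sample lsattr line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pre-create empty my.cnf/.my.cnf in
# $datadir (der.hans' idea) without clobbering an existing file, lock them
# with chmod 000 + chattr +i, and verify. Needs ext2/3/4; run --apply as root.
DATADIR="${DATADIR:-/var/lib/mysql}"

# True if an lsattr output line shows the immutable (lowercase i) flag.
# Constructed sample line: "----i---------e------- /var/lib/mysql/my.cnf"
has_immutable_flag() {
    flags=${1%% *}          # first field is the attribute string
    case "$flags" in *i*) return 0 ;; *) return 1 ;; esac
}

# True if a non-empty file already sits at that path: inspect it rather
# than silently replacing it with an empty placeholder.
needs_review() {
    [ -s "$1" ]
}

# Create the empty placeholder and lock it down.
lock_config_file() {
    f=$1
    if needs_review "$f"; then
        echo "$f exists and is not empty; review it before locking" >&2
        return 2
    fi
    : > "$f"
    chown root:root "$f"
    chmod 000 "$f"
    chattr +i "$f"
}

# Drop the immutable flag before applying the vendor patch (Joseph's note).
unlock_config_file() {
    chattr -i "$1"
}

# Verify: exists, mode 000, root-owned, immutable (GNU stat and lsattr).
is_locked_down() {
    f=$1
    [ -e "$f" ] || return 1
    [ "$(stat -c '%a %U' "$f")" = "0 root" ] || return 1
    has_immutable_flag "$(lsattr -d "$f" 2>/dev/null)"
}

if [ "${1:-}" = "--apply" ]; then
    for f in "$DATADIR/my.cnf" "$DATADIR/.my.cnf"; do
        lock_config_file "$f" && is_locked_down "$f" && ls -l "$f" && lsattr "$f"
    done
fi
```

Without `--apply` the script only defines the functions, so it can be sourced to run `is_locked_down` as a read-only audit.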