FYI, minor improvement below to lock down a few edge cases (note, this is
primarily for EXT{2,3,4} and other filesystems that support file
attributes). You'll also need to remove the attribute manually before
updating when patches become available.

On 09/12/2016 12:33 PM, der.hans wrote:
> On 12 Sep 2016, Herminio Hernandez Jr. wrote:
>
> moin moin,
>
>> Basically they mirror the repos. So when it hits debian I will upgrade.
>
> Ah, OK.
>
> You might also want to create a couple of empty files and lock them down.
>
> $datadir can be exploited, so pre-emptively putting empty conf files in
> there that can't be changed by mysql is a good idea.
>
> The following is for anyone with questions on locking down the config
> files in $datadir.
>
> Presuming $datadir is /var/lib/mysql either of the following will lock
> down the files when run as root, but the first will destroy files you
> might already have.
>
> # >/var/lib/mysql/my.cnf
> # >/var/lib/mysql/.my.cnf
> # chmod 000 /var/lib/mysql/{.,}my.cnf
> # chattr +i /var/lib/mysql/{.,}my.cnf
>
> Or, with some minimal verification that it's safe...
>
> # for file in /var/lib/mysql/{.,}my.cnf; do
>   if [ ! -e "$file" ] ; then
>     >"$file"
>     chmod 000 "$file"
>     chattr +i "$file"
>     ls -l "$file"
>     lsattr "$file"
>   else
>     ls -l "$file"
>     lsattr "$file"
>     echo "You might want to check on that"
>   fi
> done
>
> ciao,
>
> der.hans
>
>> Sent from my iPhone
>>
>>> On Sep 12, 2016, at 12:00 PM, der.hans wrote:
>>>
>>> On 12 Sep 2016, Herminio Hernandez Jr. wrote:
>>>
>>> moin moin,
>>>
>>>> Thanks have some SQL in DO droplets. Will be looking for this.
>>>
>>> Will DigitalOcean automagically apply the patches for you?
>>>
>>> I would expect it's in their best interest.
>>>
>>> I'm certain DreamHost is already upgraded. GoDaddy is probably rolling it
>>> out already, but I no longer know anyone on the team over there, so am not
>>> sure how quick they will be.
>>>
>>> This is admittedly one of the advantages of cloud. The infrastructure
>>> providers can centrally test and roll out for everyone. The disadvantage
>>> is if it's something that affects you, but they don't know or care about
>>> it :).
>>>
>>> ciao,
>>>
>>> der.hans
>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Sep 12, 2016, at 11:18 AM, der.hans wrote:
>>>>>
>>>>> moin moin,
>>>>>
>>>>> a MySQL remote exploit was announced this morning. Percona and MariaDB
>>>>> already have fixes that have not yet hit the distros.
>>>>>
>>>>> https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662
>>>>>
>>>>> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
>>>>>
>>>>> Watch for updates.
>>>>>
>>>>> ciao,
>>>>>
>>>>> der.hans
>>>>> --
>>>>> # http://www.LuftHans.com/ http://www.PhxLinux.org/
>>>>> # Fairy Tale, n.: A horror story to prepare children for the newspapers.
>>>>> ---------------------------------------------------
>>>>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>> --
>>> # http://www.LuftHans.com/ http://www.PhxLinux.org/
>>> # "You go to Afghanistan and you swallow enough dust that you'll pass an
>>> # adobe brick." -- Robin Williams, 03Aug2006
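
An added example, not part of the original thread: a read-only audit of the lockdown the messages above describe, reporting whether my.cnf and .my.cnf in $datadir are each an empty, mode-000, immutable regular file. The function names and the DATADIR variable are assumptions for illustration, and the script relies on GNU stat and e2fsprogs lsattr.

```shell
#!/bin/sh
# Added example: read-only audit of the $datadir lockdown described above.
# Assumption: DATADIR defaults to /var/lib/mysql, as the thread presumes.
DATADIR="${DATADIR:-/var/lib/mysql}"

# lockdown_state FILE prints exactly one of:
#   missing | not-regular | non-empty | bad-mode:<octal>
#   not-immutable | attr-unknown | locked
lockdown_state() {
    f="$1"
    if [ ! -e "$f" ] && [ ! -L "$f" ]; then echo missing; return 0; fi
    # A symlink or directory is not the empty placeholder file the thread creates.
    if [ -L "$f" ] || [ ! -f "$f" ]; then echo not-regular; return 0; fi
    # -s only needs stat(), so it works even on a mode-000 file.
    if [ -s "$f" ]; then echo non-empty; return 0; fi
    mode=$(stat -c %a "$f" 2>/dev/null) || { echo attr-unknown; return 0; }
    if [ "$mode" -ne 0 ]; then echo "bad-mode:$mode"; return 0; fi
    # lsattr fails on filesystems without attribute support; report that
    # separately instead of calling the file unprotected.
    attrs=$(lsattr -d "$f" 2>/dev/null | awk '{print $1}')
    case "$attrs" in
        "")  echo attr-unknown ;;
        *i*) echo locked ;;
        *)   echo not-immutable ;;
    esac
}

# audit_datadir DIR prints "<state><TAB><path>" for both file names and
# returns non-zero unless both are locked.
audit_datadir() {
    dir="$1"; rc=0
    for name in my.cnf .my.cnf; do
        state=$(lockdown_state "$dir/$name")
        printf '%s\t%s\n' "$state" "$dir/$name"
        [ "$state" = locked ] || rc=1
    done
    return "$rc"
}

# Run the audit only when asked, e.g.:  sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_datadir "$DATADIR"; fi
```

A `non-empty` or `not-regular` result is the case the thread's "You might want to check on that" branch is meant to catch; a `locked` result means the immutable attribute has to be removed before a package update can touch the file.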