LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-10-2012, 02:57 PM   #1
anthony01
LQ Newbie
 
Registered: Sep 2012
Posts: 21

Rep: Reputation: Disabled
Will Apparmor protect my MySQL database if my Apache web server is compromised?


Hi,

I was wondering if I create two Apparmor profiles, for mysql and apache, is there a way I can enable Apache to access my database without an attacker being able to steal my database if he takes control of Apache?

Thanks in advance.
 
Old 10-11-2012, 08:41 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Apparmor, like SELinux is a form of mandatory access control that applies rules and roles to applications. With Apparmor you can specify which processes and applications can have access to certain directories, files, and other applications. In the context of your question, you want to know if you can deny the Apache (user) access to MySQL. The short answer is that yes, you could. In fact you can deny SQL access at several layers, including basic database access permissions. The problem you face is that if you deny access to the database, you can't use it as a back end for your web pages. There is no easy way to distinguish between intruder access via Apache and normal Apache access. This importance of this point bears repeating. You state that you are concerned about your database being "stolen", but presumably you want to make it's contents publicly available via your website? One other thing to consider is that if an intruder gains shell access to your system, they will be able to read files owned by 'others', including PHP files that contain the authentication credentials to your database.

What is more important, as well as more practical, is to have safeguards in place to prevent destruction and modification of your database should Apache, or any other process, become compromised by an intruder. As with most things security related, you will want to do this on multiple layers. Start with prepared statements in your code, working with sanitized data. Only allow read (select) access on your database. Enforce read only access with Aparmor and use strong passwords on both your root account and your root level SQL user. Last, but definitely not least, keep periodic backups of your critical database information.
 
Old 10-11-2012, 08:02 PM   #3
anthony01
LQ Newbie
 
Registered: Sep 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
Hi,

Thanks for your response. Yes, my website needs to constantly access the database. Since there is a "sign up" page on my website, I will need to grant the SQL user with INSERT and UPDATE privileges. Maybe I should create a dedicated SQL user for INSERT and UPDATE statement? Not sure if adding a little more isolation will be beneficial or not.

Also, if I use INSERT and UPDATE in my SQL statements, shouldn't the database need to be read/write? (with Apparmor)

Thanks a lot

Regards
 
Old 10-12-2012, 08:20 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
I would keep a database for your user accounts separate from the rest of your site data and keep different credentials. The idea being that if you are compromised that it will help contain the damage. Some other considerations include not storing the user passwords directly. Instead only store a hashed value. When they enter their password, hash it and compare the hashes. Too many users will reuse the same password for multiple places. By using the hashes, you won't be giving away the passwords, that could be used somewhere else, if you are compromised. Also keep good backups and monitor your system closely.
 
Old 10-12-2012, 11:51 AM   #5
anthony01
LQ Newbie
 
Registered: Sep 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
Thanks for that

Quote:
Originally Posted by Noway2 View Post
One other thing to consider is that if an intruder gains shell access to your system, they will be able to read files owned by 'others', including PHP files that contain the authentication credentials to your database.
Actually, i could make that SQL-password PHP file only readable by www-data, right? I'm not sure that "Others" really need to view this file, do they?
Thanks again
 
Old 10-12-2012, 03:34 PM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Your question actually raised my curiosity. Storing the SQL passwords in a PHP script is problematic. Even using an include file outside of the directory can be a problem because if the www-user can read the file, then if Apache is compromised the intruder can access it.

Searching for how to handle this shows mostly results about preventing SQL injection, but I did find this potential gem: http://shiflett.org/articles/shared-hosting

Look specifically at the part about using environment variables. Basically, what this amounts to is defining the credentials in the Apache vhost configuration that is read as root during the Apache startup. By making this file root read only, you can prevent an intruder who has not achieved root elevation from accessing your credentials. Needless to say, if they PWN root, it is game over anyway. I haven't tried this method, but I do understand what it is saying and agree with it. It also comes from a reputable original source (php cookbook).
 
Old 10-13-2012, 02:21 AM   #7
anthony01
LQ Newbie
 
Registered: Sep 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
Thanks a lot for your help, that link was very useful.
Regards
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Social media prototype web server database (sqlite or mysql) red_fire Linux - Server 2 08-30-2012 09:38 AM
web page on apache server query a MS Access database chackercon Programming 2 01-19-2010 10:22 AM
LXer: Protect your applications with AppArmor LXer Syndicated Linux News 0 08-22-2006 06:54 PM
Using the MySQL Database for Authentication on Apache Server ruiseixas Linux - Security 1 03-12-2004 10:32 PM
Setting up an Apache Web server with mySQL jasonX Linux - General 2 03-12-2004 12:11 PM


All times are GMT -5. The time now is 02:08 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration