apache+php+mysql

sycamorex · 08-28-2009, 05:37 AM

I've got a general question about apache/mysql. I learn those things at home. Everything seems to work fine but it's a very basic setup. My question is related to users/permissions.
When dealing with mysql what is the best practice in terms of users and security. Shall I log in to it as mysql or my usual login? Same thing about apache (root? sycamorex? apache?) Who should be the owner of the files in htdocs?
thanks

Wim Sturkenboom · 08-29-2009, 01:45 AM

There is no mysql user in mysql (at least up to Slackware 12). The mysql user is a system user only (and does not have a shell so it can not be used to login). I use my normal system account to login to mysql.

Code:

wim@btd-techwb01:~$ mysql -u root -p
or
wim@btd-techwb01:~$ mysql -u wim -p

Leave the -p option out if the mysql user (root or wim) does not have a password.

The mysql root user creates the databases and grants the permissions to mysql users.

Code:

mysql> create database db1;
mysql> create database db2;
mysql> grant all privileges on db1.* to 'sycamorex'@'localhost' identified by 'my password';
mysql> grant all privileges on db2.* to 'sycamorex'@'localhost';
or
mysql> grant all privileges on *.* to 'sycamorex'@'localhost' identified by 'my password';

After this, the user sycamorex can maintain the (specified) databases.

Code:

sycamorex@yourpc:~$ mysql db1 -p
sycamorex@yourpc:~$ mysql db2 -p

The mysql client will pick up your username from your login and use that for the login to the mysql server; if that does not work as the mysqluser does not match the system user, you need to specify the username with the -u option (as shown earlier).

see http://www.linuxquestions.org/questi...gon-id-746757/ for cleaning up mysql after install

My apache configurations don't work on htdocs. I move the websites to the user's home directory. As long as apache can read there, it will be able to serve pages. The only issue with that is that apache can not write there (not every website requires this but mine do). See http://www.linuxquestions.org/questi...-group-730046/ how I solved that on a Slackware 12 server.

Below my virtual host configuration for apache

Code:

#
# Use name-based virtual hosting.
#
NameVirtualHost *:80

# catch-all
<VirtualHost *:80>
    ServerAdmin me@mydomain
    DocumentRoot /srv/httpd/htdocs
    ServerName btd-techweb02
</VirtualHost>

# site 1
<VirtualHost *:80>
    ServerAdmin me@mydomain
    DocumentRoot /home/wim/www/site1/web
    ServerName site1.btd-techweb02
    ErrorLog /var/log/httpd/error_log
    CustomLog /var/log/httpd/access_log common

#WimS
# this is required to prevent message 403 "Forbidden"
    <Directory "/home/wim/www/site1/web">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# site2
<VirtualHost *:80>
    ServerAdmin me@mydomain
    DocumentRoot /home/wim/www/site2/web
    ServerName site2.btd-techweb02
    ErrorLog /var/log/httpd/error_log
    CustomLog /var/log/httpd/access_log common

#WimS
# this is required to prevent message 403 "Forbidden"
    <Directory "/home/wim/www/site2/web">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

The bold lines tell apache where to find the webpages.

One additional advice: for any php code that you want to keep secure, create a directory next to the web directory (I call them inc). You can store e.g. a php file that contains the credentials for the mysql databases; you can also store php files in that same directory that contain sql statements. A php page can include those files, apache can read them, but visitors can not access them as it's outside the documentroot.

Code:

/home
  +--- wim
        +--- www
              +--- site1
                    +--- web
                    +--- inc

sycamorex · 08-29-2009, 05:15 AM

Thanks Wim.
It's clarified things for me. I'll keep reading.