[SOLVED] Will Apparmor protect my MySQL database if my Apache web server is compromised?

Hi,

I was wondering if I create two Apparmor profiles, for mysql and apache, is there a way I can enable Apache to access my database without an attacker being able to steal my database if he takes control of Apache?

Thanks in advance.

Apparmor, like SELinux is a form of mandatory access control that applies rules and roles to applications. With Apparmor you can specify which processes and applications can have access to certain directories, files, and other applications. In the context of your question, you want to know if you can deny the Apache (user) access to MySQL. The short answer is that yes, you could. In fact you can deny SQL access at several layers, including basic database access permissions. The problem you face is that if you deny access to the database, you can't use it as a back end for your web pages. There is no easy way to distinguish between intruder access via Apache and normal Apache access. This importance of this point bears repeating. You state that you are concerned about your database being "stolen", but presumably you want to make it's contents publicly available via your website? One other thing to consider is that if an intruder gains shell access to your system, they will be able to read files owned by 'others', including PHP files that contain the authentication credentials to your database.

What is more important, as well as more practical, is to have safeguards in place to prevent destruction and modification of your database should Apache, or any other process, become compromised by an intruder. As with most things security related, you will want to do this on multiple layers. Start with prepared statements in your code, working with sanitized data. Only allow read (select) access on your database. Enforce read only access with Aparmor and use strong passwords on both your root account and your root level SQL user. Last, but definitely not least, keep periodic backups of your critical database information.

Hi,

Thanks for your response. Yes, my website needs to constantly access the database. Since there is a "sign up" page on my website, I will need to grant the SQL user with INSERT and UPDATE privileges. Maybe I should create a dedicated SQL user for INSERT and UPDATE statement? Not sure if adding a little more isolation will be beneficial or not.

Also, if I use INSERT and UPDATE in my SQL statements, shouldn't the database need to be read/write? (with Apparmor)

Thanks a lot

Regards

I would keep a database for your user accounts separate from the rest of your site data and keep different credentials. The idea being that if you are compromised that it will help contain the damage. Some other considerations include not storing the user passwords directly. Instead only store a hashed value. When they enter their password, hash it and compare the hashes. Too many users will reuse the same password for multiple places. By using the hashes, you won't be giving away the passwords, that could be used somewhere else, if you are compromised. Also keep good backups and monitor your system closely.

Thanks for that

Quote:

Originally Posted by Noway2 One other thing to consider is that if an intruder gains shell access to your system, they will be able to read files owned by 'others', including PHP files that contain the authentication credentials to your database.

Actually, i could make that SQL-password PHP file only readable by www-data, right? I'm not sure that "Others" really need to view this file, do they?
Thanks again

Your question actually raised my curiosity. Storing the SQL passwords in a PHP script is problematic. Even using an include file outside of the directory can be a problem because if the www-user can read the file, then if Apache is compromised the intruder can access it.

Searching for how to handle this shows mostly results about preventing SQL injection, but I did find this potential gem: http://shiflett.org/articles/shared-hosting

Look specifically at the part about using environment variables. Basically, what this amounts to is defining the credentials in the Apache vhost configuration that is read as root during the Apache startup. By making this file root read only, you can prevent an intruder who has not achieved root elevation from accessing your credentials. Needless to say, if they PWN root, it is game over anyway. I haven't tried this method, but I do understand what it is saying and agree with it. It also comes from a reputable original source (php cookbook).

Thanks a lot for your help, that link was very useful.
Regards