[nycphp-talk] MySQL slow query log/general mysql log

Anthony Wlodarski anthony at dating2p0.com
Tue Sep 7 14:43:51 EDT 2010


MySQL does rotate the slow query log; at least on my systems it is automated. I did a quick look at the MySQL man pages just to verify if it does behave this way but could not confirm. This could present a problem when MySQL goes to rotate it off. If it uses an internal "cp -p" then permissions and such will just be copied to the backup logs. However, I don't know if the original file is truncated or recreated. If it is recreated then MySQL will only recreate it with the default 640 permissions. If it is just truncated then you are in the clear, but I am willing to bet on the aforementioned.

-----Original Message-----
From: "Matt Juszczak" <matt at atopia.net>
Sent: Tuesday, September 7, 2010 2:36pm
To: "NYPHP Talk" <talk at lists.nyphp.org>
Subject: Re: [nycphp-talk] MySQL slow query log/general mysql log

But that permission won't hold if/when MySQL rotates/re-creates the file, 
right?  But I guess for this file, MySQL itself won't ever rotate it 
unlike the binlogs.

On Tue, 7 Sep 2010, Anthony Wlodarski wrote:

> Then 755 should be appropriate.
> 
> -----Original Message-----
> From: "Matt Juszczak" <matt at atopia.net>
> Sent: Tuesday, September 7, 2010 2:29pm
> To: "NYPHP Talk" <talk at lists.nyphp.org>
> Subject: Re: [nycphp-talk] MySQL slow query log/general mysql log
> 
> Our setups are puppetized. There is a standard directory for MySQL log
> information. As we don't want to allow sudo for users just to see the
> file, I'd rather make it globally readable. Adding users to a group would
> be less trivial, as most of our user groups are managed by LDAP, while the
> mysql group is an actual systems group in /etc/group, which I don't want
> to manage manually.
> 
> So really, the group option is out - the only options I see are setting
> global read on the file, or adding the users that need to access it to
> sudo.
> 
> I'm not too worried about the file being accessed by other means - the
> server is a dedicated MySQL box.
> 
> Thanks,
> 
> Matt
> 
> On Tue, 7 Sep 2010, Anthony Wlodarski wrote:
> 
> > I don't know what type of OS this is on (Nix/Windows/Other), but when MySQL
> > creates a default slow queries log file for Ubuntu it places this in
> > /var/log/mysql, which is not accessible to anyone other than super user.  By
> > default this file is 640 so that owners and groups may access it.  For
> > example, on Ubuntu if you are part of the "adm" group you can read the file.
> > I would steer away from global reading permissions on that log.
> >
> > Going into the background on this, why do you want to enable all users to
> > read the file?  If so I would recommend creating a group and adding users to
> > the group for viewing permissions.  The log's information could be used
> > against you negatively if an attacker stumbles upon your file (somehow made
> > available through your webserver) and knows how your database reads and
> > writes the information passed to it.
> >
> > Internally no daemons such as the MySQL Daemon will bark about permissions to
> > the file as they have access to the log by default.
> >
> > -----Original Message-----
> > From: "Matt Juszczak" <matt at atopia.net>
> > Sent: Tuesday, September 7, 2010 2:09pm
> > To: talk at lists.nyphp.org
> > Subject: [nycphp-talk] MySQL slow query log/general mysql log
> >
> > Hi folks,
> >
> > Has anyone ever seen any negative effects of changing the permissions of
> > the MySQL slow query log (not changing umask or anything like that) once
> > MySQL has created the file? I'd like to make it 755 to allow for global
> > read only access.
> >
> > -Matt
> > _______________________________________________
> > New York PHP Users Group Community Talk Mailing List
> > http://lists.nyphp.org/mailman/listinfo/talk
> >
> > http://www.nyphp.org/Show-Participation
> >
> >
> >
> > Anthony Wlodarski
> > Lead Software Engineer
> > Dating 2.0
> > 646 285 0500 x217
> > anthony at dating2p0.com
> >
Anthony Wlodarski
Lead Software Engineer
[http://www.dating2p0.com] Dating 2.0
646 285 0500 x217
anthony at dating2p0.com
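
The truncate-versus-recreate question raised in this thread can be checked on a scratch file. This is an added example, not part of the original messages and not MySQL's own rotation code; the scratch paths, the 027 umask (which yields the 640 default mentioned above), the 644 world-readable mode and GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Constructed demo on a scratch file; it never touches a real MySQL log.

mode_of() { stat -c '%a' "$1"; }    # octal mode (GNU coreutils stat)

# Build a scratch "slow log" created 640, then opened up to 644 by an admin.
make_log() {
    dir=$(mktemp -d) || return 1
    log="$dir/slow.log"
    ( umask 027; echo "# Query_time: 12.3 (constructed line)" > "$log" )
    chmod 644 "$log"
}

# Case 1: copy with "cp -p", then truncate the original in place.
# The inode is unchanged, so the hand-set mode survives on both files.
mode_after_truncate() {
    make_log || return 1
    cp -p "$log" "$log.1"
    : > "$log"
    echo "$(mode_of "$log") $(mode_of "$log.1")"
    rm -rf "$dir"
}

# Case 2: rename the old file and let the writer create a fresh one.
# The new file is a new inode whose mode comes from the writer's umask,
# so the hand-set 644 is lost on the live log.
mode_after_recreate() {
    make_log || return 1
    mv "$log" "$log.1"
    ( umask 027; : > "$log" )
    echo "$(mode_of "$log") $(mode_of "$log.1")"
    rm -rf "$dir"
}

echo "truncate in place (live, backup): $(mode_after_truncate)"
echo "rename + recreate (live, backup): $(mode_after_recreate)"
```

Where rotation recreates the file, the readable mode has to be reasserted by whatever creates it (for logrotate, the `create` directive) or it falls back to the writer's umask.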