In this section, we discuss MySQL standard security procedures as they apply to running MySQL Cluster.
In general, any standard procedure for running MySQL securely also applies to running a MySQL Server as part of a MySQL Cluster. First and foremost, you should always run a MySQL Server as the mysql system user; this is no different from running MySQL in a standard (non-Cluster) environment. The mysql system account should be uniquely and clearly defined. Fortunately, this is the default behavior for a new MySQL installation. You can verify that the mysqld process is running as the mysql system user by using a system command such as the one shown here:
    ps aux | grep mysql
    root     10467  0.0  0.1   3616  1380 pts/3    S    11:53   0:00 \
      /bin/sh ./mysqld_safe --ndbcluster --ndb-connectstring=localhost:1186
    mysql    10512  0.2  2.5  58528 26636 pts/3    Sl   11:53   0:00 \
      /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql \
      --datadir=/usr/local/mysql/var --user=mysql --ndbcluster \
      --ndb-connectstring=localhost:1186 --pid-file=/usr/local/mysql/var/mothra.pid \
      --log-error=/usr/local/mysql/var/mothra.err
    jon      10579  0.0  0.0   2736   688 pts/0    S+   11:54   0:00 grep mysql
Never run mysqld as the system root user. Doing so means that potentially any file on the system can be read by MySQL, and thus—should MySQL be compromised—by an attacker.
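The following script is an added example, not part of the MySQL documentation. It automates the ps check above by reading lines in the layout printed by ps -eo user=,pid=,args= and reporting any mysqld server process not owned by the mysql account. The names audit_mysqld_users, sample_ps and EXPECTED_USER are assumptions, and the sample lines are constructed (adapted from the output above, plus one invented root-owned mysqld line).

```sh
#!/bin/sh
# Added example (not from the MySQL manual): flag mysqld server processes
# that are not running as the expected system account.
# EXPECTED_USER and the function names are hypothetical names chosen here.
EXPECTED_USER="${EXPECTED_USER:-mysql}"

# Reads "USER PID COMMAND [ARGS...]" lines on stdin, the layout printed by
#   ps -eo user=,pid=,args=
# Prints "USER PID EXECUTABLE" for each offending mysqld process and
# returns 1 if at least one was found, 0 otherwise.
audit_mysqld_users() {
    awk -v want="$EXPECTED_USER" '
    {
        # Compare the basename of the executable, so that the mysqld_safe
        # wrapper (run by /bin/sh, often as root) and "grep mysql" are skipped.
        n = split($3, parts, "/")
        if (parts[n] == "mysqld" && $1 != want) {
            print $1, $2, $3
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample input: the first, second and fourth lines are adapted
# from the ps output above; the third (mysqld owned by root) is invented
# to show a finding.
sample_ps() {
    cat <<'EOF'
root 10467 /bin/sh ./mysqld_safe --ndbcluster --ndb-connectstring=localhost:1186
mysql 10512 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --user=mysql --ndbcluster
root 20731 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --user=root --ndbcluster
jon 10579 grep mysql
EOF
}

# Demonstration on the sample; on a live host use:
#   ps -eo user=,pid=,args= | audit_mysqld_users
sample_ps | audit_mysqld_users || echo "WARNING: mysqld is running as a user other than $EXPECTED_USER"
```

The nonzero exit status makes the function usable as a monitoring or cron check; the root-owned mysqld_safe wrapper is deliberately not reported, matching the output shown above.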
As mentioned in the previous section (see Section 22.214.171.124, “MySQL Cluster and MySQL Privileges”), you should always set a root password for the MySQL Server as soon as you have it running. You should also delete the anonymous user account that is installed by default. You can accomplish these tasks using the following statements:
    mysql -u root
    mysql> DELETE FROM mysql.user
        ->     WHERE User='';
    mysql> FLUSH PRIVILEGES;
Many of the MySQL Cluster utilities such as ndb_select_all also work without authentication and can reveal table names, schemas, and data. By default these are installed on Unix-style systems with the permissions rwxr-xr-x (755), which means they can be executed by any user that can access the
See Section 15.4, “MySQL Cluster Programs”, for more information about these utilities.