MySQL 5.5 Reference Manual

B.5.4.5 How to Protect or Change the MySQL Unix Socket File

The default location for the Unix socket file that the server uses for communication with local clients is /tmp/mysql.sock. (For some distribution formats, the directory might be different, such as /var/lib/mysql for RPMs.)

On some versions of Unix, anyone can delete files in the /tmp directory or other similar directories used for temporary files. If the socket file is located in such a directory on your system, this might cause problems.

On most versions of Unix, you can protect your /tmp directory so that files can be deleted only by their owners or the superuser (root). To do this, set the sticky bit on the /tmp directory by logging in as root and using the following command:

shell> chmod +t /tmp

You can check whether the sticky bit is set by executing ls -ld /tmp. If the last permission character is t, the bit is set.
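The following is an added example, not part of the MySQL manual: it automates the ls -ld check for the directory that holds the socket file and also reports whether that directory is world-writable at all. The function name socket_dir_status and the file name mysql.sock under /var/lib/mysql are assumptions made for this example.

```shell
#!/bin/sh
# Report whether the directory holding a Unix socket file lets other
# users delete the socket. Prints: private | protected | exposed | missing
# (socket_dir_status is a hypothetical helper name, not a MySQL tool.)
socket_dir_status() {
    sock=$1
    dir=$(dirname -- "$sock")
    [ -d "$dir" ] || { echo missing; return 0; }

    # The first field of `ls -ld` is the mode string, e.g. drwxrwxrwt.
    # "$dir/." makes ls describe the directory itself even if $dir is a symlink.
    # Keep only 10 characters: some systems append '.', '+' or '@' to the mode.
    mode=$(ls -ld -- "$dir/." | cut -c1-10)
    other_w=$(printf '%s' "$mode" | cut -c9)
    last=$(printf '%s' "$mode" | cut -c10)

    if [ "$other_w" != "w" ]; then
        echo private      # other users cannot create or delete entries here
    elif [ "$last" = "t" ] || [ "$last" = "T" ]; then
        echo protected    # world-writable, but the sticky bit restricts deletion
    else
        echo exposed      # world-writable and no sticky bit: anyone can delete
    fi
}

# Check the default location and the RPM directory named above
# (the file name inside /var/lib/mysql is assumed).
for s in /tmp/mysql.sock /var/lib/mysql/mysql.sock; do
    printf '%s: %s\n' "$s" "$(socket_dir_status "$s")"
done
```

A result of exposed means the chmod +t step above has not been applied to that directory; T (capital) is treated like t because it also indicates the sticky bit.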

Another approach is to change the place where the server creates the Unix socket file. If you do this, you should also let client programs know the new location of the file. You can specify the file location in several ways:

You can test whether the new socket location works by attempting to connect to the server with this command:

shell> mysqladmin --socket=/path/to/socket version

User Comments
  Posted by on January 25, 2006
Thanks Elliot! Here's a more detailed example:

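#!/opt/bin/perl -w
use DBI;

# Tell the MySQL client library where the relocated socket file is.
$ENV{MYSQL_UNIX_PORT} = "/home/me/mysql/mysql.sock";
# host=localhost makes the driver connect through the Unix socket.
my $dbh = DBI->connect("DBI:mysql:database=mydb;host=localhost", "user", "passwd", {'RaiseError' => 1});

# Do work here...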


  Posted by Peter Kristolaitis on October 10, 2006
Setting the sticky bit is sufficient in most cases, but a rogue process run in root's context (or the MySQL user context) can still remove the pipe file.

For additional security on BSD-based platforms (I tested with FreeBSD; I think OpenBSD also supports this), set the SAPPEND flag on the file:

chflags sappend /tmp/mysql.sock

This makes the file append-only (which is perfect for a pipe), and it cannot be removed without first unsetting the flag.

My first inclination was to use the SCHG flag, but that means nothing can write to the pipe. :)

I don't think Linux has anything like BSD filesystem flags, so I don't think this works on Linux systems.
