[debian-mysql] Bug#595120: suggestion for resolution to bug#595120 - skip-name-resolve in mysql-server-5.1

Clint Byrum clint at ubuntu.com
Thu Oct 7 08:12:39 UTC 2010


Reverse-dns is one of the least reliable forms of host identification
one can use. While source IP address isn't much better, it at least
requires a full man in the middle or layer-2 compromise. With the
default setting in mysql of resolving each and every hostname, one
gets a false sense of security. It's quite simple for a dns cache
poisoning attack from anywhere to end up allowing somebody to connect
from the wrong host.

Also, running with skip-name-resolve means one less step to perform
while connecting to the server, resulting in lower connection
latency. It also means more reliability, as mysql will continue to
function even if its DNS resolvers are down.

Even if this option is left on, it's reasonable to suggest that mysql
can be *started* before the local named that it might use is available
for resolving names. Any named that does rely on a local mysqld
should be configured, by default, to connect to mysql on the
localhost/unix socket anyway, so it won't cause any issues to place
it after mysqld for startup. Likewise, mysqld will be functional
enough to function for any local service that needs it between
starting and a local resolver starting.

Here is a debdiff which just removes $named from the Should portions.
While I do think skip-name-resolve is actually the better default
mode, it will likely break people's systems on upgrade if it is
forcibly turned off, and could even open security holes if certain
hostnames have been restricted while others, like '%' have more
capabilities. That change would need to go into squeeze+1 after
some discussion and possibly include adding a debconf warning/question.


diff -u mysql-5.1-5.1.49/debian/mysql-server-5.1.mysql.init mysql-5.1-5.1.49/debian/mysql-server-5.1.mysql.init
--- mysql-5.1-5.1.49/debian/mysql-server-5.1.mysql.init
+++ mysql-5.1-5.1.49/debian/mysql-server-5.1.mysql.init
@@ -4,8 +4,8 @@
 # Provides:          mysql
 # Required-Start:    $remote_fs $syslog
 # Required-Stop:     $remote_fs $syslog
-# Should-Start:      $network $named $time
-# Should-Stop:       $network $named $time
+# Should-Start:      $network $time
+# Should-Stop:       $network $time
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Start and stop the mysql database server daemon
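Review bot: dropping `$named` from `Should-Start` opens a window in which mysqld accepts TCP clients before a local resolver is up, and a server that still runs without skip-name-resolve cannot match such a client against hostname-based grant rows in that window, only against IP-literal or wildcard rows. The covering text argues the local unix-socket case; the remote-client window deserves a sentence in the changelog entry or README.Debian so administrators who rely on hostname grants are not surprised. Removing `$named` from `Should-Stop` as well keeps the start and stop ordering symmetric, which is fine.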
diff -u mysql-5.1-5.1.49/debian/changelog mysql-5.1-5.1.49/debian/changelog
--- mysql-5.1-5.1.49/debian/changelog
+++ mysql-5.1-5.1.49/debian/changelog
@@ -1,3 +1,10 @@
+mysql-5.1 (5.1.49-1.1) unstable; urgency=low
+
+  * debian/mysql-server-5.1.mysql.init: Remove $named from 
+      Should-Start/Should-Stop (closes: #595120)
+
+ -- Clint Byrum <clint at ubuntu.com>  Thu, 07 Oct 2010 01:02:49 -0700
+
 mysql-5.1 (5.1.49-1) unstable; urgency=low
 
   * New upstream release.
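Review bot: the first bullet line carries trailing whitespace after `Remove $named from `, and a `-1.1` non-maintainer version normally opens its entry with a `* Non-maintainer upload.` bullet before the change itself. `closes: #595120` is matched by dpkg's case-insensitive parser, but the conventional spelling in Debian changelogs is `Closes: #595120`.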

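The message warns that turning skip-name-resolve on can strand accounts whose Host column holds a hostname and, where the same user also has a '%' row, silently route those clients to the broader account. The following audit is an added example written for this page, not code from the post, from Debian's packaging or from MySQL; it takes rows shaped like the output of `SELECT User, Host FROM mysql.user` (the sample below is constructed) and flags the rows that would stop matching once mysqld compares only IP addresses and `localhost`, as the 5.1 documentation describes for that option. The host-classification rules are the author's reading of that behaviour, not an exact copy of mysqld's matcher.

```python
import ipaddress
import re

# Constructed sample of what `SELECT User, Host FROM mysql.user` might return.
# These rows are invented for the example and describe no real server.
SAMPLE_USER_ROWS = [
    ("root", "localhost"),
    ("root", "db1.example.com"),
    ("app", "10.0.0.%"),
    ("app", "%"),
    ("app", "batch.example.com"),
    ("report", "reports.example.com"),
    ("backup", "127.0.0.1"),
    ("monitor", "192.168.0.0/255.255.255.0"),
]


def classify_host(host):
    """Classify a grant-table Host value by how it can be matched when
    mysqld compares only IP addresses (skip-name-resolve on)."""
    if host in ("", "%"):
        return "any"              # matches every client
    if host == "localhost":
        return "localhost"        # still honoured for socket connections
    try:
        ipaddress.ip_address(host)
        return "ip"               # literal address, e.g. 127.0.0.1
    except ValueError:
        pass
    if "/" in host:               # address/netmask form, e.g. 10.0.0.0/255.0.0.0
        addr, _, mask = host.partition("/")
        try:
            ipaddress.ip_address(addr)
            ipaddress.ip_address(mask)
            return "ip-netmask"
        except ValueError:
            return "hostname"     # a name with a slash is still a name
    if re.fullmatch(r"[0-9.%_]+", host):
        return "ip-wildcard"      # dotted form with % or _ wildcards, e.g. 10.0.0.%
    return "hostname"             # anything else needs reverse DNS to match


def audit_for_skip_name_resolve(rows):
    """Return one finding per Host value that needs name resolution.

    A hostname row becomes unreachable under skip-name-resolve; if the same
    user also has an 'any' row, clients that used to hit the hostname row
    fall through to the wildcard account instead, which is the privilege
    change the message warns about.
    """
    hosts_by_user = {}
    for user, host in rows:
        hosts_by_user.setdefault(user, []).append(host)

    findings = []
    for user, hosts in hosts_by_user.items():
        kinds = {h: classify_host(h) for h in hosts}
        has_any = "any" in kinds.values()
        for host, kind in kinds.items():
            if kind != "hostname":
                continue
            issue = ("falls through to wildcard account" if has_any
                     else "account becomes unreachable")
            findings.append({"user": user, "host": host, "issue": issue})
    return findings


if __name__ == "__main__":
    for f in audit_for_skip_name_resolve(SAMPLE_USER_ROWS):
        print("{user}@{host}: {issue}".format(**f))
```

Run it against a real dump before flipping the option; every "falls through" line is a user whose effective privileges would change, and every "unreachable" line is a client that would start failing with an access-denied error rather than a resolver timeout.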