[debian-mysql] MySQL "hardening?"

Otto Kekäläinen otto at seravo.fi
Fri Apr 3 18:03:19 UTC 2015


Hello Ralf!

2015-04-02 17:53 GMT+03:00 Ralf G. R. Bergs <Ralf+Debian at bergs.biz>:
> Hi guys.
>
> Is there any (documented?) security hardening you're applying to the
> standard (upstream) distribution of MySQL when it's "Debianized?"

In Debian we used to apply the hardening-wrapper package/tool in
mysql-5.5 and mariadb-5.5 packages until it was deprecated in the
Debian policy. In mysql-5.6 and mariadb-10.0 we are using the new
compiler flags based hardening. See e.g. the rules file
https://github.com/ottok/mariadb-10.0/blob/master/debian/rules

I am though not sure that we are using the most optimal hardening
flags. I am also not aware of any tools that can be used on binaries
to test if they really are hardened (e.g. random memory positions) or
not, because I suspect that some of the compiler hardening flags might
not even have an effect at the moment.

If you are an expert in this area or even just somebody with basic
skills and have time to research it, I am sure everybody would be glad
to get contributions on how to improve the current situation.

https://wiki.debian.org/Hardening
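
An added example, not part of the original message or of the Debian packaging: one way to check from the ELF headers whether linker-level hardening (position-independent code, non-executable stack, RELRO, immediate binding) actually took effect in a binary. It assumes a little-endian ELF64 file; `elf_hardening` and `build_sample` are hypothetical names, and the sample image is constructed for illustration.

```python
import struct
import sys
from pathlib import Path

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
ET_DYN, PF_X = 3, 0x1
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf_hardening(data):
    """Report linker-level hardening visible in a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    phoff = struct.unpack_from("<Q", data, 32)[0]
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    res = {"pie": e_type == ET_DYN,  # ET_DYN: PIE executable or shared object
           "nx_stack": False, "relro": False, "bind_now": False}
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, p_flags, p_off = struct.unpack_from("<IIQ", data, base)
        p_filesz = struct.unpack_from("<Q", data, base + 32)[0]
        if p_type == PT_GNU_STACK:      # absent header leaves nx_stack False
            res["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:    # without bind_now this is partial RELRO
            res["relro"] = True
        elif p_type == PT_DYNAMIC:      # walk the 16-byte (tag, value) entries
            for pos in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, pos)
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    res["bind_now"] = True
    return res

def build_sample(e_type, stack_flags, relro, dyn):
    """Constructed test image: ELF64 header, program headers, dynamic section."""
    segs = [(PT_GNU_STACK, stack_flags)] + ([(PT_GNU_RELRO, 4)] if relro else [])
    dyn_off = 64 + 56 * (len(segs) + 1)
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(0, 0)])
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(segs) + 1, 0, 0, 0)
    ph = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in segs)
    ph += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                      len(dyn_bytes), len(dyn_bytes), 8)
    return hdr + ph + dyn_bytes

if __name__ == "__main__":  # pass a path to inspect a real binary
    image = (Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1
             else build_sample(ET_DYN, 6, True, [(DT_FLAGS, DF_BIND_NOW)]))
    print(elf_hardening(image))
```

Compiler-level protections such as the stack protector leave no trace in these headers; they show up only as references to symbols like `__stack_chk_fail` in the dynamic symbol table, which this check does not read.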


