MIDRANGE dot COM Mailing List Archive




RE: problems starting mysql qp2term vs qsh




Jim,

I think you're thinking of the --skip-grant-tables option
(http://preview.tinyurl.com/k6l3fhw), which definitely has the potential to
be a very big security hole. (And it's a reason that MySQL admins need to
make sure that all MySQL configuration routes--.cnf files, startup
scripts, the mysql/bin directory, and the mysqldata directory--are tightly
controlled.)

But mysqld_safe itself does not introduce any specific security concerns.
Because mysqld_safe is simply a wrapper around mysqld, it will use exactly
the same security configuration as starting mysqld directly. mysqld_safe
is the preferred way to run MySQL in every other platform that I know of,
and it's the recommended way to run MySQL on IBM i *if* one is not using
the standard Zend install. "_safe" really is safe!

I do agree with your other point, though, that anyone using the Zend
distribution would generally be best served by using the Zend-supplied
commands, subsystems, etc. It's not clear to me whether that's Dale's
situation or not.

Tim
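
A check for the two points in the message above (an active skip-grant-tables setting, and loosely controlled .cnf files, startup scripts, bin and data directories), as an added example that is not part of the original thread. The function names and the demo tree are constructed for illustration; real paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are supplied by the caller.

# List active skip-grant-tables settings in option files or startup scripts.
# mysqld treats '-' and '_' in option names as equivalent. Whole-line comments
# (# or ;) are ignored; anything else is reported, so review each hit by hand.
scan_skip_grant() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk '/skip[-_]grant[-_]tables/ && !/^[ \t]*[#;]/ {
                 print FILENAME ":" FNR ": " $0 }' "$f"
    done
    return 0
}

# List files and directories under the given paths that group or other can
# write to. Symlinks are skipped because their own mode bits are meaningless.
scan_loose_perms() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" ! -type l \( -perm -020 -o -perm -002 \) -print
    done
    return 0
}

# Constructed demo tree standing in for an install directory (not real paths).
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/data"
    printf '[mysqld]\n# skip-grant-tables\nskip_grant_tables\n' > "$d/my.cnf"
    printf '#!/bin/sh\nbin/mysqld_safe --user=mysql &\n' > "$d/start.sh"
    chmod 755 "$d/bin"; chmod 700 "$d/data"; chmod 644 "$d/my.cnf"
    chmod 666 "$d/start.sh"          # deliberately writable by everyone
    echo "$d"
}

d=$(demo_tree)
echo "== active skip-grant-tables settings =="
scan_skip_grant "$d/my.cnf" "$d/start.sh"
echo "== group- or world-writable paths =="
scan_loose_perms "$d"
rm -rf "$d"
```

Any output from either scan is a finding: the first means the server would start without enforcing its grant tables, the second means someone other than the owner could add that option or replace a binary.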



date: Wed, 25 Jun 2014 13:00:03 -0500
from: "Jim Oberholtzer" <midrangel@xxxxxxxxxxxxxxxxx>
subject: RE: problems starting mysql qp2term vs qsh

Yes, that starts MySQL in a mode that does not require authentication to
access the databases, in other words in a safe environment. Usually it's
only used for setting/resetting the root password and other limited
administration tasks. Logging is not the issue; lack of MySQL enforced
authorities is the problem.

Also consider this. If the MySQL application needs to access DB/2 data
(maybe even using the DB/2 engine so the MySQL data is actually stored in
DB/2) and the daemon runs with a profile that has very significant
authority, then the MySQL access will use that authority to access the
data. Maybe not such a good thing? Of course your situation may not be a
significant enough exposure to care, but at some point someone will care
about it.

--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Timothy P Clark
Sent: Wednesday, June 25, 2014 12:24 PM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: problems starting mysql qp2term vs qsh

Hi Jim,

I'm confused by your statement about the insecurity of safe mode. Are you
referring to the fact that the command invoked to start the MySQL server
daemon is mysqld_safe (as opposed to calling mysqld directly)? The script
invoked with mysqld_safe is just a wrapper around mysqld that sets up some
error logging and allows the server to restart if it crashes. Are you
concerned about a security exposure with the logging?

Tim


date: Wed, 25 Jun 2014 11:28:19 -0500
from: "Jim Oberholtzer" <midrangel@xxxxxxxxxxxxxxxxx>
subject: RE: problems starting mysql qp2term vs qsh

Another thing I notice is it appears as though you are running MySQL
in "safe" mode which is not secure nor is it meant for real production.

You don't mention how you put MySQL on the system, but if it's part of the
Zend Server distribution then I strongly suggest you start it there
manually, and if the subsystem is set up properly you would not need
to start MySQL as a daemon in QUSRSYS, rather it would run in its own
subsystem. That subsystem has the pre/auto start jobs needed to start
MySQL.

--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Mark S Waterbury
Sent: Wednesday, June 25, 2014 10:43 AM
To: Midrange Systems Technical Discussion
Subject: Re: problems starting mysql qp2term vs qsh

Dale:

The STRQSH (or QSH) command invokes the OS/400 QShell ... but that does not
run in PASE, and is not the same as the PASE shell.

You need to CALL QP2SHELL or QP2SHELL2 in order to run that command in a
PASE environment.

See:

http://www.mcpressonline.com/tips-techniques/programming/techtip-qshell-vs-pase.html

for a good explanation of the differences.

Hope that helps,

Mark S. Waterbury

> On 6/25/2014 10:47 AM, Dale Janus wrote:
We need mysql to run some programs on our internal website. We
cannot get a QSH script to start it automatically, even though it
looks identical to entering the commands in QP2TERM.

The only way we can start MYSQL is to enter these three lines from a
command line:

Call QP2TERM

cd /QOpenSys/usr/local/mysql/mysql-5.1.39-i5os-power-64bit

bin/mysqld_safe --user=mysql &


Lately we have been taking down qinter subsystem at night and that
ends mysql since qp2term is tied to an emulation session.

We created a cl command using qsh so we could automate the start up process

QSH CMD('cd +
/QOpenSys/usr/local/mysql/mysql-5.1.39-i5os+
-power-64bit; bin/mysqld_safe --user=mysql &')

This command looks like it works, but our website reports mysql not
running errors: Warning: mysql_connect(): No such file or directory
in /www/mysql.php on line 2 No such file or directory


This automated shut down CL command works:


QSH CMD('cd +
/QOpenSys/usr/local/mysql/mysql-5.1.39-i5os+
-power-64bit; bin/mysqladmin -u root shutdown')

When we run the qp2term commands, it looks like this:

$
> cd /QOpenSys/usr/local/mysql/mysql-5.1.39-i5os-power-64bit
$
> bin/mysqld_safe --user=mysql &
[1] 1177113
$ 140625 10:02:50 mysqld_safe Logging to '/QOpenSys/mysql/data/SPT400.SPECIALTYPIPE.COM.err'.
140625 10:02:59 mysqld_safe Starting mysqld daemon with databases from /QOpenSys/mysql/data
140625 10:03:40 mysqld_safe mysqld from pid file /QOpenSys/mysql/data/SPT400.SPECIALTYPIPE.COM.pid ended



When we run the CL program calling QSH it looks like this:

140625 10:04:19 mysqld_safe Logging to '/QOpenSys/mysql/data/SPT400.SPECIALTYPIPE.COM.err'.
140625 10:04:31 mysqld_safe Starting mysqld daemon with databases from /QOpenSys/mysql/data
140625 10:04:36 mysqld_safe mysqld from pid file /QOpenSys/mysql/data/SPT400.SPECIALTYPIPE.COM.pid ended
Press ENTER to end terminal session.

(it does not matter if I press ENTER to end terminal session or not)

Even though it looks like the QSH script is working just like the
QP2TERM commands, MYSQL does not work on our web site. Can anyone
explain the difference?

---Dale















This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact