Hi, just wanted to drop you a short note that one should consider making mysql listen on 127.0.0.1 only as a secure default. This can be done by adding "bind-address = 127.0.0.1" to "[mysqld]" in /etc/mysql/my.cnf. At least consider adding this line commented out to make it easy for people to do this. Trivial - but it would be really trivial to implement too, and it would make any gentoo mysql installation a lot more secure-by-default. Because at the moment mysql seems to listen on all interfaces by default, forming a potential security risk by leaving the port wide open to the public. Yet I would assume that most people install mysql for webserver usage and the like (i.e. localhost connections only) and not as a dedicated database server. Those who do want to use it as a dedicated server are surely skilled enough to re-enable listening on the appropriate ip/interface. :) Thanks. Regards, Daniel

Reproducible: Always

Steps to Reproduce:
1. netstat -ant --> :-/
2. edit /etc/mysql/my.cnf, add "bind-address=127.0.0.1" to [mysqld], restart mysql
3. netstat -ant --> :-)

Actual Results: security boost. :)

Expected Results: secure-by-default installation - only listen on 127.0.0.1:3306
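The two steps in the report above (look at what is listening, then pin bind-address in the [mysqld] section) as a small POSIX sh helper. This is an added example, not code from the bug report or from Gentoo's mysql ebuild: it assumes the six-column `netstat -ant` layout (local address in column 4, state in the last column), and the my.cnf path is passed in as an argument rather than hard-coded to /etc/mysql/my.cnf.

```shell
#!/bin/sh
# Added example: audit whether mysqld is reachable beyond loopback and make
# sure the [mysqld] section of a my.cnf carries an active bind-address line.

# mysql_exposed_listeners: reads `netstat -ant` output on stdin and prints the
# local address of every LISTEN socket on port 3306 that is not bound to
# loopback (127.0.0.1 or ::1). No output means nothing is exposed.
mysql_exposed_listeners() {
    awk '$NF == "LISTEN" {
        addr = $4                       # e.g. 0.0.0.0:3306, 127.0.0.1:3306, :::3306
        n = split(addr, parts, ":")
        port = parts[n]                 # port is always the last colon-separated field
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port != "3306") next
        if (host == "127.0.0.1" || host == "::1") next
        print addr
    }'
}

# ensure_bind_address FILE [ADDR]: rewrite FILE so that its [mysqld] section
# contains exactly one active "bind-address = ADDR" line (default 127.0.0.1).
# A commented-out "# bind-address = ..." in that section is activated in place;
# an existing active line is replaced; if none exists it is appended to the
# section; if there is no [mysqld] section at all, one is appended.
ensure_bind_address() {
    cnf=$1
    addr=${2:-127.0.0.1}
    awk -v addr="$addr" '
        /^\[/ {
            # leaving [mysqld] without having written the line: write it first
            if (in_mysqld && !done) { print "bind-address = " addr; done = 1 }
            in_mysqld = ($0 == "[mysqld]")
        }
        in_mysqld && /^[ \t]*#?[ \t]*bind-address[ \t]*=/ {
            if (!done) { print "bind-address = " addr; done = 1 }
            next                        # drop the old (or commented) line
        }
        { print }
        END {
            if (!done) {
                if (!in_mysqld) print "[mysqld]"
                print "bind-address = " addr
            }
        }
    ' "$cnf" > "$cnf.tmp" && mv "$cnf.tmp" "$cnf"
}

# Usage: ./mysql-bind-check.sh --check      (lists exposed 3306 listeners)
#        ./mysql-bind-check.sh --fix FILE   (pins bind-address in FILE)
case "${1:-}" in
    --check) netstat -ant | mysql_exposed_listeners ;;
    --fix)   ensure_bind_address "$2" ;;
esac
```

After `--fix`, mysql still has to be restarted for the change to take effect, and the file you edit must be the one the running mysqld actually reads; re-running `--check` afterwards is the confirmation that the socket moved to loopback.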
in cvs shortly.
Maybe I'm just doing something wrong here, but emerging the 4.0.14-r1 ebuild (from 4.0.14) still seems to leave mysql listening on external interfaces. It seems that it's still using the old /etc/mysql/my.cnf and not the new my.cnf-4.0.14-r1. As far as I could tell, there's nothing in the init script or mysqld_safe that would know to look for a certain version of my.cnf. If I move the old my.cnf and create a link to my.cnf-4.0.14-r1, it does seem to restrict access to localhost. (I would reopen this, but it doesn't seem that I can do that...)