Update mysql formula to listen on 127.0.0.1 by default #20090

Closed
@slottermoser
Contributor

slottermoser commented May 26, 2013

It's generally not a good idea to allow remote connections to MySQL. Make it safe by default. This way it listens only for local connections instead of allowing for remote connections. Otherwise MySQL is open for remote connections, and since the default password is blank, it is trivial for anyone on your network to login and drop all your tables :)

Update mysql formula to listen on 127.0.0.1 by default
It's generally not a good idea to allow remote connections to mysql. Make it safe by default.
@adamv

Contributor

adamv commented May 26, 2013

This is probably a good idea, but when I need to use MySQL on an OS X host I usually end up running it in a Linux VM anyway.

Do we want to have a localhost-by-default policy for all server software that we provide?

> it is trivial for anyone on your network to login and drop all your tables

There's a point where "know what you are doing by installing servers" is acceptable though.

@slottermoser

Contributor

slottermoser commented May 26, 2013

@adamv I absolutely agree that those who install servers should know what they're doing in the first place. Still, I would expect a db installation on my OS X box, which is most likely used for development purposes, should allow only local connections by default. Let's consider a few scenarios:

  1. I am a web developer who needs a MySQL server for my dev environment. I'm using OS X, and I love homebrew, so I do a quick brew install mysql. "That was easy!" I think to myself as I sip a drink at my local coffee shop, unaware that I have MySQL on a public port 3306 just waiting for my neighbor to play with. Hopefully I'm not a dev who puts sensitive information in my dev db (if I am, I should probably be fired).
  2. I'm a bit savvier of a developer and notice port 3306 is open over all network interfaces. "I should be able to lock this down easily enough". A quick Google search turns into a bit longer of a routine while I try to figure out how to modify the LaunchAgent (that was me in real life). 20-30 minutes later I finish and think to myself, "Why wasn't that the default?"

Consider the opposite scenario, someone who wants MySQL to allow remote connections. He or she opens up the LaunchAgent plist, deletes the argument to bind to 127.0.0.1, reloads the LaunchAgent, and goes about his or her merry way. Scenarios 1 and 2 above are mitigated by a helpful default.

Deciding what to do with all server software might be beyond the scope of this pull request, but that is what a lot of development tools that install server software on OS X/Windows machines do. I guess it depends on whether the main target for homebrew's server packages is for development or production environments. Considering that most people deploy to production on Linux boxes, I would assume the first.
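The two checks a developer in scenario 2 actually wants, written here as an added POSIX shell example that is not part of the Homebrew formula or this pull request: does the launchd plist pass a loopback bind argument (assumed to be mysqld's `--bind-address` option, which the thread does not name), and is the running daemon really listening only on loopback. The plist label, binary path and lsof-style lines are constructed samples.

```shell
# Constructed sample: a launchd plist whose ProgramArguments carry the bind flag.
# Label and path are placeholders, not Homebrew's real values.
SAFE_PLIST='<plist version="1.0"><dict>
  <key>Label</key><string>example.mysql</string>
  <key>ProgramArguments</key>
  <array>
    <string>/path/to/mysqld_safe</string>
    <string>--bind-address=127.0.0.1</string>
  </array>
</dict></plist>'

# The "opposite scenario" from the thread: same plist with the argument deleted.
OPEN_PLIST=$(printf '%s\n' "$SAFE_PLIST" | grep -v -- '--bind-address=')

# Print the address given to --bind-address in a plist, or nothing when absent
# (absent means mysqld uses its own default, which is not loopback-only).
plist_bind_address() {
    printf '%s\n' "$1" \
        | sed -n 's/.*<string>--bind-address=\([^<]*\)<\/string>.*/\1/p' \
        | head -n 1
}

# Exit 0 only when the plist pins mysqld to a loopback address.
plist_is_local_only() {
    case "$(plist_bind_address "$1")" in
        127.*|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Runtime check: feed `lsof -i -P -n` style lines on stdin; succeed only if every
# LISTEN socket on the given port is bound to 127.0.0.1 or [::1], not "*".
listener_is_local() {
    awk -v port="$1" '
        /\(LISTEN\)/ && $0 ~ (":" port " ") {
            n++
            if ($0 !~ ("127\\.0\\.0\\.1:" port " ") && $0 !~ ("\\[::1\\]:" port " ")) bad++
        }
        END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}

# Constructed lsof-style lines for both situations (not real captures).
LSOF_LOCAL='mysqld  4242 dev  10u  IPv4 0x1 0t0  TCP 127.0.0.1:3306 (LISTEN)'
LSOF_OPEN='mysqld  4242 dev  10u  IPv4 0x1 0t0  TCP *:3306 (LISTEN)'
```

On a real box, `lsof -i -P -n | listener_is_local 3306` gives the answer the plist alone cannot, since a running mysqld may have been started from a different config.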

@MikeMcQuaid

Member

MikeMcQuaid commented May 27, 2013

I'm with @slottermoser here and I think this probably should apply to all server software that is almost certainly there for development instead of production use (e.g. an AirDisplay server or something seems reasonable to not bind to localhost whereas MySQL should be bound).
@adamv Mind if I merge?

@adamv

Contributor

adamv commented May 27, 2013

Sounds fine, I'll pull this.

@adamv adamv closed this in 2e81448 May 27, 2013

handyman5 pushed a commit to handyman5/homebrew that referenced this pull request Oct 7, 2013

mysql: listen on 127.0.0.1 by default
It's generally not a good idea to allow remote connections to mysql.
Make it safe by default.

Closes Homebrew#20090.

Signed-off-by: Adam Vandenberg <flangy@gmail.com>

@Homebrew Homebrew locked and limited conversation to collaborators Feb 16, 2016