MySQL server config file permissions on Ubuntu 18.04

Question

Today, I realized that on Ubuntu 18.04, the usual MySQL (version 5.7.26) config file in /etc/mysql/my.cnf is a symbolic link and and world-readable/writable. What is interesting is that the file that it points to is another symbolic link pointing back to my.cnf. Why is that? And if we want to change the config, which file should we edit? Also, isn't it a really awful decision to make it world-readable/writable by default?

# ls -l /etc/mysql/
drwxr-xr-x 2 root root 4096 May 21 16:30 conf.d
-rwxr-xr-x 1 root root  120 Apr 25 18:10 debian-start
-rw------- 1 root root  317 May 21 16:30 debian.cnf
lrwxrwxrwx 1 root root   24 May 21 16:30 my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root  839 Aug  3  2016 my.cnf.fallback
-rw-r--r-- 1 root root  682 Jan 12  2018 mysql.cnf
drwxr-xr-x 2 root root 4096 May 21 16:30 mysql.conf.d

# ls -l /etc/alternatives/my.cnf
lrwxrwxrwx 1 root root 20 May 21 16:30 /etc/alternatives/my.cnf -> /etc/mysql/mysql.cnf

Note: This is a clean Ubuntu & MySql installation with mysql_secure_installation command. Nothing else has been changed.

score 3 · Accepted Answer · answered May 21 '19 at 17:12

Symlinks are always world readable/writeable. The permissions of the target file is the only thing that matters. Changing permissions on a symlink changes permissions on target file:

$ ls -l
total 0
-rw-r--r-- 1 vidarlo users 0 May 21 19:10 a
lrwxrwxrwx 1 vidarlo users 1 May 21 19:10 b -> a
$ chmod 755 b
$ ls -la
-rwxr-xr-x 1 vidarlo users 0 May 21 19:10 a
lrwxrwxrwx 1 vidarlo users 1 May 21 19:10 b -> a

The target, /etc/mysql/mysql.cnf is not world writable. Thus a user will not be able to overwrite it, independent of the symlinks.

MySQL server config file permissions on Ubuntu 18.04

1 Answers1

Linked