As part of the CIS hardening recommendation 6.2.8 (ensure users' home directories are not world readable): the mysql user's home, which is "/var/lib/mysql/", is currently created with 0755 permissions by the charm itself.
The current recommendation from the MySQL package source is to chmod /var/lib/mysql to 0700 with mysql:mysql as owner.
Technically speaking, restricting it to at least 750 instead should not be an issue, since the folder for mysql-router is restricted to the mysql user anyway.
ubuntu@juju-255cc0-0-lxd-5:~$ ls /var/lib/mysql/ -la
total 12
drwxr-xr-x 3 mysql mysql 4096 Oct 18 07:53 .
drwxr-xr-x 46 root root 4096 Oct 18 07:51 ..
drwx------ 5 mysql mysql 4096 Oct 18 07:54 keystone-mysql-router
The directory seems to be created in ./src/lib/charm/openstack/mysql_router.py, in the install method, with the following code at lines 305-309:

# Create the directory
if not os.path.exists(self.mysqlrouter_home_dir):
    ch_core.host.mkdir(
        self.mysqlrouter_home_dir,
        owner=self.mysqlrouter_user,
        group=self.mysqlrouter_group,
        perms=0o755)
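As an added illustration (not the charm's own code), the following stand-alone Python checks a home directory against the CIS 6.2.8 condition and creates or fixes it with the 0750 mode proposed above; audit_home_dir, harden_home_dir and demo are names chosen here, and the chown to mysql:mysql is left out because it needs root.

```python
import os
import stat
import tempfile

# CIS 6.2.8: a home directory must not be group-writable or world-accessible.
# Bits that must therefore be clear: group write and all "other" bits.
FORBIDDEN_BITS = stat.S_IWGRP | stat.S_IRWXO


def audit_home_dir(path):
    """Return a list of findings for one home directory; an empty list means compliant."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("%s: group-writable (mode %04o)" % (path, mode))
    if mode & stat.S_IRWXO:
        findings.append("%s: world-accessible (mode %04o)" % (path, mode))
    return findings


def harden_home_dir(path, perms=0o750):
    """Create the directory if missing and enforce perms; return the resulting mode.

    Same intent as the charm's install step, but with a CIS-compliant default
    of 0o750 (0o700 would match the upstream MySQL packaging recommendation).
    """
    if perms & FORBIDDEN_BITS:
        raise ValueError("perms %04o leave group-write or world bits set" % perms)
    os.makedirs(path, mode=perms, exist_ok=True)
    # makedirs honours umask and never touches an existing directory,
    # so the mode is applied explicitly to cover the "already exists" case.
    os.chmod(path, perms)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Reproduce the report in a temp dir: 0o755 fails the audit, 0o750 passes."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "mysql")  # constructed stand-in for /var/lib/mysql
        os.makedirs(home)
        os.chmod(home, 0o755)  # what the charm currently does
        before = audit_home_dir(home)
        fixed_mode = harden_home_dir(home)
        after = audit_home_dir(home)
    return {"before": before, "after": after, "fixed_mode": fixed_mode}


if __name__ == "__main__":
    print(demo())
```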