> No: /etc/pki/CA should NOT be group writeable. Ditto for /etc/pki/tls/certs and private.
Ok, yeah I can understand that. I'll correct it. Still need a way to get SSL enabled however. Any suggestions there?
Thanks Tim
On Thu, Mar 12, 2015 at 11:40 AM, m.roth@5-cent.us wrote:
Tim Dunphy wrote:
The mysqld process runs as the mysql user. Its parent, which is the mysqld_safe, runs as the root user. That being said, the mysql user needs to have at least read permission to the locations where the ssl files are located. By default on CentOS the /etc/pki/CA/private directory has its directory permissions to only allow the root user. If the mysql user cannot read all ssl files SSL will not work.
<snip>
> Thanks for your reply! That answer actually makes complete sense. Ok, so
> here is what I tried, so far without success. I gave the mysql group
> ownership of all related directories. And changed group permissions so
> that group can access them:
>
> [root@web2:/etc] #ls -ld /etc/pki/CA
> drwxrwxr-x. 6 root mysql 4096 Jan 20 15:58 /etc/pki/CA
> [root@web2:/etc] #ls -ld /etc/pki/tls/{private,certs}
> drwxrwxr-x. 2 root mysql 4096 Mar 11 22:57 /etc/pki/tls/certs
> drwxrwxr-x. 2 root mysql 4096 Mar 11 22:57 /etc/pki/tls/private
>
> Restarted the mariadb service. And when I took another look at the SSL
> variable, it's still showing that SSL is not enabled:
<snip>

Some of those will *not* work. For example, you will have ssh issues yourself if ~/.ssh is *anything* other than 700.
No: /etc/pki/CA should NOT be group writeable. Ditto for /etc/pki/tls/certs and private.
mark
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
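
The two points made in this thread (the service account must be able to read the SSL files, and the PKI directories must not be group writeable) can be checked together from the mode bits. This is an added example, not code from any poster in the thread; the function names are hypothetical, and it assumes the service account gets access through group membership and that the file is given as an absolute path.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the service account (e.g. mysql)
# gets access through group membership, and that FILE is an absolute path.

# Print the 10-character mode string (e.g. drwxr-x---) of a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# audit_group_access FILE [STOP_DIR]
# Walks from FILE's directory up to STOP_DIR (default /) and reports:
#   NO_READ     FILE lacks group read
#   WRITABLE    directory is group- or other-writable
#   NO_TRAVERSE directory lacks group execute, so group members cannot enter
# Returns 0 when nothing is reported, 1 otherwise.
audit_group_access() {
    file=$1
    stop=${2:-/}
    rc=0
    m=$(mode_of "$file")
    if [ "$(printf %s "$m" | cut -c5)" != r ]; then
        echo "NO_READ $m $file"; rc=1
    fi
    dir=$(dirname "$file")
    while :; do
        m=$(mode_of "$dir")
        gw=$(printf %s "$m" | cut -c6)   # group write bit
        gx=$(printf %s "$m" | cut -c7)   # group execute (or setgid) bit
        ow=$(printf %s "$m" | cut -c9)   # other write bit
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "WRITABLE $m $dir"; rc=1
        fi
        case $gx in
            x|s) ;;
            *) echo "NO_TRAVERSE $m $dir"; rc=1 ;;
        esac
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return "$rc"
}
```

Run against the directories listed above, mode `drwxrwxr-x` would be reported as `WRITABLE`, while a `drwxr-x---` directory with the same group passes both checks.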