
Re: chroot and FHS



Hi


On Thu, Jan 25, 2001 at 05:30:16PM +0100, Ingo Saitz wrote:
> > I like to build my mysql package with chroot support and therefore jail it
> > somewhere under /var/lib/mysql and link the log files to /var/log.
> Do you plan to make them officially available in debian?
Yes. Although selectable by a debconf switch, as many installations rely on
"SELECT ... INTO OUTFILE.." etc.

> You either have to copy the libraries into the chroot environment
> or provide a statically linked binary. Also, remember not to
> start mysql with a working directory outside the chroot.
Well, here lies the problem. MySQL has a --chroot=DIR option, but if started
this way it still uses the databases in /var/lib/mysql but writes the
logfile and OUTFILE data to the chroot. It also does not require any additional
libraries as it seems to be able to continue using the existing file
descriptors.

Would anybody say that in this case I should not rely on mysql's --chroot but
instead chroot it myself?

This would involve more work, and as mysql runs under a separate UID it should
not be able to harm the system libraries it is linked to.
It would on the other hand be a good jail for people trying to get
information by INFILE/OUTFILE tricks and in most cases buffer overflow
rootshells (as there would be no shells).
 
>     Ingo
bye,

 -christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen und Dueren     Tel 0241/701333-0
ch@westend.com     Internet & Security for Professionals    Fax 0241/911879
           WESTEND ist CISCO Systems Partner - Premium Certified
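
Added example, not part of the original message: a small audit of a candidate jail directory for the two things discussed above, symlinks that stop working once the daemon is chrooted (such as log files linked to /var/log) and shells left inside the jail. The function names, the list of shell names and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumed list of shell binary names to look for inside the jail.
SHELL_NAMES = {"sh", "bash", "dash", "ash", "csh", "tcsh", "ksh", "zsh"}

def audit_jail(jail):
    """Return sorted (kind, relative_path) findings for a chroot tree."""
    jail = os.path.realpath(jail)
    findings = []
    for dirpath, dirnames, filenames in os.walk(jail):  # symlinks not followed
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, jail)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                target = os.readlink(path)
                if os.path.isabs(target):
                    # After chroot() an absolute target is looked up under the
                    # new root, so a link to the host's /var/log dangles.
                    findings.append(("absolute-symlink", rel))
                else:
                    dest = os.path.normpath(os.path.join(dirpath, target))
                    if os.path.commonpath([jail, dest]) != jail:
                        # ".." is clamped at the new root, so this link
                        # points somewhere else once chrooted.
                        findings.append(("escaping-symlink", rel))
            elif stat.S_ISREG(st.st_mode):
                if name in SHELL_NAMES and st.st_mode & 0o111:
                    findings.append(("shell", rel))
    return sorted(findings)

def build_sample_jail():
    """Constructed sample tree for the demo; not a real MySQL layout."""
    jail = tempfile.mkdtemp(prefix="jail-")
    os.makedirs(os.path.join(jail, "bin"))
    os.makedirs(os.path.join(jail, "data"))
    shell = os.path.join(jail, "bin", "sh")
    with open(shell, "w") as fh:
        fh.write("#!/bin/true\n")
    os.chmod(shell, 0o755)
    os.symlink("/var/log/mysql.log", os.path.join(jail, "mysql.log"))
    os.symlink("../../etc", os.path.join(jail, "data", "etc"))
    os.symlink("../bin", os.path.join(jail, "data", "bin"))  # stays inside
    return jail

if __name__ == "__main__":
    for kind, rel in audit_jail(build_sample_jail()):
        print(kind, rel)
```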


