
Re: chroot and FHS



On Wed, Jan 24, 2001 at 02:50:46PM +0100, Christian Hammers wrote:
> I like to build my mysql package with chroot support and therefore jail it
> somewhere under /var/lib/mysql and link the log files to /var/log.

Do you plan to make them officially available in Debian?

> I either statically link it so that it can be run from /usr/sbin and then
> live in /var/lib because I don't want to have binaries in /var or
> hardlink the libs from /usr/lib and /lib to /var/lib/mysql?
> Without trying it out I would say that the latter way is preferred, isn't it?

No, of course not! Just consider an attacker breaking your mysql
daemon and gaining root, she will have access to system wide
libraries! This would defeat the purpose of a chroot environment.

You either have to copy the libraries into the chroot environment
or provide a statically linked binary. Also, remember not to
start mysql with a working directory outside the chroot.

    Ingo
-- 
16                      Hard coded constant for amount of room allowed for
                        cache align and faster forwarding (tunable)

-- seen in /usr/src/linux-2.2.14/net/TUNABLE
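
The hard-link concern raised in the reply above, as an added example that is not part of the original message: a Python check that reports files in a chroot tree that still share an inode with a file outside it. The function names, the `host_roots` parameter and the library names in `demo()` are assumptions made for illustration, and the sample tree is constructed in a temporary directory.

```python
import os, shutil, stat, tempfile
from collections import defaultdict

def regular_files(root):
    """Yield (path, lstat) for every regular file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                yield path, st

def audit_jail(jail, host_roots):
    """Map each jail file that also has a name outside the jail to the
    matching path under host_roots (None if that name is elsewhere)."""
    host = {}
    for root in host_roots:  # assumed not to contain the jail itself
        for path, st in regular_files(root):
            host.setdefault((st.st_dev, st.st_ino), path)
    inside, nlink = defaultdict(list), {}
    for path, st in regular_files(jail):
        key = (st.st_dev, st.st_ino)
        inside[key].append(path)
        nlink[key] = st.st_nlink
    findings = {}
    for key, paths in inside.items():
        # More links than names inside the jail: one name lives outside,
        # so a write through the jail changes the host's file as well.
        if nlink[key] > len(paths):
            for path in paths:
                findings[path] = host.get(key)
    return findings

def demo():
    """Constructed layout: one hard-linked library, one copied library,
    and one hard-link pair that stays entirely inside the jail."""
    with tempfile.TemporaryDirectory() as tmp:
        host, lib = os.path.join(tmp, "host-lib"), os.path.join(tmp, "jail", "lib")
        os.makedirs(host)
        os.makedirs(lib)
        for name in ("liblinked.so", "libcopied.so"):
            with open(os.path.join(host, name), "w") as fh:
                fh.write(name)
        os.link(os.path.join(host, "liblinked.so"), os.path.join(lib, "liblinked.so"))
        shutil.copy(os.path.join(host, "libcopied.so"), lib)
        os.link(os.path.join(lib, "libcopied.so"), os.path.join(lib, "libcopied.so.1"))
        jail = os.path.dirname(lib)
        found = audit_jail(jail, [host])
        return {os.path.relpath(j, jail): os.path.relpath(h, host) for j, h in found.items()}
```

With the paths named in the thread, the call would be `audit_jail("/var/lib/mysql", ["/usr/lib", "/lib"])`; an empty result means every library in the jail is a separate copy.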


