Thread: mysql in chrooted environment

  1. #1

    mysql in chrooted environment

    Hi...

    I've been banging my head against a wall for a while with this one but making very little progress.

    In order to increase security I am attempting to run MySQL in a chrooted environment. Whenever I do so, I get the following error:

    Code:
    [Error] Fatal error: Can't change to user 'mysqluser' ; Please check that the user exists!
    I am using:-
    Opensuse 11
    MySQL 5.0.51b (built from source)

    I have written a bash script to do the configuring, making, installing and copying to the chroot environment, it also creates the users and copies the passwd, shadow and group files into the chrooted environment and sets permissions. I could post the entire script if that would help.

    The chroot environment is at
    Code:
    /func/mysql
    I am logged in as root and the command I am using to start the server is
    Code:
    chroot /func/mysql /usr/local/mysql/libexec/mysqld --user=mysqluser
    the mysql build was configured with the
    Code:
    --with-mysql-ldflags=-all-static
    option so should all be in one great big file (which it seems to be)
    My chrooting process is based on one described on this site for FreeBSD Securing MySQL: step-by-step and I'm pretty certain I've changed the correct bits.

    Any suggestions as to why this is happening and possible fixes would be greatly appreciated.

    Do I need to do anything with the passwd, group and shadow files in the chroot environment?
    Do I need any other files for these 3 to work?
    Could AppArmor be getting in the way? (I've uninstalled it but nothing seems to have changed)

    Many thanks for any help (my head is getting sore!!!!!!)
    Last edited by e-ian-taylor; 04-Aug-2008 at 15:02. Reason: I included the wrong link. Sorry

  2. #2
    ab@novell.com NNTP User

    Re: mysql in chrooted environment


    The error message states that 'mysqluser' does not exist. So, does it
    exist?

    id 'mysqluser'
    or
    getent passwd | grep mysql

    Good luck.

    e-ian-taylor wrote:
    | Hi...
    |
    | I've been banging my head against a wall for a while with this one but
    | making very little progress.
    |
    | In order to increase security I am attempting to run MySQL in a
    | chrooted environment whenever I do so, I get the following error
    |
    |
    | Code:
    | --------------------
    | [Error] Fatal error: Can't change to user 'mysqluser' ; Please check that the user exists!
    | --------------------
    |
    |
    | I am using:-
    | Opensuse 11
    | MySQL 5.0.51b (built from source)
    |
    | I have written a bash script to do the configuring, making,
    | installing and copying to the chroot environment, it also creates the
    | users and copies the passwd, shadow and group files into the chrooted
    | environment and sets permissions. I could post the entire script if
    | that would help.
    |
    | The chroot environment is at
    | Code:
    | --------------------
    | /func/mysql
    | --------------------
    |
    | I am logged in as root and the command I am using to start the server
    | is
    | Code:
    | --------------------
    | chroot /func/mysql /usr/local/mysql/libexec/mysqld --user=mysqluser
    | --------------------
    |
    | the mysql build was configured with the
    |
    | Code:
    | --------------------
    | --with-mysql-ldflags=-all-static
    | --------------------
    |
    | option so should all be in one great big file (which it seems to be)
    | My chrooting process is based on one described on this site for
    | FreeBSD 'Securing MySQL: step-by-step'
    | (http://www.securityfocus.com/infocus/1726) and I'm pretty certain I've
    | changed the correct bits.
    |
    | Any suggestions as to why this is happening and possible fixes would be
    | greatly appreciated.
    |
    | Do I need to do anything with the passwd, group and shadow files in the
    | chroot environment?
    | Do I need any other files for these 3 to work?
    | Could AppArmor be getting in the way? (I've uninstalled it but nothing
    | seems to have changed)
    |
    | Many thanks for any help (my head is getting sore!!!!!!)
    |
    |

  3. #3

    Re: mysql in chrooted environment

    Yes, it certainly does. Both 'id' and 'getent passwd' return mysqluser with various bits of information.

    When I run mysql outside of the chroot environment (i.e. where it was originally installed) it works fine. When I try to run the copy in a chrooted environment I get the user error described above.

    I have copies of /etc/passwd, /etc/shadow and /etc/group inside the chroot. Do I need any other files to get mysql to recognise the users?

  4. #4

    Re: mysql in chrooted environment

    For security reasons, the standard SUSE installation of mysql is set up to run only from a Linux user and not from Linux root.

    Even though you say you have downloaded and installed mysql yourself, it seems possible that openSUSE is recognising that you are trying to run in a Linux root environment and not allowing you to proceed.

    I don't understand how you get greater security by running in a chroot environment. mysql already adds a second layer of security and the advice in info mysql focuses on making the best use of the security features of mysql.

    Have you already implemented all those suggestions and are still not satisfied?

  5. #5

    Re: mysql in chrooted environment

    The idea of running in a chroot environment is to protect the rest of the system from any exploits that may be found in MySQL itself. Most of the security enhancements in MySQL are aimed at protecting MySQL from attacks from the outside world and have all been implemented already.

    After a long night with strace I found the cause of the problem, which is this:-

    Despite being statically compiled, the program seems to require
    Code:
    /lib/ld-linux.so.2
    /lib/libc.so.6
    /lib/libnss_compat.so.2
    /lib/libnss_files.so.2
    Does anyone know what these files do? The web seems a bit lacking in descriptions of Linux core libraries.
    I will investigate the configure options to see if there is anything amiss. I was under the impression that
    Code:
    --with-mysqld-ldflags=-all-static
    should have covered it.

  6. #6

    Re: mysql in chrooted environment

    /lib/ld-linux.so.2

    Dynamic loader, handles shared libraries.

    /lib/libc.so.6

    The C runtime library

    /lib/libnss_compat.so.2

    Handles service databases that use compat in /etc/nsswitch.conf.

    /lib/libnss_files.so.2

    Handles service databases that use files in /etc/nsswitch.conf.
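
The diagnosis in post #5 (strace showing which files the "static" binary still opens) and the explanation in post #6 (the loader, libc and the libnss_* modules that glibc dlopen()s to resolve a user name) can be turned into a small, reusable procedure. The following shell helpers are an added example, not code from the thread or from MySQL: missing_files extracts the ENOENT paths from an strace capture, and build_chroot_nss installs into the chroot only what name resolution needs, that is a passwd line and group line for the service account, a nsswitch.conf restricted to the files source, and the libraries that strace reported. The chroot path /func/mysql and the account mysqluser are taken from the thread; the strace sample lines are constructed for the demo; a POSIX sh with getent, sed, sort and cp -L is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes POSIX sh, getent, sed, sort,
# cp -L. /func/mysql and mysqluser are the thread's values, used as defaults.

# missing_files: read strace output on stdin and print, once each, the paths
# the traced program tried to open but which were absent (ENOENT).
# Capture, as root and outside the chroot, with something like:
#   strace -f -e trace=open,openat,stat chroot /func/mysql \
#       /usr/local/mysql/libexec/mysqld --user=mysqluser 2>&1 | missing_files
missing_files() {
    grep 'ENOENT' | sed -n 's/.*[(, ]"\([^"]*\)".*/\1/p' | sort -u
}

# demo_missing_files: run the parser over a constructed strace excerpt that
# mirrors the finding in post #5 (two of the libraries are missing, the
# passwd file itself opens fine, one miss is repeated).
demo_missing_files() {
    printf '%s\n' \
      'open("/lib/ld-linux.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)' \
      'openat(AT_FDCWD, "/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)' \
      'openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3' \
      'open("/lib/ld-linux.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)' \
      | missing_files
}

# minimal_passwd / minimal_group: print only the service account's passwd
# line and its primary group line. getpwnam() followed by setgid()/setuid(),
# which is what mysqld --user does, needs nothing more: /etc/shadow and the
# rest of the host's accounts have no business inside the chroot.
minimal_passwd() {
    getent passwd "$1"
}
minimal_group() {
    gid=$(getent passwd "$1" | cut -d: -f4)
    [ -n "$gid" ] || return 1
    getent group "$gid"
}

# copy_into_chroot ROOT PATH: copy one host file to the same path under ROOT,
# dereferencing symlinks so the chroot holds the real library file.
copy_into_chroot() {
    root=$1; path=$2
    mkdir -p "$root$(dirname "$path")" && cp -L "$path" "$root$path"
}

# build_chroot_nss ROOT USER LIB...: install the name-service pieces a
# chrooted daemon needs to resolve USER. LIB... is normally the output of
# missing_files (loader, libc, libnss_files and friends).
build_chroot_nss() {
    root=$1; user=$2; shift 2
    mkdir -p "$root/etc"
    minimal_passwd "$user" > "$root/etc/passwd" || return 1
    minimal_group "$user" > "$root/etc/group" || return 1
    chmod 644 "$root/etc/passwd" "$root/etc/group"
    # Pin lookups to the files source so the chroot never needs the
    # compat, ldap or nis modules configured on the host.
    printf 'passwd: files\ngroup: files\n' > "$root/etc/nsswitch.conf"
    for lib in "$@"; do
        copy_into_chroot "$root" "$lib" || return 1
    done
}

# Typical use once the strace capture has been saved to mysqld.strace:
#   build_chroot_nss /func/mysql mysqluser $(missing_files < mysqld.strace)
#   chroot /func/mysql /usr/local/mysql/libexec/mysqld --user=mysqluser
```

Running missing_files over a real capture gives exactly the kind of list post #5 arrived at by hand, and it is worth re-running after populating the chroot until it prints nothing, since libnss_compat can in turn pull in libnss_files or libnss_nis depending on the host's nsswitch.conf. Restricting the chroot's nsswitch.conf to files keeps that chain short and keeps network name services out of the jail.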
