mysql in chrooted environment

Hi…

I’ve been banging my head against a wall for a while with this one but making very little progress.

In order to increase security I am attempting to run MySQL in a chrooted environment. Whenever I do so, I get the following error:

[Error] Fatal error: Can't change to user 'mysqluser' ; Please check that the user exists!

I am using:-
Opensuse 11
MySQL 5.0.51b (built from source)

I have written a bash script to do the configuring, making, installing and copying to the chroot environment, it also creates the users and copies the passwd, shadow and group files into the chrooted environment and sets permissions. I could post the entire script if that would help.

The chroot environment is at

/func/mysql

I am logged in as root and the command I am using to start the server is

chroot /func/mysql /usr/local/mysql/libexec/mysqld --user=mysqluser

the mysql build was configured with the

--with-mysql-ldflags=-all-static

option so should all be in one great big file (which it seems to be)
My chrooting process is based on the one described on this site for FreeBSD, 'Securing MySQL: step-by-step' (http://www.securityfocus.com/infocus/1726), and I'm pretty certain I've changed the correct bits.

Any suggestions as to why this is happening and possible fixes would be greatly appreciated.

Do I need to do anything with the passwd, group and shadow files in the chroot environment?
Do I need any other files for these 3 to work?
Could AppArmor be getting in the way? (I’ve uninstalled it but nothing seems to have changed)

Many thanks for any help (my head is getting sore!!!)

The error message states that 'mysqluser' does not exist. So, does it
exist?

id mysqluser
or
getent passwd | grep mysql

Good luck.



Yes, it certainly does. Both ‘id’ and ‘getent passwd’ return mysqluser with various bits of information

When I run mysql outside of the chroot environment (i.e. where it was originally installed) it works fine. When I try to run the copy in a chrooted environment I get the user error described above.

I have copies of /etc/passwd, /etc/shadow and /etc/group inside the chroot. Do I need any other files to get mysql to recognise the users?

For security reasons, the standard SUSE installation of mysql is set up to run only from a Linux user and not from Linux root.

Even though you say you have downloaded and installed mysql yourself, it seems possible that OpenSUSE is recognising that you are trying to run in a Linux root environment and not allowing you to proceed.

I don’t understand how you get greater security by running in a chroot environment. mysql already adds a second layer of security and the advice in info mysql focuses on making the best use of the security features of mysql.

Have you already implemented all those suggestions and are still not satisfied?

The idea of running in a chroot environment is to protect the rest of the system from any exploits that may be found in MySQL itself. Most of the security enhancements in MySQL are aimed at protecting MySQL from attacks from the outside world and have all been implemented already.

After a long night with strace I found the cause of the problem which is this:-

Despite being statically compiled, the program seems to require

/lib/ld-linux.so.2
/lib/libc.so.6
/lib/libnss_compat.so.2
/lib/libnss_files.so.2

Does anyone know what these files do? The web seems a bit lacking in descriptions of Linux core libraries.
I will investigate the configure options to see if there is anything amiss, I was under the impression that

--with-mysqld-ldflags=-all-static

should have covered it

/lib/ld-linux.so.2

Dynamic loader, handles shared libraries.

/lib/libc.so.6

The C runtime library

/lib/libnss_compat.so.2

Handles service databases that use compat in /etc/nsswitch.conf.

/lib/libnss_files.so.2

Handles service databases that use files in /etc/nsswitch.conf.
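Added example (not from this thread, and not MySQL's own tooling): a small POSIX shell check that ties the strace finding above to the library descriptions. Even with -all-static, glibc resolves user and group names through NSS, which dlopen()s libnss_<service>.so.2 for each service listed on the passwd, group and shadow lines of /etc/nsswitch.conf; that is why mysqld still opened ld-linux.so.2, libc.so.6, libnss_compat.so.2 and libnss_files.so.2. The script reads the chroot's nsswitch.conf, derives the module filenames it implies, confirms they and the loader, libc and passwd/group files exist under the chroot root, and checks whether the --user name has an entry in the chroot's own passwd copy. The /lib paths are an assumption matching the 32-bit openSUSE 11 box in the thread (x86_64 systems keep these under /lib64); /func/mysql and mysqluser are the values the thread uses.

```shell
#!/bin/sh
# Added example, not from the thread: check that a chroot contains what a
# statically linked glibc program still needs to resolve a user name.
# glibc's NSS code dlopen()s libnss_<service>.so.2 for every service named
# in /etc/nsswitch.conf even when the program itself was linked static.
# Library paths below assume a 32-bit system like the openSUSE 11 box in
# the thread (x86_64 uses /lib64); adjust if your loader lives elsewhere.

# Print the NSS module filenames that the passwd, group and shadow lines of
# an nsswitch.conf will cause glibc to load, one per line, deduplicated.
# Bracketed action tokens such as [NOTFOUND=return] are skipped.
nss_modules_from_conf() {
    awk '$1 ~ /^(passwd|group|shadow):$/ {
            for (i = 2; i <= NF; i++)
                if ($i !~ /^\[/) print "libnss_" $i ".so.2"
         }' "$1" | sort -u
}

# Return 0 when every file needed for user lookups is present under the
# chroot root given as $1; otherwise print each missing path and return 1.
check_chroot_nss() {
    root="$1"
    missing=0
    for f in /etc/nsswitch.conf /etc/passwd /etc/group \
             /lib/ld-linux.so.2 /lib/libc.so.6; do
        if [ ! -e "$root$f" ]; then
            echo "missing: $root$f"
            missing=$((missing + 1))
        fi
    done
    if [ -e "$root/etc/nsswitch.conf" ]; then
        for lib in $(nss_modules_from_conf "$root/etc/nsswitch.conf"); do
            if [ ! -e "$root/lib/$lib" ]; then
                echo "missing: $root/lib/$lib"
                missing=$((missing + 1))
            fi
        done
    fi
    [ "$missing" -eq 0 ]
}

# Return 0 when user $2 has an entry in the chroot's own /etc/passwd
# (the copy mysqld consults after chroot), 1 otherwise.
user_in_chroot_passwd() {
    grep -q "^$2:" "$1/etc/passwd" 2>/dev/null
}

# Usage: sh check-chroot-nss.sh /func/mysql mysqluser
if [ $# -ge 2 ]; then
    if check_chroot_nss "$1" && user_in_chroot_passwd "$1" "$2"; then
        echo "ok: $1 can resolve user $2"
    else
        echo "problem: $1 cannot resolve user $2"
    fi
fi
```

Run it as root against the chroot root before starting mysqld; every "missing:" line is a file to copy in from the host, and a missing passwd entry reproduces exactly the "Can't change to user" error from the first post. The check is deliberately file-based so it can be run without entering the chroot.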