Package: mysql-server-4.1
Version: 4.1.10a-1
Severity: wishlist

I'm currently chrooting mysqld as described on
http://blog.blackdown.de/2005/03/04/chrooting-mysql-on-debian/

Setting up the chroot, among other stuff, requires this:

    # for reading etc/passwd and etc/hosts
    cp /lib/libnss_compat.so.2 lib
    cp /lib/libnss_files.so.2 lib
    # needed by Debian packages >= 4.1.10a
    cp /lib/libc.so.6 lib
    cp /lib/ld* lib

(libc.so.6 and ld* are needed because of the
--with-mysqld-ldflags=-all-static change. getpwnam/getpwuid in static
programs still require shared glibc libraries at runtime.)

bind9 and apache/apache2 (with libapache-mod-chroot or
libapache-mod-security) both manage to change the user in the chroot
without the need for copying any libraries into the chroot.

It would be nice if mysqld's chroot function would work the same way.

After looking at src/mysqld.cc I think the only change required is to
do check_user() before set_root(). (I.e. look up stuff in /etc/passwd
before doing chroot(2). That's the way it works in apache2 and bind9.)

I'm not familiar with the call flow in src/mysqld.cc, so this change is
probably better implemented by somebody more competent.

        Juergen

-- 
Juergen Kreileder, Blackdown Java-Linux Team
http://blog.blackdown.de/
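
The ordering requested in the report above (account lookup first, chroot(2) second, privilege drop last), as an added example that is not part of the original report and is not mysqld's code. The names resolve_user and enter_jail_and_drop and the command-line arguments are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* chroot(2) and setgroups(2) prototypes on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

struct run_as { uid_t uid; gid_t gid; };

/* Step 1, outside the jail: getpwnam() may load libnss_* at run time, so it
   runs while the real /lib and /etc/passwd are still visible. */
int resolve_user(const char *name, struct run_as *out)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    out->uid = pw->pw_uid;   /* copy out: pw points to static storage */
    out->gid = pw->pw_gid;
    return 0;
}

/* Step 2: enter the jail, then give up root using only the numeric ids. */
int enter_jail_and_drop(const char *jail, const struct run_as *id)
{
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(1, &id->gid) != 0)          /* clear supplementary groups */
        return -1;
    if (setgid(id->gid) != 0 || setuid(id->uid) != 0)
        return -1;
    if (id->uid != 0 && setuid(0) == 0)       /* root must not be regainable */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    struct run_as id;
    if (argc != 3 || resolve_user(argv[2], &id) != 0) {
        fprintf(stderr, "usage: %s <jail-dir> <existing-user>\n", argv[0]);
        return 2;
    }
    if (enter_jail_and_drop(argv[1], &id) != 0) {
        perror("chroot/privilege drop");
        return 1;
    }
    printf("uid=%d gid=%d, jail holds no NSS libraries\n", (int)id.uid, (int)id.gid);
    return 0;
}
```

Run as root against an empty directory, the program ends up unprivileged inside the jail without any of the copied libraries listed in the report.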