hi juergen,

On Sun, Mar 13, 2005 at 03:25:40AM +0100, Juergen Kreileder wrote:
> I'm currently chrooting mysqld like described on
> http://blog.blackdown.de/2005/03/04/chrooting-mysql-on-debian/
wow, within 24 hours of an update there's already somebody providing
docs for it!
> # for reading etc/passwd and etc/hosts
> cp /lib/libnss_compat.so.2 lib
> cp /lib/libnss_files.so.2 lib
> # needed by Debian packages >= 4.1.10a
> cp /lib/libc.so.6 lib
> cp /lib/ld* lib
>
> (libc.so.6 and ld* are needed because of the
> --with-mysqld-ldflags=-all-static change. getpwnam/getpwuid in static
> programs still require shared glibc libraries at runtimes.)
fyi, we've disabled the --with-mysqld-ldflags=-all-static option in the
latest version, because it was causing crashes on some systems and
probably a bad liability in the long run anyways.
> bind9 and apache/apache2 (with libapache-mod-chroot or
> libapache-mod-security) both manage to change the user in the chroot
> without the need for copying any libraries into the chroot.
>
> It would be nice if mysqld's chroot function would work the same way.
>
> After looking at src/mysqld.cc I think the only change required is to
> do check_user() before set_root(). (Ie. lookup stuff in /etc/passwd
> before doing chroot(2). That's the way it works in apache2 and bind9).
>
> I'm not familiar with the call flow in src/mysqld.cc, so this change
> is probably better implemented by somebody more competent.
that wouldn't be me either... christian? :)
sean
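The ordering proposed in the quoted text (resolve the user from /etc/passwd first, then chroot(2), then change user) is sketched below as an added example; it is not part of the original thread and is not mysqld's code. The names `lookup_user`, `enter_jail` and `struct run_ids` are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for chroot(2) and setgroups(2) on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

struct run_ids { uid_t uid; gid_t gid; };   /* hypothetical helper type */

/* Step 1, before chroot(2): the host's NSS libraries and /etc/passwd are
 * still reachable, so nothing has to be copied into the jail. */
static int lookup_user(const char *name, struct run_ids *out)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    out->uid = pw->pw_uid;
    out->gid = pw->pw_gid;
    return 0;
}

/* Step 2: enter the jail, then drop privileges using only numeric ids.
 * Order matters: groups before gid before uid, since each call needs root. */
static int enter_jail(const char *dir, const struct run_ids *ids)
{
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(1, &ids->gid) != 0)       /* clear supplementary groups */
        return -1;
    if (setgid(ids->gid) != 0 || setuid(ids->uid) != 0)
        return -1;
    if (ids->uid != 0 && setuid(0) == 0)    /* the drop must be irreversible */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    struct run_ids ids;
    if (argc != 3) { fprintf(stderr, "usage: %s USER DIR\n", argv[0]); return 2; }
    if (lookup_user(argv[1], &ids) != 0) { fprintf(stderr, "unknown user\n"); return 1; }
    if (enter_jail(argv[2], &ids) != 0) { perror("enter_jail"); return 1; }
    printf("uid=%d gid=%d inside %s\n", (int)getuid(), (int)getgid(), argv[2]);
    return 0;
}
```

Run as root with a user name and a jail directory; the directory needs no lib/ or etc/passwd for the user switch to succeed.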

