LinuxQuestions.org
Old 05-30-2005, 07:58 PM   #1
MasterC
LQ Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu ; CentOS ; Raspbian
Posts: 12,613

Rep: Reputation: 69
Using mod_chroot with MySQL?


Hi!

I recently installed mod_chroot and after a bit of troubleshooting got it up and working. Now I am having problems running pages that request info from a mysql db. It seems (and makes sense) that apache cannot call above the new chroot directory, which would include making mysql calls.

Looking over any documentation, I see:
Quote:
If your mySQL/PostgreSQL accepts connections on a Unix socket which is outside of your chroot jail, reconfigure it to listen on a loopback address (127.0.0.1).
However, I need mysql on this server to be able to communicate with other servers on the local network, and am concerned that this will remove that ability.

Am I just nuts?

If not, does anyone have any suggestions?

Thanks!
 
Old 06-01-2005, 11:36 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Kind of an ugly hack, but have you tried configuring mySQL to listen on 127.0.0.1 and then DNATing the incoming remote mySQL traffic to 127.0.0.1? It might work the other way around, but I've never tried rerouting a local Unix Socket like that and it might cause problems.

You could also try including the necessary networking libs into the chroot or using a second instance of mySQL, but I think both of those options are less than desirable.
 
Old 06-02-2005, 12:47 PM   #3
MasterC
LQ Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu ; CentOS ; Raspbian
Posts: 12,613

Original Poster
Rep: Reputation: 69
Thanks for the response!

I may try that, but have now realized I need other things that are also outside my chroot, such as connection with the IMAP service.

I am considering other options right now regarding securing apache as chroot really doesn't seem to be the most desirable for me ATM.

I'll plug through other threads, google and the linux security web references and see what I can find on locking it down without using chroot.

Thanks again!

 
Old 06-12-2005, 02:00 PM   #4
hobbicik
LQ Newbie
 
Registered: Jun 2005
Posts: 1

Rep: Reputation: 0
Please note that documentation refers to mySQL listening on a local Unix socket (/tmp/mysql.sock, /var/run/mysql.sock etc). This socket probably won't be available inside chroot jail - that's why documentation suggests reconfiguring mySQL to listen on local INET socket (127.0.0.1). This way, the database is still available only from local machine, but works with mod_chroot.
If your mySQL is already configured to listen on external INET socket, mod_chroot won't break anything. You'll find your mySQL client to work flawlessly inside chroot jail (but please read the documentation on DNS lookups).

Marek Gutkowski
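
The situation described in post #4, as an added example that is not part of the original thread or of mod_chroot: a check of whether a MySQL Unix socket path is visible from inside the jail, falling back to a TCP probe of the loopback listener. The function names and the idea of resolving symlinks the way a chrooted process would are assumptions of this sketch; it goes slightly beyond the thread by showing that a symlink from the jail to a socket directory outside it does not help.

```python
import os, socket, stat
# Added example: function names are illustrative, not part of mod_chroot or MySQL.

def jail_view(chroot_dir, path, max_links=16):
    """Host-side path that `path` resolves to for a process chrooted to
    chroot_dir: absolute symlink targets restart at the jail root and
    '..' cannot climb above it."""
    root = os.path.realpath(chroot_dir)
    split = lambda p: [c for c in p.split("/") if c and c != "."]
    todo, current, links = split(path), root, 0
    while todo:
        part = todo.pop(0)
        if part == "..":
            if current != root:
                current = os.path.dirname(current)
            continue
        candidate = os.path.join(current, part)
        if os.path.islink(candidate):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(candidate)
            if target.startswith("/"):
                current = root          # absolute target: back to the jail root
            todo = split(target) + todo
            continue
        current = candidate
    return current

def socket_in_jail(chroot_dir, socket_path):
    """True if socket_path is a Unix socket as seen from inside the jail."""
    try:
        return stat.S_ISSOCK(os.lstat(jail_view(chroot_dir, socket_path)).st_mode)
    except OSError:
        return False

def tcp_listening(host, port, timeout=1.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def connection_method(chroot_dir, socket_path, host="127.0.0.1", port=3306):
    """Transport a chrooted client can use: 'unix-socket', 'tcp' or None."""
    if socket_in_jail(chroot_dir, socket_path):
        return "unix-socket"
    return "tcp" if tcp_listening(host, port) else None
```

When the result is "tcp", the application inside the jail should connect to 127.0.0.1 rather than localhost, because MySQL client libraries on Unix treat the host name localhost as a request to use the Unix socket.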
 
  

