[Wylug-help] Apache chroot'ed - MySQL socket?

James Holden james at microcosmos.co.uk
Tue Aug 26 12:03:46 BST 2003


Dan Walker wrote:

>On Tuesday 26 Aug 2003 09:51, James Holden wrote:
>
>
>>Morning all,
>>
>>UNIX guru advice needed please....
>>
>>I'm building an OpenBSD web server, and I have apache installed chrooted
>>to /var/www.
>>
>>I also want MySQL running on the machine, but my scripts can't see the
>>mysql socket in its default location of /var/run/mysql.
>>
>>What's the best approach to this? I reconfigured MySQL to place its
>>socket within the chroot jail that apache is running in, and it works
>>fine but is that the best way to do it? Are there security implications?
>>I could connect via TCP/IP through localhost, but that would have a
>>performance hit, wouldn't it?
>>
>>Can I specify two sockets for MySQL? I could put one in
>>/var/www/var/run/mysql and one in /var/run/mysql.
>>
>>
>MySQL is fairly flexible - do a soft link from /var/www/var/run/mysql to
>/var/run/mysql.
>
>Having said that, I bet the OpenBSD crowd would favour chrooting MySQL as
>well.
>
>I can't really comment on security here - I tend to only use OpenBSD as a
>firewall.
>
>Dan
>- --
>
>
Ah ha.... soft link the directory. I tried soft linking the socket but
it didn't work.

If I chroot MySQL into the same directory, it would leave the databases
exposed to the www user.

I nearly used FreeBSD rather than OpenBSD, but when weighing up
stability vs security, the security aspect appealed more to me. Besides,
OpenBSD should be just as stable.

James
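
Added example, not part of the original messages: a small resolver that walks a path the way a process chrooted to /var/www would, to show which direction of directory symlink lets both the jailed Apache and unjailed clients reach the same socket. The temp-directory layouts, the function names and the regular file standing in for mysql.sock are constructed for illustration.

```python
import os
import tempfile

def resolve_in_jail(jail, path, max_links=32):
    """Return the host path that `path` reaches for a process chrooted
    to `jail`, or None if it is unreachable (ENOENT or ELOOP)."""
    jail = os.path.realpath(jail)
    todo = [p for p in path.split("/") if p]
    cur, links = [], 0              # cur: components below the jail root
    while todo:
        part = todo.pop(0)
        if part == ".":
            continue
        if part == "..":
            if cur:
                cur.pop()           # ".." at the jail root stays at the root
            continue
        host = os.path.join(jail, *cur, part)
        if os.path.islink(host):
            links += 1
            if links > max_links:
                return None         # symlink loop
            target = os.readlink(host)
            if target.startswith("/"):
                cur = []            # absolute targets restart at the JAIL root
            todo = [p for p in target.split("/") if p] + todo
            continue
        if not os.path.lexists(host):
            return None
        cur.append(part)
    return os.path.join(jail, *cur)

def demo():
    sock = "/var/run/mysql/mysql.sock"
    # Layout A: socket dir outside the jail, symlink inside pointing out.
    a = tempfile.mkdtemp()          # constructed stand-in for "/"
    os.makedirs(a + "/var/run/mysql")
    os.makedirs(a + "/var/www/var/run")
    open(a + sock, "w").close()     # plain file standing in for the socket
    os.symlink("/var/run/mysql", a + "/var/www/var/run/mysql")
    # Layout B: socket dir inside the jail, symlink on the host pointing in.
    b = tempfile.mkdtemp()
    os.makedirs(b + "/var/www/var/run/mysql")
    os.makedirs(b + "/var/run")
    open(b + "/var/www" + sock, "w").close()
    os.symlink("/var/www/var/run/mysql", b + "/var/run/mysql")
    return {"A_jail": resolve_in_jail(a + "/var/www", sock),
            "B_jail": resolve_in_jail(b + "/var/www", sock),
            "B_host": resolve_in_jail(b, sock)}
```

In layout A the jailed lookup loops back on the link itself and never leaves /var/www; in layout B the jailed and host lookups land on the same file, and only the socket directory, not the database files, sits inside the jail.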
