[Wylug-help] Apache chroot'ed - MySQL socket?

Dan Walker danielwalker at fastmail.fm
Tue Aug 26 13:20:06 BST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 26 Aug 2003 12:03, James Holden wrote:
>> Dan Walker Wrote:
> >MySQL is fairly flexible - do a soft link from /var/www/var/run/mysql to
> >/var/run/mysql.
> >
> >Having said that, I bet the OpenBSD crowd would favour chrooting MySQL as
> >well.
> >
> >I can't really comment on security here - I tend to only use OpenBSD as a
> >firewall.
> >
> >Dan
> >- --
>
> Ah ha.... soft link the directory. I tried soft linking the socket but
> it didn't work.
I'm only guessing - I'm fairly sure I've softlinked MySQL socket files on
Linux and it's worked. Or maybe that was a hard link.


> If I chroot MySQL into the same directory, it would leave the databases
> exposed to the www user.
>
> I nearly used FreeBSD rather than OpenBSD, but when weighing up
> stability vs security, the security aspect appealed more to me. Besides,
> OpenBSD should be just as stable.
True. Although FreeBSD is reputed to be the most efficient x86 OS around -
Open- and Net- obviously lose out a bit due to being rather more portable.
For a webserver I'd favour OpenBSD unless I was planning on using a SMP box,
but only because I know it better.

Dan

- --
Daniel Walker
"Physics is like sex; sure, it may occasionally give some
practical results, but that's not why we do it"
- - Richard Feynman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/S1B+C2kcpPIIs7gRAilxAJ987VMTKmwBjRPWPYScVs16AuipfACfUHP5
JM4B190+TiF3OIq+Yrfcg/I=
=7g+4
-----END PGP SIGNATURE-----
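
Added example, not part of the original thread: a sketch of how the two suggestions above (a soft link with an absolute target, and a hard link) look to a process chrooted to /var/www, where absolute symlink targets are resolved against the jail root rather than the host root. The names `resolve_in_jail` and `demo` are hypothetical, a temporary directory stands in for the host filesystem, and a plain file stands in for the MySQL socket.

```python
import os, tempfile

def resolve_in_jail(jail, path, max_hops=40):
    """Host path `path` reaches from inside a chroot at `jail`; None if missing or looping."""
    jail = os.path.realpath(jail)
    todo, cur, hops = [p for p in path.split("/") if p], jail, 0
    while todo:
        part = todo.pop(0)
        if part == "..":
            cur = cur if cur == jail else os.path.dirname(cur)  # clamp at jail root
            continue
        nxt = os.path.join(cur, part)
        if os.path.islink(nxt):
            hops += 1
            if hops > max_hops:
                return None  # symlink loop (ELOOP)
            target = os.readlink(nxt)
            if target.startswith("/"):
                cur = jail  # absolute targets restart at the jail root, not the host "/"
            todo = [p for p in target.split("/") if p] + todo
        elif os.path.exists(nxt):
            cur = nxt
        else:
            return None
    return cur

def demo():
    with tempfile.TemporaryDirectory() as host:  # constructed stand-in for the host "/"
        jail = os.path.join(host, "var/www")
        sock = os.path.join(host, "var/run/mysql/mysql.sock")
        os.makedirs(os.path.dirname(sock))
        os.makedirs(os.path.join(jail, "var/run"))
        open(sock, "w").close()  # plain file standing in for mysqld's socket
        # Case 1: directory symlink with the absolute target named in the thread.
        inner = os.path.join(jail, "var/run/mysql")
        os.symlink("/var/run/mysql", inner)
        via_symlink = resolve_in_jail(jail, "/var/run/mysql/mysql.sock")
        # Case 2: real directory in the jail holding a hard link (same filesystem only).
        os.remove(inner)
        os.mkdir(inner)
        os.link(sock, os.path.join(inner, "mysql.sock"))
        seen = resolve_in_jail(jail, "/var/run/mysql/mysql.sock")
        shared = os.path.samefile(seen, sock)
        # Case 3: a server restart unlinks and recreates the socket: new inode.
        os.remove(sock)
        open(sock, "w").close()
        stale = not os.path.samefile(seen, sock)
        return via_symlink, shared, stale

print(demo())
```

The three results are: the symlinked path as seen from the jail (`None`, because the link points back at itself once re-rooted), whether the hard link shares the socket's inode, and whether that hard link has gone stale after the socket is recreated.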




