MySQL, to chroot jail or not?

I didn't know that it was ever considered to be worth it. This is not a common practice; even in large firms I am not aware of anyone doing this. I say not worth it.

Hey Guys,
We're moving to a new host for our VPS and it's a different OS (Ubuntu, we're coming from CentOS).
On our previous server we chroot jailed mysqld, but now I've been doing some research and there's a bunch of people out there that say it's not even worth it to do it anymore.
Do you guys think this is true? Should I waste my time setting up the chroot jail? Or should I just install it like any other application on the server base?
This topic first appeared in the Spiceworks Community

Similar Messages

  • About chroot jails and ACL

    I want to run rtorrent in a chroot jail. Correct me if wrong, but jailing rtorrent would consume much more RAM cause rtorrent will not use libraries that it needs and may be already in memory.
    So I wonder, why people just don't create a new user, install ACL, block everything to that user but read access to /lib and some config files, and execute permission to only the needed binaries. It would be easy to do since as I understand if you block all /bin permissions to the restricted user, all future files there will inherit those permissions. The only problem I see is that if you update, you will have to set some permissions again, easily fixed with a script. ACL seems much more easier to setup than chroot jails!
    When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute but basic commands.
    So, why is it that people seem to prefer chroot jails? Does installing ACL has some kind of performance penalty?

    _Mike_ wrote: Does installing ACL has some kind of performance penalty?
    Do you mean Mandatory Access Control? Filesystem ACL is already installed on every Linux system.
    When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute but basic commands.
    Chroot jails were not created to be used as a security tool and are very easy to break out of. Filesystem ACL is very limited in scope and also provides little security.
    You might want to look into using Mandatory Access Control (MAC) which is available with TOMOYO Linux, AppArmor, SELinux or SMACK. SELinux is the most powerful, but will take a long time to master. TOMOYO Linux is easier to use and the relevant packages are already in [community]. See the wiki page for more information.
    All MAC implementations have a small degree of performance penalty. SELinux probably has the greatest penalty, but overall you probably won't notice anything with any of the implementations.
    Last edited by jnguyen (2011-04-13 06:48:36)

  • Chroot jail in FTP?

    I asked this question about two years back, but I'm hoping there's an answer now...
    Is there a way to lock ftp clients into their home directory, so that they cannot go back a directory level? Essentially their home directory is their root directory.
    Previously using linux ftp servers, you could do this with an option called 'chroot jail', but I'm not seeing the same feature on the Netware ftp.
    Is there a way to do this? I'm running NW 6.5sp6.
    Thanks!
    Matt

    Did you check the date of the TID though? <g> I'm surprised no one pointed it out last time you asked.
    Cheers Dave
    Dave Parkes [NSCS]
    Occasionally resident at http://support-forums.novell.com/

  • SFTP only access in chrooted jail?

    Hi
    I'm trying to make it so a user only has sftp access in a chrooted jail.
    I've tried following a couple walkthroughs with no success
    http://www.macresearch.org/restricted-sftp-mac-os-x-leopard
    http://www.debian-administration.org/articles/590
    This is 10.6.2 Server.
    I created my user and ran the following steps as root.
    chmod g-w /
    chmod g-w /Volumes/HD
    chown root /Volumes/HD
    mkdir /Volumes/HD/user_dir
    chown user /Volumes/HD/user_dir
    chmod 700 /Volumes/HD/user_dir
    I've added this to my sshd.config file:
    # override default of no subsystems
    #Subsystem sftp /usr/libexec/sftp-server
    Subsystem sftp internal-sftp
    Match User user
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /Volumes/HD
    ForceCommand internal-sftp
    Here is what I get when I try to ssh or sftp:
    sftp user@localhost
    Connecting to localhost...
    Password:
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
    Connection closed
    Any help is greatly appreciated.
    Thanks.

    hmmm strange. think i figured it out.
    finally went with
    Subsystem sftp internal-sftp
    Match User user
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /chroot
    ForceCommand internal-sftp
    create a new dir chroot and another dir inside it.
    the chroot must be owned by root and group or others cannot have write access to any of it.
    the dir i created inside chroot is chmod 700 and owned by my user.
    it looks like because ChrootDirectory must have the directory owned by root and unwritable by others, you can't direct your user directly to their locked down dir. they must sftp in to chroot then cd to their folder.
    not sure how to get around this.
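The constraint the second post ran into (ChrootDirectory and every directory above it must be owned by root and not writable by group or others, which sshd enforces before it will chroot) can be checked before sshd is reloaded. The script below is an added example, not code from the thread or from OpenSSH; it assumes a POSIX sh whose `ls -ldn` prints the usual `mode links uid gid ...` columns, and the path names (`/chroot`, `/Volumes/HD`) are the ones used above.

```shell
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory.
# sshd refuses to chroot unless the directory and every ancestor are owned by
# root and not writable by group or others; this walks the path and reports
# the first component that breaks the rule.

# Policy for one path component. Arguments: mode string as printed by ls -l
# (e.g. drwxr-xr-x) and the numeric owner uid. Prints a reason and returns 1
# when the component is unacceptable, returns 0 otherwise.
chroot_component_ok() {
    mode=$1
    uid=$2
    case "$mode" in
        d*) ;;
        *)  echo "not a directory ($mode)"; return 1 ;;
    esac
    if [ "$uid" -ne 0 ]; then
        echo "not owned by root (uid $uid)"
        return 1
    fi
    # Character 6 of the mode string is the group write bit, character 9 the
    # world write bit.
    case "$mode" in
        d????w*) echo "group-writable ($mode)"; return 1 ;;
    esac
    case "$mode" in
        d???????w*) echo "world-writable ($mode)"; return 1 ;;
    esac
    return 0
}

# Walk from / down to the target directory, checking each prefix.
# Returns 0 if sshd would accept the path as ChrootDirectory, 1 otherwise.
check_chroot_path() {
    target=$1
    case "$target" in
        /*) ;;
        *)  echo "$target: ChrootDirectory must be an absolute path"; return 1 ;;
    esac
    rest=${target#/}
    p=/
    while :; do
        info=$(ls -ldn "$p" 2>/dev/null) || { echo "$p: cannot stat"; return 1; }
        set -- $info                       # $1 = mode, $3 = numeric uid
        if ! reason=$(chroot_component_ok "$1" "$3"); then
            echo "$p: $reason"
            return 1
        fi
        [ -z "$rest" ] && break
        comp=${rest%%/*}
        case "$rest" in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -z "$comp" ] && continue         # skip empty components from // or a trailing /
        if [ "$p" = / ]; then p="/$comp"; else p="$p/$comp"; fi
    done
    echo "$target: ok for ChrootDirectory (root-owned, not group/world writable)"
    return 0
}

# Usage: check_chroot_path /chroot   (then reload sshd once it reports ok)
```

The check is split so the policy can be exercised on mode strings alone; the walker stops at the first offending directory, which is the one to `chown root` or `chmod g-w,o-w`, exactly as the post did for `/` and `/Volumes/HD`.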

  • /dev/random and chroot jail

    I have a BIND configuration in a chroot jail - Solaris 10, u8, SPARC.   I need to create a /dev/random device in the jail to go along with the other devices that already exist in the jail (such as /jail/dev/null, etc).  The man page for mknod says "With the advent of physical device naming, it would be preferable to create a symbolic link to the physical name of the device (in the /devices subtree)  rather than using mknod."  Creating a link to the actual device in /devices however would entail a link that leaves the jail, and I always thought any link leaving the jail is not secure.  Any thoughts on this?  Should I use the link as suggested by the man page or use the mknod command within the jail and create the device there?

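A symlink created inside the jail that points at /devices would be resolved by the kernel relative to the jail root once the process is chrooted, so it would not leave the jail; it would simply dangle. Creating a real device node with the host's major/minor numbers avoids the question entirely. The script below is an added example (not from the thread or from any Solaris documentation) that copies the numbers from the host's `ls -lL` output; it assumes the `major, minor` column layout that GNU, BSD and Solaris `ls` all print for device files, and `mknod` itself needs root.

```shell
#!/bin/sh
# Added example: populate a jail's /dev with real device nodes that carry the
# same type and major/minor numbers as the host's devices.

# Parse one line of `ls -lL` output for a device file and print
# "TYPE MAJOR MINOR" (e.g. "c 1 3"). -L follows symlinks, so a /dev entry
# that is itself a link (as /dev/random is on Solaris) resolves to the real node.
device_numbers() {
    set -- $1                # $1 = mode, $5 = "MAJOR,", $6 = MINOR
    case "$1" in
        c*) kind=c ;;
        b*) kind=b ;;
        *)  return 1 ;;      # not a device node
    esac
    case "$5" in
        *,) ;;
        *)  return 1 ;;      # size column instead of "major," -> not a device
    esac
    echo "$kind ${5%,} $6"
}

# jail_mknod JAIL NAME [PERM] [dry-run]
# Creates JAIL/dev/NAME with the host's type/major/minor for /dev/NAME.
# PERM defaults to 0666; narrow it (e.g. 0444 for random) when the jailed
# service only needs to read. With "dry-run" only the command is printed.
jail_mknod() {
    jail=$1; name=$2; perm=${3:-0666}; dry=$4
    line=$(ls -lL "/dev/$name" 2>/dev/null) || { echo "/dev/$name: not found on host" >&2; return 1; }
    nums=$(device_numbers "$line") || { echo "/dev/$name: not a device node" >&2; return 1; }
    set -- $nums
    cmd="mknod $jail/dev/$name $1 $2 $3 && chmod $perm $jail/dev/$name"
    if [ "$dry" = dry-run ]; then
        echo "$cmd"
        return 0
    fi
    mkdir -p "$jail/dev" && mknod "$jail/dev/$name" "$1" "$2" "$3" && chmod "$perm" "$jail/dev/$name"
}

# Usage:  jail_mknod /jail random 0444          (as root)
#         jail_mknod /jail null 0666 dry-run    (just show the command)
```

After creating the node, `ls -lL /dev/random /jail/dev/random` should show the same major/minor pair on both lines; nothing under /jail then refers to a path outside it.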

  • [solved] nginx chroot jail: open() "/run/nginx.pid" Permission denied

    I used the perl script from the nginx wiki to configure chroot jail and also configured the nginx systemd unit file. When I try to start the service I get
    # systemctl start nginx
    Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
    # systemctl status nginx.service
    nginx.service - A high performance web server and a reverse proxy server in chroot jail
    Loaded: loaded (/etc/systemd/system/nginx.service; enabled)
    Active: failed (Result: exit-code) since tis 2013-05-07 20:58:49 CEST; 4s ago
    Process: 418 ExecStartPre=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g pid /run/nginx.pid; daemon on; master_process on; (code=exited, status=1/FAILURE)
    Executing the ExecStartPre line produces the open error.
    # /usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
    nginx: [emerg] open() "/run/nginx.pid" failed (13: Permission denied)
    What could be causing this?
    Here's my nginx.service
    # cat /etc/systemd/system/nginx.service
    [Unit]
    Description=A high performance web server and a reverse proxy server in chroot jail
    After=syslog.target network.target
    [Service]
    Type=forking
    PIDFile=/srv/http/run/nginx.pid
    ExecStartPre=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
    ExecStart=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
    ExecReload=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
    ExecStop=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit
    [Install]
    WantedBy=multi-user.target
    /srv/http/run
    # ls -ahl /srv/http/run/
    totalt 8,0K
    drwxr-xr-x 2 root root 4,0K 7 maj 20.53 ./
    dr-x--x--x 9 root root 4,0K 7 maj 20.16 ../
    -rw-r--r-- 1 root root 0 7 maj 20.53 nginx.pid
    edit:
    # chroot --userspec http:http /srv/http /usr/sbin/nginx
    nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
    I tried to change the port to 8080 and got
    # chroot --userspec http:http /srv/http /usr/sbin/nginx
    nginx: [emerg] open("/dev/null") failed (13: Permission denied)
    solution:
    The problem was due to the partition being mounted nodev,nosuid.
    Last edited by seron (2013-05-08 11:25:12)

    I know this post is quite old but I wanted to say thank you to the author that you posted this solution. THANKS!!!
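The root cause in the thread above (the partition holding /srv/http mounted nodev,nosuid) can be detected from the mount table before the jail is started: with nodev, every device node under the chroot, including its /dev/null, fails to open, which is the second error the poster saw. The script below is an added example, not from the thread or from nginx; it reads a mount table in /proc/mounts format from stdin (a constructed sample is embedded, and the live table can be piped in instead).

```shell
#!/bin/sh
# Added example: find the mount that holds a chroot directory and warn when it
# carries nodev, since a nodev filesystem makes every device node under it
# (the jail's /dev/null, /dev/random, ...) unusable for the chrooted process.
# nosuid on the same partition has a different effect: setuid binaries inside
# the jail run without their elevated privileges.

# Constructed sample in /proc/mounts format (not taken from the thread):
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

# Read a mount table on stdin and print "MOUNTPOINT OPTIONS" for the longest
# mount point that is a prefix of the given path (i.e. the mount holding it).
mount_for_path() {
    awk -v path="$1" '
        {
            mp = $2
            if (mp == "/" || path == mp || index(path, mp "/") == 1) {
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
            }
        }
        END { if (best != "") print best, opts }'
}

# Returns 0 if the filesystem holding $1 allows device nodes, 1 if it is
# mounted nodev, 2 if no mount matches. Prints a one-line verdict.
chroot_dev_check() {
    dir=$1
    entry=$(mount_for_path "$dir")
    if [ -z "$entry" ]; then
        echo "$dir: no matching mount in table"
        return 2
    fi
    mp=${entry%% *}
    opts=${entry#* }
    case ",$opts," in
        *,nodev,*)
            echo "$dir: on $mp mounted with nodev; device nodes inside the jail will fail to open"
            return 1 ;;
    esac
    echo "$dir: on $mp ($opts); device nodes usable"
    return 0
}

# Usage against the live system:   chroot_dev_check /srv/http < /proc/mounts
# Against the constructed sample:  printf '%s\n' "$SAMPLE_MOUNTS" | chroot_dev_check /srv/http
```

When the check reports nodev, the options are either to remount without it (`mount -o remount,dev ...`, if the partition's threat model allows device nodes there) or to keep the jail on a filesystem that is not mounted nodev; the same longest-prefix lookup is what `findmnt -T` does on systems that have it.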

  • Chroot-jail password problem

    I've got a running chroot-jail to allow semi-trusted users ssh-access to my webhosting server. The problem is that they can't change their passwords because `passwd` can't access files outside the chroot-jail (as it's supposed to be). I've read about someone solving this using nsswitch.conf and some sort of setup to make it possible for the users to change their passwords.
    The question is basically, how do I get around this problem, making it possible for the logged in users to change their own password?

    Oh what a tangled web we weave. I read up on keychain and I don't understand what I'm reading. Right now I cannot download my email on my computer, I can access it through the cloud. I'm sure it will be the same for the other iCloud features. When I go to preferences and select iCloud, whenever I try to sign in I get some dialog box that shows "A keychain cannot be found to store 1076701306." It doesn't matter whether I reset it or cancel it out, iCloud preferences remain grayed out.
    In keychain access on the left side under keychains and Read's local item, systems, and systems roots.
    When I select local items nothing shows up to the right under the name column even when down under all items is selected nothing shows up.  And nothing shows up to the right when under categories I selected the other options password etc.  On the other hand when I select under keychains systems, systems roots I do get items to show up on the right side under names under all items, passwords, etc.  Where do I start?

  • MySQL System DSN: Host is not allowed to connect to this MySQL Server

    Hi all,
    I'm creating a FileMaker database to keep track of support and to-do items, for a large forum-site I'm managing here in Denmark.
    The site runs on our webhost's servers, but I have a MacMini server we use for development. I'd like to connect the MacMini's MySQL server to FileMaker, and have purchased Actual's ODBC pack which works great. I can connect to the MySQL server on the MacMini via Navicat, by enabling an SSH Tunnel.
    When trying to create a System DSN via the Actual ODBC drivers, to connect to the MacMini, I get this error:
    Link to screenshot: http://img.skitch.com/20100104-82xe6j7x9b8cjmj357t33p9sb1.png
    The one very strange thing is that the Mac I'm trying to connect from is at 192.168.1.15 and not 10.0.0.5! The MacMini is at 10.0.0.2, so it makes no sense whatsoever, and as I said, I can connect fine to 10.0.0.2 via Navicat, even though it only works when I enable SSH Tunneling.
    But of course the Actual ODBC drivers (or any others, for that matter?!) do not support creating an SSH Tunnel, so I need to be able to connect directly to the MacMini's SQL server, but when I try I get the above error.
    Port 3306 IS open on the server, so I must be overlooking something obvious. I've tried to change the socket when setting up the System DSN to /var/mysql/mysql.sock or /var/mysql but that changes nothing. Ohh yeah, that is ignored for remote servers by the way!
    Can anyone help? How do you guys setup your System DSN to a Mac-server with Snow Leopard Server on it?
    Thank you so much in advance
    Thomas
    PS: I can connect fine to our Webhosts MySQL server with the Actual Drivers, but to decrease load on that server, I'd like to get the data for the FileMaker Support Database from our development-server instead!

    bump
    Anyone got an idea on this? If I've posted in the wrong forum, please advise, because I was a little in doubt as to where this was to be placed

  • Java mysql OK with Terminal but not OK with Apache local web server

    With terminal I have :
    CLASSPATH=/System/Library/Frameworks/JavaVM.framework/Versions/1.4.2/Classes/:/Library/Java/Extensions/:./
    SUDO_GID=20
    SECURITYSESSIONID=210800
    _=/usr/bin/printenv
    127:/Library/WebServer/Documents/Java root# java TestMySQL
    2006-05-21 13:39:00.0 ************************************************** = OK
    127:/Library/WebServer/Documents/Java root#
    import java.sql.*;

    /*
     * mysql-connector-java-3.1.12-bin.jar
     *   % javac /Library/WebServer/Documents/Java/TestMySQL.java
     *   % java TestMySQL
     */
    public class TestMySQL {
            public static void main(String argv[]) throws Exception {
                    // Load the driver class
                    Class.forName("org.gjt.mm.mysql.Driver");
                    /* 1 */ //Class theClass = null;
                    /* 2 */ //try {
                    /* 3 */ //    theClass = Thread.currentThread().getContextClassLoader().loadClass("org.gjt.mm.mysql.Driver");
                    /* 4 */ //}
                    /* 5 */ //catch (ClassNotFoundException e) {
                    /* 6 */ //    theClass = getClass().getClassLoader().loadClass("org.gjt.mm.mysql.Driver");
                    /* 7 */ //}
                    // The user and password arguments were cut off in the original post;
                    // the placeholders below stand in for them.
                    Connection conn = DriverManager.getConnection(
                            "jdbc:mysql:///test", "USER_PLACEHOLDER", "PASSWORD_PLACEHOLDER");
                    Statement stmt = conn.createStatement();
                    ResultSet rset = stmt.executeQuery("SELECT now();");
                    while (rset.next()) {
                            System.out.println(rset.getString(1));
                    }
                    // Close result set, statement and DB connection
                    rset.close();
                    stmt.close();
                    conn.close();
            }
    }
    I have a simple TestMySQL.html file with applet TestMySQL.class in it.
    Nothing but "Applet TestMySQL not inited"
    When I uncomment the try/catch lines (lines 1 to 7) , java compiler generate an error... near getClass().getClassLoader().loadClass("org.gjt.mm.mysql.Driver");
    With "Class.forName("org.gjt.mm.mysql.Driver");" no problem.
    Running MacOS X 10.3.9, Apache/1.3.33 (Darwin) PHP/4.4.1 mod_ssl/2.8.24 OpenSSL/0.9.7i and JVM 1.4.2_09
    Thanks for help.
    P.S. This my first approach to java/mysql but I would like to see this short program running on my local web server ...
    Thanks.

    hi :-)
    can you post the stack trace?
    im not sure what is causing the error because of less info,
    but have you tried to copy the driver of mysql to tomcat lib folder?
    regards,

  • Inserting Into MYSQL Table Via Air/PHP = Not Allowed?

    I'm having trouble inserting data into my mysql database tables through my air app. All the code is pretty much exactly the same as in some examples I've seen but it simply won't do it. Is this because of some sort of security restriction because the air app is on my machine and the server with my mysql database on is elsewhere? Or is it possible to insert data via an air app?
    Here is the example I've been following:-
    http://livedocs.adobe.com/flex/3/html/help.html?content=data_access_2.html

    jimmyoneshot wrote:
    Thanks for the answers boys. I've decided I'm going to change it into a flex app instead as then there won't be any problems. It simply means I'll have to add a logon system to it.
    While we're on the subject, do you guys happen to know of any examples anywhere of how someone can REMOVE data from an sql table via flex/php?
    What I'm looking for is basically when a user uses my app and enters info into some text inputs, if that specific info exists within a table then that data will be removed from the table. The way this works is that they will choose an item within a tilelist which is populated by the data from this mysql table and this will insert the data of the selected item into the text inputs and then they click a remove button to remove that item. Can't find anything similar anywhere though.
    You will have to use a common identifier, eg:
    give each row in your database an ID.
    then pass that ID value on the button press to a PHP script, which does something like:
    $deleteID = $_POST["delID"];
    // Escape the posted value before it goes into the SQL string, otherwise a
    // crafted delID can rewrite the DELETE (needs an open mysql connection).
    mysql_query("DELETE FROM exampleTable WHERE ID='" . mysql_real_escape_string($deleteID) . "'");
    maybe check that a row with that ID exists first for verification, then pass back a value indicating if removal was a success or not.
    You can delete on other values, but remember they have to be unique for the database, else you'll run the risk of deleting multiple values.
    Or you could delete on a compound key, depends on the data you're storing in the grid.

  • Tiger Server: Default MySQL works for phpMyAdmin but not command line ? ? ?

    Greetings all,
    I followed the excellent instructions at
    http://discussions.apple.com/thread.jspa?threadID=132783&tstart=0
    on upgrading PHP to version 5 and getting (the preinstalled) MySQL setup with phpMyAdmin
    I can connect through the phpMyAdmin, create new dbs, etc. Problem is that now I CAN'T connect from the command line. (I originally set my new root password from the command line and that's the last time I could connect from there!
    Now I get the dreaded ERROR 2002 when I attempt:
    /usr/bin/mysql -h localhost -u root -p
    If I use the IP address or hostname instead of "localhost" (after -h) I get a ERROR 2003. Dropping the -h and hostname from the line above still gets me a ERROR 2002.
    My phpMyAdmin config is a connect type "TCP" not socket, which might be one reason it works and the command line doesn't, but I still don't know where I've gone wrong.
    My /var/mysql/* is all owned by mysql and group www.
    I'm finding lots of people asking about the ERROR 2002, but not finding any solutions (particularly for Tiger Server). I'd prefer to use the preinstalled MySQL to installing a new installation (the thread referenced above says upgrading or removing the MySQL installation is too hard to do) and there has GOT to be a reasonable explanation for why it works with phpMyAdmin, but not the command line.
    Thanks in advance for any replies!
    Many   Mac OS X (10.4.3)  

    You know what? I think when I started mysql_safe, I did it with sudo. Maybe that is my problem?
    If so, what user do I want to start it as? I've seen one suggestion of doing this:
    ./bin/mysqld_safe --user=mysql &

  • Mysql in chroot possible on Leopard?

    Has anyone successfully installed mysql from fink into a chroot on OSX? If so, how? The reason I ask is, I want to be able to accidentally wreck the mysql installation and simply wipe the chroot dir to start over from scratch if I want to. If there is a better way to do this, I'm open to suggestions.
    As it is now, I installed mysql from fink and received an error message that led me to discover mysql.sock was never created. I wanted to uninstall mysql and run the installation process again; however, now there are mysql files all over the place and I can't figure out how to uninstall it. I tried dselect and "sudo fink remove mysql", neither of which appeared to work. If anyone could help me clean mysql from Leopard (beyond "rm /sw/bin/mysql*"), as well, that would be appreciated.
    Thank you.

    1. I can't find the hidden file .profile - I have already used TextWrangler to browse though my folders and I still couldn't find it.
    It's entirely possible, and valid, for there to be no ~/.profile.
    If that's the case, just create it.
    2. No Terminal command mentioned in the file seems to work. All of them return error messages.
    Can you give an example, including the error message. The error message will go a long way to explaining why it didn't work.

  • Chroot + ls /* does not work

    I'm trying to "chroot" the ls command
    I've got the following structure
    /home
        /myDirectory
            /dir1
                /file1
            /dir2
                /file2
        /bin
        /lib
        /etc
    When I launch the following command (to get the full path of the directory):
    # chroot /home /bin/ls -d /myDirectory/*/file1
    I get the following error : chroot: No match. I can't even 'truss' it. Is there a conf-file in which the wildcard '*' is defined and that I need to add in my 'chrooted' environment ?

    karol wrote:
    No idea why you have 2 slashes:
    /usr/bin/vendor_perl//ls++
    Does it work in other terminals?
    Did you relogin after installing?
    Is your system up to date?
    not work in other terminal
    yes
    yes
    Kaustic wrote:
    More than two slashes are always truncated to one internally:
    ls -l /////////////bin////bash
    -rwxr-xr-x 1 root root 721K Jun 1 01:10 /////////bin///bash*
    http://unix.stackexchange.com/questions … rname-file
    I love all these little historical nuances in the history of UNIX ♥
    so I had to follow the link above?

  • MySQL error on localhost, but not remote!!

    I am getting an error of:
    Warning: mysql_free_result() expects parameter 1 to be resource, null given in /Users.... line 848
    But I am only getting this on my dev machine. It doesn't show on the remote site. I have taken the remote DB and put it in place of my local one just in case I had inadvertently deleted something, but still no joy.
    I have closed the recordset using:
    mysql_free_result($rs_reg_domain);
    But have had to use the following to hide the error:
    //if (is_resource($rs_reg_domain)) mysql_free_result($rs_reg_domain);
    and finally this is the recordset:
    mysql_select_db($database_conn_mrs, $conn_mrs);
    $query_rs_domain = "SELECT * FROM tbl_settings WHERE fld_settingsNAME = 'domain'";
    $rs_domain = mysql_query($query_rs_domain, $conn_mrs) or die(mysql_error());
    $row_rs_domain = mysql_fetch_assoc($rs_domain);
    $totalRows_rs_domain = mysql_num_rows($rs_domain);
    'domain' has a value.
    What's wrong?
    Thanks

    The reason you get an error locally, but not on the remote server is almost certainly because the remote server has the PHP display_errors configuration setting turned off. The error still occurs, but it's not displayed. Most hosting companies turn off the display of errors for security reasons.
    Looking at the code you have given here, it looks as though the error is caused by using the wrong variable name for the recordset. The recordset is $rs_domain, but you're passing $rs_reg_domain to mysql_free_result().

  • MySQL data source/JNDI name not found

    Hi,
    I created a JDBC data source (MySQLDS) and a connection pool through AppServer 7's Admin Console but my local entity bean couldn't find it. It threw a NameNotFoundException. I have the following descriptor in the sun-ejb-jar.xml
    <ejb>
    <ejb-name>ServiceCatalogBean1</ejb-name>
    <jndi-name>ejb/ServiceCatalogBean1</jndi-name>
    <resource-ref>
    <res-ref-name>jdbc/MapServiceDS</res-ref-name>
    <jndi-name>MySQLDS</jndi-name>
    </resource-ref>
    </ejb>
    Any advice will be highly appreciated.
    thanks in advance
    Frank
    More info: I'm using the JDBC driver mm.mysql-2.0.4 and have no problem running with WebLogic 7.

    Hi,
    Can you post the relevant <jdbc-resource> element in server.xml? Also, your res-ref in ejb xml?
    Thanks.
    -Tuan.
