mysql-server-5.1 can't chroot

Bug #434915 reported by Ervin Hegedüs
This bug affects 1 person
Affects: mysql-dfsg-5.1 (Ubuntu)
Status: Won't Fix
Importance: Low
Assigned to: Jamie Strandboge

Bug Description

Package: mysql-server-5.1
Release: Karmic alpha-6 (up to date at the time of the bug report)
Version: 5.1.37-1ubuntu4

Hello,

I installed a LAMP server when I installed the base system. I usually run MySQL in a chrooted environment; here is a good howto:
http://blog.blackdown.de/2006/12/30/chrooting-recent-mysql-versions-on-debian-and-ubuntu/

When I started MySQL, these messages appeared in the logs:
... mysqld: 090922 15:47:43 [ERROR] chroot: Operation not permitted
... mysqld: 090922 15:47:43 [ERROR] Aborting

Since Jaunty, when MySQL runs in a chroot, the AppArmor config must be modified (enable the sys_chroot capability and allow access to many files; that part passed).
Then there were:
... mysqld: 090922 15:57:40 [ERROR] Fatal error: Can't change to run as user 'mysql' ; Please check that the user exists!
... mysqld:
... mysqld: 090922 15:57:40 [ERROR] Aborting
... mysqld:

Okay, I changed the running user from mysql to root, and MySQL started in the chroot. It's not a good idea to run as root, so I rejected that option.

I moved usr.sbin.mysqld out of the apparmor directory; then MySQL started in the chroot, but it wanted to use /var/log/mysql/mysql.log instead of $CHROOT/var/log/mysql/mysql.log.
(/proc/pid_of_mysql/root contains only the restricted chroot that I set up, so MySQL was definitely running in the chroot.)

I downgraded to mysql-server-5.0, and now MySQL runs perfectly in the chroot as user mysql.

Ervin Hegedüs (airween)
affects: ubuntu → mysql-dfsg-5.1 (Ubuntu)
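The three failures the report walks through (chroot(2) refused, the user lookup failing, the log path resolved against the wrong root) each correspond to something that can be checked before the daemon is started. What follows is an added example, not code from the report, from the linked howto or from the Ubuntu package: a POSIX sh pre-flight check over a chroot directory and an AppArmor profile file. The paths, the 'mysql' user name and the `capability sys_chroot,` rule syntax are taken from the report and from AppArmor's profile language; which of these the reporter's 5.1-with-AppArmor case actually needed is not something the thread settles, so the checks are an assumption about prerequisites, not a diagnosis.

```sh
#!/bin/sh
# Added example (not from the bug report or the mysql packages): pre-flight
# checks for running mysqld under --chroot, keyed to the three errors in the
# report. The arguments are assumptions; on the reporter's system they would be
# the chroot directory and /etc/apparmor.d/usr.sbin.mysqld.
#
# Usage: check_mysql_chroot /srv/mysql-chroot /etc/apparmor.d/usr.sbin.mysqld
# Prints one line per check and returns the number of failed checks (0 = ready).
check_mysql_chroot() {
    chroot_dir=$1
    profile=$2
    failures=0

    # 1. "[ERROR] chroot: Operation not permitted": when an AppArmor profile is
    #    loaded for mysqld, chroot(2) is refused unless the profile grants the
    #    capability. A missing profile file is treated as "not confined".
    if [ -n "$profile" ] && [ -f "$profile" ] \
       && ! grep -Eq '^[[:space:]]*capability[[:space:]]+sys_chroot[[:space:]]*,' "$profile"; then
        echo "FAIL: $profile does not contain 'capability sys_chroot,'"
        failures=$((failures + 1))
    else
        echo "ok:   sys_chroot capability (no profile, or profile grants it)"
    fi

    # 2. "Can't change to run as user 'mysql' ; Please check that the user
    #    exists!": a name lookup performed after chroot(2) reads passwd/group
    #    under the new root, so the chroot needs its own 'mysql' entries
    #    (assumption: mysqld resolves the user after chrooting, as the howto's
    #    copying of these files implies).
    if grep -q '^mysql:' "$chroot_dir/etc/passwd" 2>/dev/null \
       && grep -q '^mysql:' "$chroot_dir/etc/group" 2>/dev/null; then
        echo "ok:   mysql user and group present under $chroot_dir/etc"
    else
        echo "FAIL: no 'mysql' entry in $chroot_dir/etc/passwd and $chroot_dir/etc/group"
        failures=$((failures + 1))
    fi

    # 3. mysqld opens /var/log/mysql/mysql.log; inside the chroot that path must
    #    exist relative to the new root, i.e. $CHROOT/var/log/mysql.
    if [ -d "$chroot_dir/var/log/mysql" ]; then
        echo "ok:   $chroot_dir/var/log/mysql exists"
    else
        echo "FAIL: $chroot_dir/var/log/mysql is missing"
        failures=$((failures + 1))
    fi

    return "$failures"
}
```

Run it as root against the real chroot before starting the service; a non-zero exit code is the count of unmet prerequisites, so it can gate an init script. The capability check only inspects the profile text and does not tell you whether that profile is currently loaded in the kernel.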
Mathias Gug (mathiaz) wrote:

Thank you for taking the time to report this issue and helping to make Ubuntu better. We appreciate the difficulties you are facing - why are you running mysqld in a chroot?

Changed in mysql-dfsg-5.1 (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Ervin Hegedüs (airween) wrote: Re: [Bug 434915] Re: mysql-server-5.1 can't chroot

Dear Mathias,

> Thank you for taking the time to report this issue and helping to make
> Ubuntu better. We appreciate the difficulties you are facing - why are
> you running mysqld in a chroot?

Maybe I don't understand your question "why are you running mysqld in
a chroot"...

There are several answers to this question; everybody can choose a good
ideology :)
My choice is more security. For a few years now I haven't installed MySQL
(or many other network services) without a chroot, and I would like to keep
doing that in the future.

Thanks:

a.

Jamie Strandboge (jdstrand) wrote:

Running a process confined and chrooting it are typically two different, mutually exclusive solutions to the same problem.

The AppArmor profile contains mysqld in a similar way to what traditional chrooting does. There is no reason to chroot mysqld on Ubuntu if you are using the AppArmor profile. The profile was developed so that all mysqld users would benefit from the enhanced security of running mysqld under confinement, without having to diverge from the standard installation and use a chroot.

Users are welcome to use traditional chrooting if they prefer, and need only disable the AppArmor profile by performing:
$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
$ sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/usr.sbin.mysqld

The first unloads the profile from the kernel, and the second disables the profile on boot.

Changed in mysql-dfsg-5.1 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Incomplete → Won't Fix
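The two commands in the comment above are the whole procedure for disabling a single AppArmor profile on Ubuntu: a symlink under /etc/apparmor.d/disable/ keeps the profile from being loaded at boot, and apparmor_parser -R unloads the copy already in the kernel. The following is an added example, not code from the thread or from Ubuntu's packaging, that wraps the procedure in a POSIX sh function which is idempotent, creates the boot-time disable mark before the live unload (so a profile reload in between cannot bring it back), and takes the profile directory as a parameter so it can be exercised against a scratch directory. The parameterisation and the root/apparmor_parser guard are assumptions of this example, not part of the commands quoted above.

```sh
#!/bin/sh
# Added example (not from the bug thread or Ubuntu's packaging): disable one
# AppArmor profile as described in the comment above, idempotently.
# PROFILE_DIR is a parameter so the function can be tested in a scratch
# directory; on a real system it is /etc/apparmor.d and you must be root.
#
# Usage: disable_apparmor_profile /etc/apparmor.d usr.sbin.mysqld
# Exit codes: 0 disabled (or already disabled), 1 unload failed, 2 no such profile.
disable_apparmor_profile() {
    profile_dir=$1
    name=$2
    profile="$profile_dir/$name"
    link="$profile_dir/disable/$name"

    [ -f "$profile" ] || { echo "no such profile: $profile" >&2; return 2; }

    # Step 1 (persistent): the boot-time loader skips any profile that has a
    # symlink in disable/, so mark it first. Doing this before the unload means
    # a profile reload racing with us cannot re-enable the profile.
    mkdir -p "$profile_dir/disable"
    if [ -L "$link" ]; then
        echo "already marked disabled on boot: $link"
    else
        ln -s "$profile" "$link"
        echo "marked disabled on boot: $link"
    fi

    # Step 2 (live): unload the profile from the kernel. Only attempted when we
    # are root, apparmor_parser exists and we are operating on the real
    # directory (assumption: this guard keeps scratch-directory runs harmless).
    if [ "$(id -u)" -eq 0 ] && command -v apparmor_parser >/dev/null 2>&1 \
       && [ "$profile_dir" = /etc/apparmor.d ]; then
        apparmor_parser -R "$profile" || return 1
        echo "unloaded from kernel: $profile"
    fi
    return 0
}

# Exit 0 if the profile is marked disabled on boot, 1 otherwise.
# Usage: is_profile_disabled /etc/apparmor.d usr.sbin.mysqld
is_profile_disabled() {
    [ -L "$1/disable/$2" ]
}
```

After running it on a live system, `sudo aa-status` should no longer list /usr/sbin/mysqld among the loaded profiles; if it still does, the unload step was skipped or failed and only the boot-time mark is in place.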
Ervin Hegedüs (airween) wrote:

Hmmm, sorry for my incomprehension, but I don't understand why MySQL 5.0 works with AppArmor in a chroot and MySQL 5.1 does not.
That is my only problem; everything else is clear to me.

Thank you:

a.
