Chrooted environments are known to enhance system and application security by providing them with a higher degree of isolation. The objective is to separate as much as possible from other executables and resources the runtime environment of an application so that if a hacker get access to MySQL database, the rest of the system is not compromised. This operation consists in creating separate set of filesystem directories (such as /etc, /tmp, /var/tmp, /usr, /dev, /proc etc) and copy a minimal number of binary and configuration files into this new directory tree.
After setting the proper permissions on the new directories, the chrootuid utility is used to execute the application in the restricted environment. Again, whoever gains control on the application has only access to the /chroot directory tree, and many tools and services are not available in that environment.
Following are the steps required to setup MySQL chroot environment.
Check mysql status and it is better to stop MySQL service if it is not stopped.
sudo /etc/init.d/mysqld status
List the mysql packages and its version installed
sudo rpm -qa mysql-server mysql-libs mysql
Download the rpm files of the packages installed. We have to download exact version of the package rpms
wget http://rpms.famillecollet.com/enterprise/6/remi/x86_64/mysql-5.5.47-1.el6.remi.x86_64.rpm
wget http://rpms.famillecollet.com/enterprise/6/remi/x86_64/mysql-libs-5.5.47-1.el6.remi.x86_64.rpm
wget http://rpms.famillecollet.com/enterprise/6/remi/x86_64/mysql-server-5.5.47-1.el6.remi.x86_64.rpm
Extract all the downloaded rpm files with the command below
rpm2cpio mysql-5.5.47-1.el6.remi.x86_64.rpm | cpio -idmv
rpm2cpio mysql-libs-5.5.47-1.el6.remi.x86_64.rpm | cpio -idmv
rpm2cpio mysql-server-5.5.47-1.el6.remi.x86_64.rpm | cpio -idmv
In our case we are using directory /opt/chroot/mysql as our new root and hosting MySQL from chrooted directory /opt/chroot/mysql so lets create required directories with root privileges.
sudo su -
mkdir -p /opt/chroot/mysql
cd /opt/chroot/mysql
List the extracted content and copy extracted directories to our chroot directory /opt/chroot/mysql
ls
sudo cp -r usr /opt/chroot/mysql/
sudo cp -r etc /opt/chroot/mysql/
sudo cp -r var /opt/chroot/mysql/
Login as user root and change directory to /opt/chroot/mysql and Create additional required directories.
sudo su -
cd /opt/chroot/mysql
mkdir -p bin dev lib lib64 proc sys tmp
Change the permission of /tmp accessible to everyone
chmod 777 /opt/chroot/mysql/tmp
Change ownership of required files to mysql user
chown mysql:mysql /opt/chroot/mysql/var/run/mysqld
chown mysql:mysql /opt/chroot/mysql/var/lib/mysql
Copy following library files to chrooted lib location /opt/chroot/mysql/lib, /opt/chroot/mysql/lib64
Follow the process below to copy these files.
Create /tmp/liblist file with the following contents
ld-linux-x86-64.so.2
libcrypto.so.10
libgmp.so.3
libkrb5support.so.0
libnss_dns-2.12.so
libnss_nis-2.12.so
libpam_misc.so.0
libresolv.so.2
libz.so.1
libacl.so.1
libcrypt.so.1
libgssapi_krb5.so.2
libkrb5support.so.0.1
libnss_dns.so.2
libnss_nisplus-2.12.so
libpam_misc.so.0.82.0
librt.so.1
libattr.so.1
libc.so.6
libk5crypto.so.3
libm.so.6
libnss_files-2.12.so
libnss_nisplus.so.2
libpam.so.0
libselinux.so.1
libaudit.so.1
libdl.so.2
libkeyutils.so.1
libnsl.so.1
libnss_files.so.2
libnss_nis.so.2
libpam.so.0.82.2
libssl.so.10
libcap.so.2
libfreebl3.so
libkrb5.so.3
libnss_compat-2.12.so
libnss_hesiod-2.12.so
libpamc.so.0
libpcre.so.0
libstdc++.so.6
libcom_err.so.2
libgcc_s.so.1
libkrb5.so.3.3
libnss_compat.so.2
libnss_hesiod.so.2
libpamc.so.0.82.1
libpthread.so.0
libtinfo.so.5
libaio.so
libaio.so.1
libproc-3.2.8.so
Execute following command to copy file
find /lib/ | grep -if /tmp/liblist | xargs -I {} cp {} /opt/chroot/mysql/lib/
find /usr/lib/ | grep -if /tmp/liblist | xargs -I {} cp {} /opt/chroot/mysql/lib/
find /lib64/ | grep -if /tmp/liblist | xargs -I {} cp {} /opt/chroot/mysql/lib64/
find /usr/lib64/ | grep -if /tmp/liblist | xargs -I {} cp {} /opt/chroot/mysql/lib64/
Verify files are properly copied
cd /opt/chroot/mysql/lib64/
ls
Copy executables to bin directory
cp -a /bin/* /opt/chroot/mysql/bin/
cp -a /usr/bin/expr /opt/chroot/mysql/usr/bin/
cp -a /usr/bin/dirname /opt/chroot/mysql/usr/bin/
cp -a /usr/bin/nohup /opt/chroot/mysql/usr/bin/
Add following configuration in /etc/fstab
cat >> /etc/fstab
/sys /opt/chroot/mysql/sys none bind 0 0
/proc /opt/chroot/mysql/proc none bind 0 0
/dev /opt/chroot/mysql/dev none bind 0 0
Execute mount -a command to mount bind.
mount -a
Create additional directory and copy required configuration files.
mkdir -p /home/chroot/etc/
cp /etc/passwd /opt/chroot/mysql/etc/
cp /etc/group /opt/chroot/mysql/etc/
cp /etc/nsswitch.conf /home/chroot/etc/
cp /etc/localtime /home/chroot/etc/
Move existing my.cnf inside chroot directory to my.cnf.chroot file and copy running my.cnf there
mv /opt/chroot/mysql/etc/my.cnf /opt/chroot/mysql/etc/my.cnf.chroot
cp /etc/my.cnf /opt/chroot/mysql/etc
Make sure mysql is stopped before copying datafiles under the chrooted environment
/etc/init.d/mysqld status
Copy mysql data dir content to data directory
cp -r /var/lib/mysql/* /opt/chroot/mysql/var/lib/mysql/
chown -R mysql:mysql /opt/chroot/mysql/var/lib/mysql
Execute chroot command to use newly configured root
chroot /opt/chroot/mysql
Under new root execute following command to start mysql server manually
/usr/bin/mysqld_safe \
--datadir=/var/lib/mysql --socket=/var/run/mysqld/mysql.sock \
--pid-file=/var/run/mysqld/mysql.pid --basedir=/usr \
--user=mysql > /dev/null 2>&1 &
Check the log on newly configured root
Edit /etc/init.d/mysqld file outsize the chroot environment and add following configuration files to MySQL startup file(/etc/init.d/mysqld) search for $exec --datadir on start block Originally it looks like below
Original:
$exec --datadir="$datadir" --socket="$socketfile" \
--pid-file="$mypidfile" \
$MYOPTIONS \
--basedir=/usr --user=mysql >/dev/null 2>&1 &
safe_pid=$!
Make it something like below
# Added by Dilli For chroot
/usr/sbin/chroot /opt/chroot/mysql \
$exec --datadir="$datadir" --socket="$socketfile" \
--pid-file="$mypidfile" \
$MYOPTIONS \
--basedir=/usr --user=mysql >/dev/null 2>&1 &
# Added by Dilli For chroot
ln -s /opt/chroot/mysql/var/lib/mysql/mysql.sock $datadir/mysql.sock 2>/dev/null
ln -s /opt/chroot/mysql/var/run/mysqld/mysqld.pid /var/run/mysqld/mysqld.pid 2>/dev/null
safe_pid=$!
Now we can start mysql with command below.
/etc/init.d/mysqld start
Thanks
ReplyDelete