Sunday, January 17, 2016

Secure MySQL server with chroot environment

3:28 PM Posted by Dilli Raj Maharjan , 1 comment
Chrooted environments are known to enhance system and application security by providing them with a higher degree of isolation. The objective is to separate as much as possible from other executables and resources the runtime environment of an application so that if a hacker get access to MySQL database, the rest of the system is not compromised. This operation consists in creating separate set of filesystem directories (such as /etc, /tmp, /var/tmp, /usr, /dev, /proc etc) and copy a minimal number of binary and configuration files into this new directory tree. 
After setting the proper permissions on the new directories, the chrootuid utility is used to execute the application in the restricted environment. Again, whoever gains control on the application has only access to the /chroot directory tree, and many tools and services are not available in that environment.

Following are the steps required to setup MySQL chroot environment.


Check mysql status and it is better to stop MySQL service if it is not stopped.

sudo /etc/init.d/mysqld status







List the mysql packages and its version installed  

sudo rpm -qa mysql-server mysql-libs mysql







Download the rpm files of the packages installed. We have to download exact version of the package rpms

wget http://rpms.famillecollet.com/enterprise/6/remi/x86_64/mysql-5.5.47-1.el6.remi.x86_64.rpm
wget http://rpms.famillecollet.com/enterprise/6/remi/x86_64/mysql-libs-5.5.47-1.el6.remi.x86_64.rpm
wget http://rpms.famillecollet.com/enterprise/6/remi/x86_64/mysql-server-5.5.47-1.el6.remi.x86_64.rpm














Extract all the downloaded rpm files with the command below

rpm2cpio mysql-5.5.47-1.el6.remi.x86_64.rpm | cpio -idmv
rpm2cpio mysql-libs-5.5.47-1.el6.remi.x86_64.rpm | cpio -idmv
rpm2cpio mysql-server-5.5.47-1.el6.remi.x86_64.rpm | cpio -idmv










In our case we are using directory /opt/chroot/mysql as our new root and hosting MySQL from chrooted directory /opt/chroot/mysql so lets create required directories with root privileges.

sudo su -
mkdir -p /opt/chroot/mysql
cd /opt/chroot/mysql






List the extracted content and copy extracted directories to our chroot directory /opt/chroot/mysql

ls

sudo cp -r usr /opt/chroot/mysql/
sudo cp -r etc /opt/chroot/mysql/
sudo cp -r var /opt/chroot/mysql/











Login as user root and change directory to /opt/chroot/mysql and Create additional required directories.

sudo su -
cd /opt/chroot/mysql
mkdir -p bin dev lib lib64 proc sys tmp







Change the permission of /tmp accessible to everyone

chmod 777 /opt/chroot/mysql/tmp







Change ownership of required files to mysql user

chown mysql:mysql /opt/chroot/mysql/var/run/mysqld
chown mysql:mysql /opt/chroot/mysql/var/lib/mysql






Copy following library files to chrooted lib location /opt/chroot/mysql/lib, /opt/chroot/mysql/lib64

Follow the process below to copy these files.
Create /tmp/liblist file with the following contents
ld-linux-x86-64.so.2
libcrypto.so.10  
libgmp.so.3
libkrb5support.so.0   
libnss_dns-2.12.so  
libnss_nis-2.12.so
libpam_misc.so.0   
libresolv.so.2   
libz.so.1 
libacl.so.1
libcrypt.so.1  
libgssapi_krb5.so.2  
libkrb5support.so.0.1
libnss_dns.so.2  
libnss_nisplus-2.12.so  
libpam_misc.so.0.82.0
librt.so.1 
libattr.so.1  
libc.so.6  
libk5crypto.so.3
libm.so.6  
libnss_files-2.12.so   
libnss_nisplus.so.2
libpam.so.0  
libselinux.so.1 
libaudit.so.1  
libdl.so.2
libkeyutils.so.1  
libnsl.so.1  
libnss_files.so.2
libnss_nis.so.2  
libpam.so.0.82.2 
libssl.so.10 
libcap.so.2
libfreebl3.so    
libkrb5.so.3   
libnss_compat-2.12.so
libnss_hesiod-2.12.so  
libpamc.so.0   
libpcre.so.0
libstdc++.so.6 
libcom_err.so.2       
libgcc_s.so.1
libkrb5.so.3.3       
libnss_compat.so.2     
libnss_hesiod.so.2
libpamc.so.0.82.1       
libpthread.so.0        
libtinfo.so.5
libaio.so
libaio.so.1
libproc-3.2.8.so










Execute following command to copy file

find /lib/ | grep -if /tmp/liblist  | xargs -I {} cp {} /opt/chroot/mysql/lib/
find /usr/lib/ | grep -if /tmp/liblist  | xargs -I {} cp {} /opt/chroot/mysql/lib/
find /lib64/ | grep -if /tmp/liblist  | xargs -I {} cp {} /opt/chroot/mysql/lib64/
find /usr/lib64/ | grep -if /tmp/liblist  | xargs -I {} cp {} /opt/chroot/mysql/lib64/



Verify files are properly copied

cd /opt/chroot/mysql/lib64/
ls










Copy executables to bin directory

cp -a /bin/* /opt/chroot/mysql/bin/
cp -a /usr/bin/expr /opt/chroot/mysql/usr/bin/
cp -a /usr/bin/dirname /opt/chroot/mysql/usr/bin/
cp -a /usr/bin/nohup /opt/chroot/mysql/usr/bin/









Add following configuration in /etc/fstab

cat >> /etc/fstab
/sys            /opt/chroot/mysql/sys         none    bind      0      0
/proc           /opt/chroot/mysql/proc        none    bind      0      0
/dev            /opt/chroot/mysql/dev         none    bind      0      0









Execute mount -a command to mount bind.

mount -a






Create additional directory and copy required configuration files.

mkdir -p /home/chroot/etc/






 cp /etc/passwd /opt/chroot/mysql/etc/
cp /etc/group /opt/chroot/mysql/etc/
cp /etc/nsswitch.conf /home/chroot/etc/
cp /etc/localtime /home/chroot/etc/







Move existing my.cnf inside chroot directory to my.cnf.chroot file and copy running my.cnf there

mv /opt/chroot/mysql/etc/my.cnf /opt/chroot/mysql/etc/my.cnf.chroot
cp /etc/my.cnf /opt/chroot/mysql/etc







Make sure mysql is stopped before copying datafiles under the chrooted environment

/etc/init.d/mysqld status






Copy mysql data dir content to data directory 

cp -r /var/lib/mysql/* /opt/chroot/mysql/var/lib/mysql/
chown -R mysql:mysql /opt/chroot/mysql/var/lib/mysql






Execute chroot command to use newly configured root

chroot /opt/chroot/mysql 







Under new root execute following command to start mysql server manually

/usr/bin/mysqld_safe \
--datadir=/var/lib/mysql --socket=/var/run/mysqld/mysql.sock \
--pid-file=/var/run/mysqld/mysql.pid --basedir=/usr \
 --user=mysql > /dev/null 2>&1 &


















Check the log on newly configured root

tail -f /opt/chroot/mysql/var/log/mysqld.log 




Edit /etc/init.d/mysqld file outsize the chroot environment and add following configuration files  to MySQL startup file(/etc/init.d/mysqld) search for $exec --datadir on start block Originally it looks like below

Original:
        $exec   --datadir="$datadir" --socket="$socketfile" \
                --pid-file="$mypidfile" \
                $MYOPTIONS \
                --basedir=/usr --user=mysql >/dev/null 2>&1 &
safe_pid=$!
Make it something like below
# Added by Dilli For chroot
        /usr/sbin/chroot /opt/chroot/mysql \
        $exec   --datadir="$datadir" --socket="$socketfile" \
                --pid-file="$mypidfile" \
                $MYOPTIONS \
                --basedir=/usr --user=mysql >/dev/null 2>&1 &
        # Added by Dilli For chroot
        ln -s /opt/chroot/mysql/var/lib/mysql/mysql.sock $datadir/mysql.sock 2>/dev/null
        ln -s /opt/chroot/mysql/var/run/mysqld/mysqld.pid /var/run/mysqld/mysqld.pid 2>/dev/null
safe_pid=$!



Now we can start mysql with command below.

/etc/init.d/mysqld start




1 comment: