On Mon, 19 Jun 2006 13:09:20 +0200 knitti <[EMAIL PROTECTED]> wrote:
> On 6/19/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
> > On Monday 19 June 2006 18:12, Martynas Venckus wrote:
> > > I want to chroot mysql. So I chrooted it in /var/mysql (mysqld --chroot),
> > > but web applications could access mysql server only by network, which is
> > > not the most secure and fast way.
> >
> > What's not secure about binding to localhost only?
>
> protocol attacks on the application which talks to mysql?
> if you use some php stuff (any php stuff ;) and talk to mysql, you can
> manipulate the db by sql injection. if _then_ mysql has e.g. a hole
> which allows it to be manipulated or broken out into a shell, a chroot
> would help a lot ;)
>
> --knitti
>
SQL injection is unrelated to the way MySQL is accessed or to the fact that it runs chrooted. A badly written PHP application may cause SQL injection attacks to be possible even with a chrooted MySQL server. Not to mention that a script may also open a Unix socket just as it could connect to the TCP socket, and it is very doubtful that an issue would affect the tiny portion of code that does the handling of connections.

-- veins