cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Jan Dittberner <jandd AT cacert.org>
- To: Wytze van der Raay <wytze AT cacert.org>
- Cc: cacert-sysadm AT lists.cacert.org, Ian G <iang AT iang.org>, ulrich <ulrich AT cacert.org>, dirk astrath <dirk.astrath AT cacert.org>, Philipp Gühring <philipp AT cacert.org>
- Subject: Re: What's up with test1.cacert.at? (FULL)
- Date: Sun, 17 Jan 2010 21:25:05 +0100
On Sun, Jan 17, 2010 at 05:55:56PM +0100, Wytze van der Raay wrote:
> Hi Ted,
>
> On 01/11/2010 08:27 PM, Bernhard Fröhlich wrote:
> > ...
> > The bigger problem was that the php scripts could not contact the mysql
> > database. Jan's (probably correct) opinion was that the chrooted apache
> > process could not access the mysql socket at
> > /var/run/mysqld/mysqld.sock. So with some trial and error I replaced all
> > references to /var/run/mysqld with /chroot/var/run/mysqld in
> > /etc/mysqld/my.cnf and /etc/mysqld/debian.cnf.
> > Then the mysql user did not have write access to /chroot/var/run/mysqld
> > which probably prevented the creation of the socket. Therefore I chowned
> > /chroot/var/run/mysqld to mysql.
>
> All these steps should not be necessary as far as I know, at least on the
> production server we do not do this. The mysqld.sock is not needed for
> php access to the database from the chroot'ed apache, and in fact it
> should not even exist in the chroot environment for security reasons.
> The communication between apache/php and mysqld takes place via a TCP
> connection to localhost:3306; note that networking is not restricted by
> chroot (for good or for worse).
At least recent mysql php drivers try to access the socket if the connection
string contains localhost or 127.0.0.1 without a port. I don't know the exact
configuration of test1's php applications but I experienced this behaviour in
a recent php project at work.
Regards
Jan
--
Jan Dittberner - CAcert Infrastructure Team
GPG-key: 4096R/558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
http://www.dittberner.info/
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
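A check for the setup discussed in this message, added here as an example and not part of the original mail or of CAcert's own tooling: it confirms that no Unix socket exists below the chroot and that something listens on TCP port 3306 on loopback. The function names and the sample `/proc/net/tcp` text are constructed for illustration, and the address decoding assumes a little-endian Linux host.

```python
import os
import stat

MYSQL_PORT = 3306
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp


def sockets_in_chroot(chroot_root):
    """Return every Unix socket file found below chroot_root."""
    found = []
    for dirpath, _dirs, names in os.walk(chroot_root):
        for name in names:
            path = os.path.join(dirpath, name)
            if stat.S_ISSOCK(os.lstat(path).st_mode):
                found.append(path)
    return sorted(found)


def tcp_listeners(proc_net_tcp, port=MYSQL_PORT):
    """Return IPv4 addresses in LISTEN state on port, from /proc/net/tcp text."""
    addrs = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        if int(hex_port, 16) == port:
            # Assumption: little-endian host, so the address bytes are reversed.
            addrs.append(".".join(str(b) for b in bytes.fromhex(hex_ip)[::-1]))
    return addrs


def audit(chroot_root, proc_net_tcp):
    """Return a list of findings; an empty list means both checks passed."""
    findings = [f"socket inside chroot: {p}" for p in sockets_in_chroot(chroot_root)]
    listeners = tcp_listeners(proc_net_tcp)
    # A wildcard listener (0.0.0.0) also accepts connections to localhost.
    if "127.0.0.1" not in listeners and "0.0.0.0" not in listeners:
        findings.append("nothing listening on 127.0.0.1:3306")
    return findings


# Constructed sample in /proc/net/tcp format: 127.0.0.1:3306 and 0.0.0.0:22.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0
"""

if __name__ == "__main__":
    print(audit("/chroot", SAMPLE))
```

On a live host, pass the contents of `/proc/net/tcp` instead of `SAMPLE`.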