Hello,
Default MySQL installation on CentOS sets /bin/bash as shell. I'm on a user cleanup task where I want to reduce unneeded privileges to users.
What is the "mysql" user shell for? (What will happen if I change it to /bin/false or whatever would disable its shell?)
It's not only a matter of SSH (I'm aware I can AllowUsers in sshd_config for example).
From: Mihamina Rakotomandimby mihamina@rktmb.org
Default MySQL installation on CentOS sets /bin/bash as shell. I'm on a user cleanup task where I want to reduce unneeded privileges to users.
Its password should be locked. So you cannot login as mysql but you can "su - mysql" or run scripts as mysql. I do not know if any of the "standard" tools needs a shell though.
JD
On 1/9/2014 03:50, John Doe wrote:
Default MySQL installation on CentOS sets /bin/bash as shell. I'm on a user cleanup task where I want to reduce unneeded privileges to users.
Its password should be locked.
I just tested here on an EL6 VM that didn't have mysql-server on it before:
    # grep mysql /etc/shadow
    mysql:!!:16079::::::
I tried to investigate further by taking a look at the mysql-server spec file, but apparently CentOS doesn't ship with a source repo configured:
    $ yumdownloader --source mysql-server
    ....noise noise noise....
    No source RPM found for mysql-server-5.1.71-1.el6.i686
I looked in CentOS-Base.repo, and don't see one I can enable.
Also, connections to vault.centos.org are timing out right now, so I can't build a .repo file entry by hand.
So, lacking real information, I will make a wild guess as to why this happened: someone got lazy modifying an adduser/useradd command in the mysql.spec file.
Can you not set up a test system and try it out? Or, if this is your only system, could you not back it up, and test your suggestions out?
The mysql "shell" is for viewing data in your databases and manipulating the data if required. You can also add tables and things like that. It is a powerful tool if you know what you are doing.
Cheers,
Cliff
On Thu, Jan 9, 2014 at 10:27 PM, Mihamina Rakotomandimby <mihamina@rktmb.org> wrote:
Hello,
Default MySQL installation on CentOS sets /bin/bash as shell. I'm on a user cleanup task where I want to reduce unneeded privileges to users.
What is the "mysql" user shell for? (What will happen if I change it to /bin/false or whatever would disable its shell?)
It's not only a matter of SSH (I'm aware I can AllowUsers in sshd_config for example).
On 01/10/2014 02:25 AM, Cliff Pratt wrote:
Can you not set up a test system and try it out? Or, if this is your only system, could you not back it up, and test your suggestions out?
I don't have enough unit tests in mind to assume it's safe.
The mysql "shell" is for viewing data in your databases and manipulating the data if required. You can also add tables and things like that. It is a powerful tool if you know what you are doing.
I might confuse you. I'm not talking about the "mysql>" prompt. I know what it is for. I'm talking about:
    # grep mysql /etc/passwd
    mysql:x:498:498:MySQL server:/var/lib/mysql:/bin/bash
                                                ^^^^^^^^^
                                          this -|
Mihamina Rakotomandimby said the following on 09/01/2014 10:27:
Default MySQL installation on CentOS sets /bin/bash as shell.
I checked in my CentOS 6 installations.
Only one (the latest) has this issue, so it could be something added/modified in the latest months.
Other installations starting from June 2013 (included) do NOT have this issue and the shell of mysql user is /sbin/nologin
Ciao, luigi
- -- / +--[Luigi Rosa]-- \
A committee is a life form with six or more legs and no brain.
On 1/10/2014 00:40, Luigi Rosa wrote:
I checked in my CentOS 6 installations.
Only one (the latest) has this issue, so it could be something added/modified in the latest months.
I don't see how that can be. I've checked the spec file in the mysql.src.rpm for every 6.x point release from 6.0 through 6.5, and they *all* have this command:
    /usr/sbin/useradd -M -o -r -d /var/lib/mysql -s /bin/bash \
        -c "MySQL Server" -u 27 mysql > /dev/null 2>&1 || :
Actually, later versions add "-N -g mysql" to this, which as far as I can tell is basically pointless. It tells useradd to do exactly what it would have done by default anyway. It should have no bearing on this issue.
Other installations starting from June 2013 (included) do NOT have this issue and the shell of mysql user is /sbin/nologin
I have one from March 2013, and it *does* have /bin/bash as user mysql's shell.
Warren Young said the following on 10/01/2014 21:41:
I have one from March 2013, and it *does* have /bin/bash as user mysql's shell.
The June 2013 installation with /sbin/nologin COULD have been installed with an old DVD (say CentOS 6.2) and updated via Internet (I really don't remember). It's my home server, I rebuilt it last summer.
The latest with /bin/bash is a CentOS VM hosted at www.cloudatcost.com
Nearly on the same period I created a VM at Hetzner.de, and it has /sbin/nologin
The funny thing is that both cloudatcost.com and hetzner.de are two VMs provided with the "Minimal" installation and I installed mysql-server package from the repositories. I am not sure if I chsh-ed the mysql account.
Anyway, why assign an interactive shell to mysql???
Ciao, luigi
- -- / +--[Luigi Rosa]-- \
The world is coming to an end... SAVE YOUR BUFFERS!!!
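The check the thread performs by hand with grep, generalized as an added example (not code from any poster or from the CentOS or MySQL packages): it lists every system account that still has a login shell and shows whether its password is locked. The function names, the 500 UID cutoff and every sample account other than the two mysql lines quoted in the thread are assumptions constructed for illustration.

```sh
# Added example: list system accounts that still have a usable login shell.
# uid_min (first regular-user UID) defaults to 500, an assumed EL6 value; check /etc/login.defs.
audit_service_shells() {
    passwd_file=$1; shadow_file=$2; uid_min=${3:-500}
    awk -F: -v shadow="$shadow_file" -v uid_min="$uid_min" '
        BEGIN {
            # Load the password state of each account from the shadow file.
            while ((getline line < shadow) > 0) {
                split(line, f, ":")
                if (f[2] ~ /^[!*]/)  state[f[1]] = "locked"   # e.g. "!!" as in the thread
                else if (f[2] == "") state[f[1]] = "EMPTY"
                else                 state[f[1]] = "set"
            }
        }
        $3 == 0 || $3 >= uid_min       { next }  # skip root and regular users
        $7 ~ /\/(nologin|false)$/      { next }  # shell already refuses logins
        $7 ~ /\/(sync|shutdown|halt)$/ { next }  # single-purpose stock accounts
        {
            shell = ($7 == "") ? "/bin/sh(default)" : $7
            pw = ($1 in state) ? state[$1] : "no-shadow-entry"
            printf "%s uid=%s shell=%s password=%s\n", $1, $3, shell, pw
        }
    ' "$passwd_file"
}

# Constructed sample files; only the mysql lines are taken from the thread.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:498:498:MySQL server:/var/lib/mysql:/bin/bash
backupsvc:x:497:497:constructed example:/var/backup:/bin/sh
alice:x:500:500:constructed user:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$CONSTRUCTED$notarealhash:16079:0:99999:7:::
apache:!!:16079::::::
mysql:!!:16079::::::
backupsvc:$6$CONSTRUCTED$notarealhash:16079::::::
alice:$6$CONSTRUCTED$notarealhash:16079:0:99999:7:::
EOF
}

demo() {
    dir=$(mktemp -d) && write_samples "$dir" || return 1
    audit_service_shells "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}
demo
```

On a real host, run `audit_service_shells /etc/passwd /etc/shadow` as root so the shadow file is readable; an account reported with `password=set` and a login shell deserves a closer look than one reported as `locked`.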