On 1/10/2014 12:14, Reindl Harald wrote:
Am 10.01.2014 20:11, schrieb Warren Young:
I just tested here on an EL6 VM that didn't have mysql-server on it before:
# grep mysql /etc/shadow mysql:!!:16079::::::in the config file where the users shell is defined you may find more :-)
grep mysql /etc/passwd
You've misunderstood the point of that test. It is proof that John Doe's guess is right: the mysql user's account is locked (!!). This means that only way you can "log in as mysql" and thus make use of the /bin/bash setting is to first be root, then "su - mysql". You can't su to mysql from a non-root account since that would require a password.
That's why I guess this is a symptom of a wooly-headed change to the spec file, rather than some nefarious security breach.
By the way, vault.centos.org is back. Here's what we find in the spec file:
/usr/sbin/useradd -M -N -g mysql -o -r -d /var/lib/mysql -s /bin/bash \ -c "MySQL Server" -u 27 mysql >/dev/null 2>&1 || :
-
Warren Young