[CentOS] Why does 'mysql' user has /bin/bash shell?

Fri Jan 10 19:51:15 UTC 2014
Warren Young <warren at etr-usa.com>

On 1/10/2014 12:14, Reindl Harald wrote:
>
> Am 10.01.2014 20:11, schrieb Warren Young:
>>
>> I just tested here on an EL6 VM that didn't have mysql-server on it before:
>>
>>       # grep mysql /etc/shadow
>>       mysql:!!:16079::::::
>
> in the config file where the users shell is defined you may find more :-)
>
> grep mysql /etc/passwd

You've misunderstood the point of that test.  It is proof that John 
Doe's guess is right: the mysql user's account is locked (!!).  This 
means that only way you can "log in as mysql" and thus make use of the 
/bin/bash setting is to first be root, then "su - mysql".  You can't su 
to mysql from a non-root account since that would require a password.

That's why I guess this is a symptom of a wooly-headed change to the 
spec file, rather than some nefarious security breach.

By the way, vault.centos.org is back.  Here's what we find in the spec file:

/usr/sbin/useradd -M -N -g mysql -o -r -d /var/lib/mysql -s /bin/bash \
     -c "MySQL Server" -u 27 mysql >/dev/null 2>&1 || :