Re: [CentOS] Why does 'mysql' user has /bin/bash shell?
On 1/9/2014 03:50, John Doe wrote:
>> Default MySQL installation on CentOS sets /bin/bash as shell.
>> I'm on a user cleanup task where I want to reduce unneeded privileges to users.
>
> Its password should be locked.

I just tested here on an EL6 VM that didn't have mysql-server on it before:

    # grep mysql /etc/shadow
    mysql:!!:16079::

I tried to investigate further by taking a look at the mysql-server spec file, but apparently CentOS doesn't ship with a source repo configured:

    $ yumdownloader --source mysql-server
    noise noise noise
    No source RPM found for mysql-server-5.1.71-1.el6.i686

I looked in CentOS-Base.repo, and don't see one I can enable. Also, connections to vault.centos.org are timing out right now, so I can't build a .repo file entry by hand.

So, lacking real information, I will make a wild guess as to why this happened: someone got lazy modifying an adduser/useradd command in the mysql.spec file.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Why does 'mysql' user has /bin/bash shell?
On 1/10/2014 12:14, Reindl Harald wrote:
> On 10.01.2014 20:11, Warren Young wrote:
>> I just tested here on an EL6 VM that didn't have mysql-server on it before:
>>
>>     # grep mysql /etc/shadow
>>     mysql:!!:16079::
>
> in the config file where the users shell is defined you may find more :-)
>
>     grep mysql /etc/passwd

You've misunderstood the point of that test. It is proof that John Doe's guess is right: the mysql user's account is locked (!!).

This means that the only way you can log in as mysql and thus make use of the /bin/bash setting is to first be root, then su - mysql. You can't su to mysql from a non-root account since that would require a password.

That's why I guess this is a symptom of a wooly-headed change to the spec file, rather than some nefarious security breach.

By the way, vault.centos.org is back. Here's what we find in the spec file:

    /usr/sbin/useradd -M -N -g mysql -o -r -d /var/lib/mysql -s /bin/bash \
        -c "MySQL Server" -u 27 mysql >/dev/null 2>&1 || :
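Added example, not part of the thread: a shell function that does the two grep checks discussed above for every service account at once, pairing each account's shell from the passwd file with its password state from the shadow file. The UID cutoff of 499 (the EL6 system-account range), the "shell name ends in sh" test for an interactive shell, and the sample entries in `demo` are assumptions made for this illustration.

```shell
#!/bin/sh
# audit_shells PASSWD SHADOW [MAX_UID]
# For each non-root account with UID <= MAX_UID whose shell name ends in "sh"
# (heuristic for an interactive shell), print: name uid shell password-state
audit_shells() {
    awk -F: -v max="${3:-499}" '
        FILENAME == ARGV[1] {            # first file: shadow, classify field 2
            if ($2 ~ /^[!*]/)  state[$1] = "locked"
            else if ($2 == "") state[$1] = "EMPTY"
            else               state[$1] = "password-set"
            next
        }
        $3 > 0 && $3 <= max && $7 ~ /sh$/ {   # second file: passwd
            s = ($1 in state) ? state[$1] : "no-shadow-entry"
            print $1, $3, $7, s
        }
    ' "$2" "$1"
}

# Run the audit on constructed sample files (not taken from a real host).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
backup:x:498:498:constructed example:/home/backup:/bin/sh
alice:x:500:500::/home/alice:/bin/bash
EOF
    cat > "$tmp/shadow" <<'EOF'
root:$6$constructed$hash:16079:0:99999:7:::
daemon:*:15980:0:99999:7:::
mysql:!!:16079::::::
backup:$6$constructed$hash:16079:0:99999:7:::
alice:$6$constructed$hash:16079:0:99999:7:::
EOF
    audit_shells "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

demo
# On a real host, as root: audit_shells /etc/passwd /etc/shadow
```

A "locked" result matches the mysql case in this thread: the shell is reachable only through root. A "password-set" result on a service account is the combination that deserves a closer look.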
Re: [CentOS] Why does 'mysql' user has /bin/bash shell?
On 1/10/2014 13:09, Reindl Harald wrote:
> i know that but the question is still WHY

I don't think there is a good reason. Someone made a mistake. File a bug report upstream.

I've now downloaded and examined the .src.rpm for every 6.x point release plus that for 5.10, and they all do this.

On skimming the changelog section of the spec file, I can't see an entry that explains why this was done. However, I might have more success if I knew the first version where this changed -- if indeed it ever did behave differently -- but I haven't found that version yet.

I don't think I'm going to spend any more time looking, though, since 6.0 takes me back 3 years. This behavior has been in there for quite a long time.
Re: [CentOS] Why does 'mysql' user has /bin/bash shell?
On 1/10/2014 00:40, Luigi Rosa wrote:
> I checked in my CentOS 6 installations. Only one (the latest) has this issue, so it could be something added/modified in the latest months.

I don't see how that can be. I've checked the spec file in the mysql.src.rpm for every 6.x point release from 6.0 through 6.5, and they *all* have this command:

    /usr/sbin/useradd -M -o -r -d /var/lib/mysql -s /bin/bash \
        -c "MySQL Server" -u 27 mysql >/dev/null 2>&1 || :

Actually, later versions add -N -g mysql to this, which as far as I can tell is basically pointless. It tells useradd to do exactly what it would have done by default anyway. It should have no bearing on this issue.

> Other installations starting from June 2013 (included) do NOT have this issue and the shell of mysql user is /sbin/nologin

I have one from March 2013, and it *does* have /bin/bash as user mysql's shell.
Re: [CentOS] Why does 'mysql' user has /bin/bash shell?
Warren Young said the following on 10/01/2014 21:41:
> I have one from March 2013, and it *does* have /bin/bash as user mysql's shell.

The June 2013 installation with /sbin/nologin COULD have been installed with an old DVD (say CentOS 6.2) and updated via Internet (I really don't remember). It's my home server, I rebuilt it last summer.

The latest with /bin/bash is a CentOS VM hosted at www.cloudatcost.com

Nearly on the same period I created a VM at Hetzner.de, and it has /sbin/nologin

The funny thing is that both cloudatcost.com and hetzner.de are two VMs provided with the Minimal installation and I installed mysql-server package from the repositories. I am not sure if I chsh-ed the mysql account

Anyway, why assign an interactive shell to mysql???

Ciao,
luigi

--
+--[Luigi Rosa]--
The world is coming to an end... SAVE YOUR BUFFERS!!!
Re: [CentOS] Why does 'mysql' user has /bin/bash shell?
From: Mihamina Rakotomandimby miham...@rktmb.org
> Default MySQL installation on CentOS sets /bin/bash as shell.
> I'm on a user cleanup task where I want to reduce unneeded privileges to users.

Its password should be locked.
So you cannot login as mysql but you can su - mysql or run scripts as mysql.
I do not know if any of the standard tools needs a shell though.

JD
Re: [CentOS] Why does 'mysql' user has /bin/bash shell?
Can you not set up a test system and try it out? Or, if this is your only system, could you not back it up, and test your suggestions out?

The mysql shell is for viewing data in your databases and manipulating the data if required. You can also add tables and things like that. It is a powerful tool if you know what you are doing.

Cheers,
Cliff

On Thu, Jan 9, 2014 at 10:27 PM, Mihamina Rakotomandimby miham...@rktmb.org wrote:
> Hello,
>
> Default MySQL installation on CentOS sets /bin/bash as shell.
> I'm on a user cleanup task where I want to reduce unneeded privileges to users.
>
> What is the mysql user shell for? (What will happen if I change it to /bin/false or whatever would disable its shell?)
>
> It's not only a matter of SSH (I'm aware I can AllowUsers in sshd_config for example).
Re: [CentOS] Why does 'mysql' user has /bin/bash shell?
On 01/10/2014 02:25 AM, Cliff Pratt wrote:
> Can you not set up a test system and try it out? Or, if this is your only system, could you not back it up, and test your suggestions out?

I don't have enough unit tests in mind to assume it's safe.

> The mysql shell is for viewing data in your databases and manipulating the data if required. You can also add tables and things like that. It is a powerful tool if you know what you are doing.

I might confuse you. I'm not talking about the mysql prompt. I know what it is for.
I'm talking about:

    # grep mysql /etc/passwd
    mysql:x:498:498:MySQL server:/var/lib/mysql:/bin/bash
                                                ^ this -|
Re: [CentOS] Why does 'mysql' user has /bin/bash shell?
Mihamina Rakotomandimby said the following on 09/01/2014 10:27:
> Default MySQL installation on CentOS sets /bin/bash as shell.

I checked in my CentOS 6 installations. Only one (the latest) has this issue, so it could be something added/modified in the latest months.

Other installations starting from June 2013 (included) do NOT have this issue and the shell of mysql user is /sbin/nologin

Ciao,
luigi

--
+--[Luigi Rosa]--
A committee is a life form with six or more legs and no brain.