Can MySQL log on via SSH/bash? mysql:x:27:101:MySQL Server:/var/lib/mysql:/bin/bash

Ujjain · 04-24-2009, 02:10 PM

/etc/passwd:

Code:

mysql:x:27:101:MySQL Server:/var/lib/mysql:/bin/bash

What does this mean?
Why do people often advise to set to /bin/false, but did that crash my Nagios until I gave it /bin/bash again?
Mysql user has no password set. Only users with /bin/bash (or /bin/sh etc) and a password set can log in via SSH, can they?

Just looking to understand Linux Security.

kentyler · 04-24-2009, 02:16 PM

It's safe like that.

At times you may need to su to that user to debug also. Just leave no password and it will be fine.

MensaWater · 04-24-2009, 02:21 PM

What you're showing is a simply "user" entry in /etc/passwd. The user name is mysql. The comment has mysql as well. It might as easily have been named ralph or wilhelmina.

Typically if it is not a real person it is an "administrative account". That is to say an account that was created simply to be the "owner" of files for a specific application. In this case it is most likely mysql based on the name and comment.

The reason people recommend setting the shell to /bin/false is that for administrative accounts you often don't want a real user to login to that account. Setting it to /bin/false makes any login attempt faile and exit immediately.

Sometimes you DO want another user (nagios for example) to be able to switch user (with the su command) to this user. If it is set to /bin/false then that su will fail because it tries to invoke the shell.

Setting a password on the account that no one knows helps to insure no real user will login to the account. You can then use something like ssh trust to allow the nagios user permission to run commands as mysql. Also you can setup sudoers to allow real users to "sudo su" to the admin user. We do quite a bit of the latter as there are many administrative accounts our DBAs need access to but we won't to log access which sudo does by default.