Bug 176389 - default mysql user in /etc/passwd has bash shell
default mysql user in /etc/passwd has bash shell
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: mysql (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tom Lane
David Lawrence
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-12-21 20:15 EST by Mike Rubel
Modified: 2015-07-11 11:19 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 984762 (view as bug list)
Environment:
Last Closed: 2006-01-04 22:14:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mike Rubel 2005-12-21 20:15:57 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
Mysql installs its user with a bash shell by default, instead of /sbin/nologin.  The relevant preinstall scriptlet is (from rpm -q --scripts mysql-server):

preinstall scriptlet (using /bin/sh):
/usr/sbin/useradd -M -o -r -d /var/lib/mysql -s /bin/bash \
        -c "MySQL Server" -u 27 mysql > /dev/null 2>&1 || :

For security reasons, I would think that should be -s /sbin/nologin by default.

Version-Release number of selected component (if applicable):
mysql-server-4.1.16-1.FC4.1

How reproducible:
Always

Steps to Reproduce:
1. yum install mysql-server
2. grep mysql /etc/passwd
  

Actual Results:  mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash

Expected Results:  mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin

Additional info:

I'm no mysql expert.  Perhaps there's a good reason for this behavior, but basic googling did not turn up anything.
Comment 1 Tom Lane 2005-12-21 23:03:32 EST
I see no particularly good reason to worry about this.  The mysql account is created with no password, so 
you can't log into it anyway unless root changes that.  It's not unreasonable to want to log into it, so I 
don't quite see the point of putting two roadblocks in the way instead of only one.
Comment 2 Mike Rubel 2005-12-21 23:48:01 EST
I know that password is already locked in shadow, but the behavior is still unusual.

Almost all "default" users in /etc/passwd have both password locked in shadow
and their shells set to /sbin/nologin.  Specifically, bin, daemon, adm, lp,
mail, uucp, operator, games, gopher, ftp, nobody, dbus, vcsa, rpm, haldaemon,
pcap, nscd, named, sshd, rpc, mailnull, smmsp, rpcuser, nfsnobody, and ntp all
have this property.  Is logging in as mysql a common or necessary thing to do? 
Wouldn't more-secure-by-default be a better alternative, seeing as this is just
a one-line configuration change?

This is admittedly a long shot, but if a flaw in mysqld allowed an attacker to
write a suitably-permissioned ssh key into /var/lib/mysql/.ssh/authorized_keys
(which mysqld does have access to), then the current configuration allows him to
automatically gain remote shell access, circumventing the locked password.  I've
just verified this by creating the file as mysql on a vanilla FC4 installation.
Comment 3 Tom Lane 2006-01-04 22:14:47 EST
Yes, there are good reasons to run shell commands as the mysql user --- to take a common example, 
mysqlhotcopy has to be run as that user (or else as root, which hardly seems better).  I don't find this 
issue serious enough to force people to change their database backup procedures.

The .ssh point might best be addressed by configuring SELinux to disallow the daemon from touching the 
.ssh files.  Offhand I can't think of a case where it would legitimately need to do that (though I might be 
missing something).
Comment 4 Robert Scheck 2007-02-14 10:20:30 EST
Tom, you're missing something really important - cases like at CVE-2007-0003 
some weeks ago. There it was possible to login as mysql user and to keep the 
access easily - and the mysql user was the only user where this abuse really 
worked perfect, because of /bin/bash as login shell.

Please re-open!
Comment 5 Tom Lane 2007-02-14 11:18:42 EST
The fact remains that a database administrator needs shell access as mysql to do
backups.  I'm not interested in changing this, especially since I see that MySQL
AB's RPMs create the userid with a normal shell too.  If you can convince them
to redesign their database maintenance procedures so that a shell is
unnecessary, then I'll follow suit, but I'm not going to break things on my own
authority just to add one more level of security.
Comment 6 Justin Buser 2013-07-15 17:19:52 EDT
(In reply to Tom Lane from comment #1)
> I see no particularly good reason to worry about this.  The mysql account is
> created with no password, so 
> you can't log into it anyway unless root changes that.  It's not
> unreasonable to want to log into it, so I 
> don't quite see the point of putting two roadblocks in the way instead of
> only one.

I know this is closed but I just had to comment on this, all I have to say is WOW, glad this guy isn't responsible for security in any of MY servers :)
Comment 7 Art O Cathain 2014-10-01 10:03:02 EDT
Given the recent shellshock debacle, IMHO this should at least be changed to /bin/dash (or /bin/sh - are RedHat ever going to follow Debian's lead and change /bin/sh to be dash?)
Comment 8 Honza Horak 2014-10-02 08:23:20 EDT
(In reply to Art O Cathain from comment #7)
> Given the recent shellshock debacle, IMHO this should at least be changed to
> /bin/dash (or /bin/sh - are RedHat ever going to follow Debian's lead and
> change /bin/sh to be dash?)

Feel free to join the discussion:
https://lists.fedoraproject.org/pipermail/devel/2014-October/202876.html

Anyway, since RHEL-7 mysql user has had /bin/nologin as default shell.

Note You need to log in before you can comment on or make changes to this bug.