2

I need to let a user create mysql dumps, but I want to restrict anything else. I have to do this via ssh into the server, since the mysql server is only listening on internal ip addresses, preventing me from accessing the mysql server directly.

I've tried to jail the ssh user, but that didn't quite work since it couldn't connect to the database over the mysql socket, even if I copied the socket directory into the jail.

Then I read something about /sbin/nologin allowing the user to authenticate without starting a shell. I though maybe I somehow could pass the command to create the dump / tunnel something straight to the mysql.

Does anyone have any experience allowing a user to create database dumps via ssh, but restricting anything else?

The user could also use a tool like Sequel Pro / MySQL Workbench to connect, but they'd still need to go via ssh, because the database server is otherwise inaccesible.

And they would need to download the dump, but I can make the dump accessible over SFTP.

ptf
  • 333
  • By internal ip adresses you mean 127.0.0.1 or rather 192.168.0.0/24? – Nodebody Mar 09 '17 at 12:54
  • More like 192.168.0.0/24, but it starts with 10. – ptf Mar 09 '17 at 12:58
  • You should be able to set a script that creates the dump as the users login shell. That way whenever the user logs on, the script is executed and the session ends as soon as the script finishes, thus not allowing any other action. But you need to consider that no environment is that up in that case, leaving for example PATH unset and requiring you to provide full paths and/or define them in your script. – Nodebody Mar 09 '17 at 13:06
  • @Nodebody How would you set a script as a the shell? In /etc/passwd? I could run something in .profile, then maybe terminate the session afterwards. – ptf Mar 09 '17 at 13:25
  • Yep, that's better. Using it as a shell is more complicated that I though. You could use .bashrc/.zshrc. See the answer below. – Nodebody Mar 09 '17 at 17:13

2 Answers2

1

add the code you need to execute the dump to your .bashrc/.zshrc followed by an exit. 

# .bashrc
echo "Creating DB Dump..."
dumpdumpdump
echo "Done"
exit

This is however pretty insecure. Any ctrl-c before the exit will end up giving the user a shell. You could add a trap to also exit on INT and TERM to avoid this

trap exit INT TERM;
echo "Creating DB Dump..."
dumpdumpdump
echo "Done"
exit
Nodebody
  • 551
  • 1
    One thing to check is if .bashrc or .zshrc are loaded when running ssh user@host 'command' – rovr138 Mar 09 '17 at 18:33
  • Thanks for your help! Ended up doing it kind of like this, but the script is ran with the ForceCommand sshd_config parameter when the correct user logs in. – ptf Mar 10 '17 at 14:21
1

Two possible solutions.

SSH Jail, http://allanfeid.com/content/creating-chroot-jail-ssh-access

Alternative, Jailkit, Simple & easy way to jail users

 

Or limit the users by authorized commands if they use ssh keys,

Community
  • 1
rovr138
  • 267
  • I ended up doing it sort of like in the linux journal link. I used the sshd_config in stead of the authorized_keys file for configuration, and ForceCommand runs a script. – ptf Mar 10 '17 at 14:18
  • I did try to jail the user prior to asking here, and it was complicated, so I didn't try it again. The error I had was that I could not connect to the MySQL database over the mysql socket, probably because of the chroot on the connected user. – ptf Mar 10 '17 at 14:19
  • Regarding the chroot, yes it's a bit of a pain to configure. Would you mind posting the configuration change? I would definitely like to see a different approach and may even have a use case for it. – rovr138 Mar 10 '17 at 15:04