
I need to let a user create mysql dumps, but I want to restrict anything else. I have to do this via ssh into the server, since the mysql server is only listening on internal ip addresses, preventing me from accessing the mysql server directly.

I've tried to jail the ssh user, but that didn't quite work since it couldn't connect to the database over the mysql socket, even if I copied the socket directory into the jail.

Then I read something about /sbin/nologin allowing the user to authenticate without starting a shell. I thought maybe I somehow could pass the command to create the dump / tunnel something straight to the mysql.

Does anyone have any experience allowing a user to create database dumps via ssh, but restricting anything else?

The user could also use a tool like Sequel Pro / MySQL Workbench to connect, but they'd still need to go via ssh, because the database server is otherwise inaccessible.

And they would need to download the dump, but I can make the dump accessible over SFTP.

ptf

2 Answers


Add the code you need to execute the dump to your .bashrc/.zshrc followed by an exit.

# .bashrc
echo "Creating DB Dump..."
dumpdumpdump   # placeholder for the actual mysqldump command
echo "Done"
exit

This is however pretty insecure. Any ctrl-c before the exit will end up giving the user a shell. You could add a trap to also exit on INT and TERM to avoid this.

# .bashrc
trap exit INT TERM;   # leave the shell on Ctrl-C or SIGTERM instead of dropping to a prompt
echo "Creating DB Dump..."
dumpdumpdump   # placeholder for the actual mysqldump command
echo "Done"
exit

Nodebody


Two possible solutions.

SSH Jail, http://allanfeid.com/content/creating-chroot-jail-ssh-access

Alternatively, Jailkit: a simple and easy way to jail users.


Or limit the users by authorized commands if they use ssh keys,

rovr138