1

I have a problem: I need to give access to someone, but the only way to connect to the database is via SSH, so if I have understood everything correctly, I need to create a Linux account for him (on a Debian 10 machine). The user created doesn't have any right to write in any folder, so I guess he can't break anything.

But the problem is that he can read any file in the filesystem. I don't really know what the best practice is; I know chmod could fix everything, but I don't know if it is good practice to remove all rights from others and change the group of every single file to my main Linux account.

I guess I should remove all the execution rights on the commands under the /bin folder and change the group of the files?

Thanks for reading! I hope I was clear.

  • Welcome! Never change permissions/ownership of the system's files! – schrodingerscatcuriosity May 01 '20 at 18:59
  • Ok, seems logical, but what do I do to make a user have no read/write permission in the whole system (but doesn't he need to have access to the mysql command to connect to the database via SSH?) – Christophe S May 01 '20 at 19:18
  • Is it just one command that they need to run? Or port-forwarding? Or something else? – ctrl-alt-delor May 01 '20 at 21:18
  • If you had to (I don't think you have to, but I need clarification of what you are trying to do; see earlier comment), you could protect the /home directory by removing rx for other, and creating a new group, etc. No need to apply recursively. – ctrl-alt-delor May 01 '20 at 21:20

2 Answers

1

What you asked for...

What you are looking for is chroot. This will set the / root of the filesystem to a location of your choice.

If you chroot to /home/bob for the user bob this location will look like / for bob. He will not see the rest of the filesystem. Because of this you want to place any programs he needs to run below this folder.

As we now know of chroot we can then find plenty of answers and guides:

What you want...

If the database is accessible from the Debian machine and that is all that is needed, then you are looking for an SSH tunnel. You still need to have a user account, but this can be totally locked down. The important SSH settings are:

  • AllowTcpForwarding yes - we are allowed to have a tunnel
  • ForceCommand /bin/false - if you try to log in via ssh you will not get a shell
  • ChrootDirectory /opt/dummy_location/%u - If you somehow get a shell anyway we have limited view of the filesystem to an empty location

With this knowledge we can again find plenty of prior art:

The above handles the SSH connection. If the user has physical access to the server, then remember to set the shell for the user as well:

usermod -s /bin/false userbob

With the above in order, you can then search around to see how to connect with any database client. As all the magic with SSH happens on the network layer, this can work for all clients! When the tunnel is up it looks like the database is running on the local machine.

Some clients are aware of SSH tunnels and make your life a little easier. A common client would be HeidiSQL - see How to connect to a MySQL database over a SSH tunnel with HeidiSQL.

If you go the tunnel route then please please please test with a regular account first to make sure it works before you start to lock down the tunnel user!

And finally you should be using SSH keys instead of passwords. But this combined with the complexity of chroot is best left as the last thing to implement.
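The tunnel-only setup described in this answer, as an added shell example that is not part of the original post: it generates the sshd_config Match block for the restricted user and checks a chroot directory against sshd's ownership rules (root-owned, not group/other writable). The user name userbob, the chroot path /opt/dummy_location and a MySQL listening on 127.0.0.1:3306 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values: user "userbob",
# chroot under /opt/dummy_location, MySQL reachable on 127.0.0.1:3306.

# Print a Match block that lets $1 open a forward only to $2 (host:port),
# gives no shell, no TTY, no agent/X11 forwarding and chroots into $3.
tunnel_match_block() {
    user="$1"; target="$2"; chroot_dir="$3"
    cat <<EOF
Match User $user
    AllowTcpForwarding yes
    PermitOpen $target
    ForceCommand /bin/false
    ChrootDirectory $chroot_dir
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PasswordAuthentication no
EOF
}

# sshd rejects a ChrootDirectory (and every parent of it) that is writable by
# group or others. Returns 0 when the mode of $1 has no group/other write bit.
chroot_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    o=${mode#"${mode%?}"}          # last octal digit: others
    rest=${mode%?}
    g=${rest#"${rest%?}"}          # second-to-last octal digit: group
    case "$g$o" in
        [0145][0145]) return 0 ;;  # 0,1,4,5 are the digits without the write bit
        *) return 1 ;;
    esac
}

# sshd also requires the ChrootDirectory to be owned by root (uid 0).
chroot_owner_ok() {
    [ "$(stat -c '%u' "$1")" = "0" ]
}

# Applies the whole setup on the server; needs root, so it is not run here.
# Client side afterwards: ssh -N -L 3306:127.0.0.1:3306 userbob@server
apply_tunnel_user() {
    useradd -m -s /bin/false "$1"
    mkdir -p "$3" && chown root:root "$3" && chmod 755 "$3"
    tunnel_match_block "$1" "$2" "$3" >> /etc/ssh/sshd_config
    sshd -t && systemctl reload ssh   # validate before reloading
}
```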

0

If the user can work from their /home directory and there is no need to change dirs, this might be a helpful post (not only the answer): How to limit user
You can also do it by editing /etc/sudoers, but in your case I think it is not appropriate.

Angel
  • The user can't work in its /home directory: he doesn't have any write permission, but he can read any file from the file system, which is the problem – Christophe S May 01 '20 at 20:14