Sometimes corporate firewalls can be a real headache for developers. We had a situation today in which we needed to provide read-only access to a MySQL database, but had only ssh to the machine. We have a very strict user policy, so we weren't prepared to provide a shell account.
One quick and cunning way to provide MySQL monitor access without opening up the firewall or creating shell accounts is to create a user with /usr/bin/mysql as their shell.
- Create a user with /usr/bin/mysql as the shell:

      # useradd -m -s /usr/bin/mysql dev
      # grep dev /etc/passwd
      dev:x:500:500::/home/dev:/usr/bin/mysql

- Drop a .my.cnf into the new user's home directory:

      [client]
      user=dev
      password=m3g4s3cr3t

- Create a user and grants in the mysql database:

      mysql> CREATE USER 'dev'@'localhost' IDENTIFIED BY 'm3g4s3cr3t';
      mysql> GRANT SELECT ON *.* TO 'dev'@'localhost';

Now when a user connects to the machine as the dev user, over ssh, they drop straight into a mysql monitor, with restricted privileges.
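
A check for the account built in the three steps above, added here as an example and not part of the original post: it verifies the login shell, that .my.cnf (which holds the password in clear text) is closed to group and other, and that a saved `SHOW GRANTS` output carries nothing beyond `SELECT`. The function name and its file arguments are assumptions chosen so the check can run against copies of the real files.

```shell
#!/bin/sh
# Added example (not from the original post): audit the restricted account.
#   $1 user name
#   $2 passwd-format file (normally /etc/passwd)
#   $3 file holding saved output of: SHOW GRANTS FOR 'user'@'localhost'
# Prints one line per finding and returns the number of findings.
audit_mysql_shell_user() {
    user=$1 passwd=$2 grants=$3 findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

    entry=$(grep "^${user}:" "$passwd") || { echo "FAIL: $user not in $passwd"; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ "$shell" = /usr/bin/mysql ] || fail "login shell is $shell, not /usr/bin/mysql"

    # .my.cnf stores the password in clear text: no group/other bits allowed.
    cnf="$home/.my.cnf"
    if [ ! -f "$cnf" ]; then
        fail "$cnf is missing"
    else
        perms=$(ls -ld "$cnf" | cut -c5-10)   # group + other permission bits
        [ "$perms" = "------" ] || fail "$cnf open to group/other ($perms)"
        grep -q "^user *= *${user}\$" "$cnf" || fail "$cnf does not set user=$user"
    fi

    # Every GRANT line may carry only SELECT (or USAGE) and no GRANT OPTION.
    while IFS= read -r line; do
        case $line in GRANT\ *) ;; *) continue ;; esac
        privs=$(printf '%s\n' "$line" | sed 's/^GRANT \(.*\) ON .*/\1/')
        case $privs in
            SELECT|USAGE) ;;
            *) fail "privileges beyond SELECT: $privs" ;;
        esac
        case $line in *"WITH GRANT OPTION"*) fail "GRANT OPTION present" ;; esac
    done < "$grants"
    return "$findings"
}
```

On the real host this would be called as `audit_mysql_shell_user dev /etc/passwd grants.txt`, with grants.txt saved from an administrative MySQL session.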
Many thanks to James Sheridan for this tip.