Does XtraBackup need to spawn a shell?

Over the last number of years, there has been an intermittent debate ([url]Invalid Bug ID) about the configuration of the mysql user created by installations of MySQL (which, of course, would also apply to forks like XtraDBCluster). The issue stems from the mysql ID in /etc/passwd having a /bin/bash shell, but some claim having a !! in the related shadow record making the account inaccessible via a standard login makes this not an issue.

However, one person raised a concern that if a compromised mysql instance could write a .ssh/authorized_keys entry in /var/lib/mysql this could allow an interactive login. The person who I believe was a package maintainer for RH indicated that some admins preferred the ability to log in as the mysql user for various reasons, and certain backup tools required the ability to log in as the mysql user (and, presumably, spawn a shell) so he came down on the side of leaving the user with a shell in /etc/passwd for anyone / anything that needed it as long as standard interactive login required that root intervene and give the account a password.

His final defense on this was that the MySQL devs created that account in that way, too, so he wasn’t going to break the distro package’s functionality to address a setting that was sub-optimal from a security standpoint when there was a compensating control in place. Whether I agree with the stand he took or not, Oracle’s community server 5.7 package now creates the mysql ID with a shell parameter of /bin/false so I guess they ended up capitulating on this point.

The most recent XtraDBCluster 5.7 installer creates mysql with a /bin/bash shell (but locked in shadow) and I’m not here to inquire if it can / should be changed in the installer, but I was curious if XtraBackup needs a shell like mysqlhotcopy did once upon a time or if I can change that shell parameter in /etc/passwd on my production systems and still run useful backups. I can (and probably will) just test it myself at some point, but I thought I’d ask the community if anyone had tried making this change at the behest of security staff / guidance and if it caused any difficulties with XtraBackup.

Thanks,

Scott

In case anyone ever has the same question and comes across this post, I switched mysql’s shell to /sbin/nologin right after install and then proceeded with a variety of DML and DDL commands and several xtrabackups, all of which behaved just as expected so I believe the answer to the question “Does XtraBackup need to spawn a shell?” is no.