When we create an SSH tunnel to your server, there's no need for Stitch to have access to anything but the database. If you don't want us to have full access to the server that houses your database, you can restrict access by forcing the Stitch Linux user into a restricted bash shell.
You may have guessed from the name, but a restricted bash shell is used to set up an environment more controlled than the standard shell. The important thing about this type of shell is that restricted shell users can't access system functions or make any kind of modifications.
The Stitch Public Key can be found on the credentials page for the database you're using. This is accessed by:
Keep this page open, as you'll need it in the next step.
To restrict the Stitch Linux user, you'll need to do two things:
PATHenvironment variable to be the empty string. This means the user won't be able to access system executables.
Both of these can be done inside the
authorized_keys file in the user's home
dir/.ssh directory as part of the command that is executed when the user logs in. It will look something like this:
... other keys ... command="env PATH="" /bin/bash -r" < [stitch public key goes here] > ... other keys ...
Once this is complete, the user you created for Stitch won't have the ability to make any changes to your system.