Package: prometheus-mysqld-exporter
Version: 0.11.0+ds-1+b20
Severity: serious
Justification: Policy 10.9
Dear Maintainer,

After upgrading my MariaDB server boxes to buster, the prometheus mysqld exporter monitoring package stopped working. When I checked the cause of it, the package very usefully logged the cause:

    no user or password specified under [client] in /var/lib/prometheus/.my.s5.cnf

I checked, and my [client] section had a user config, plus a password one, except it was configured on purpose like this:

    password = ''

I confirmed that by adding a fully random password, different from the empty string, the exporter started working again.

This is because I use socket-based authentication for the prometheus mysqld exporter user (https://mariadb.com/kb/en/authentication-plugin-unix-socket/), something that is a best practice in a secure production environment. In fact, Debian uses socket_auth for the default-created root user, which makes the Debian mariadb installation much more secure.

This issue not only forces users to maintain a password on the filesystem in clear text (that can be easily stolen or leaked by accident, and reused for other similarly-configured systems), it bypasses the additional checks of socket-auth, which requires a matching unix account with the same name as that of the mysql account.

This is a regression because auth_socket was working properly on previous versions of prometheus available on stretch and other OSs. Not only does this break existing installations, it also discourages the usage of the above-mentioned, more secure authentication mechanism.

If UI-friendly errors are preferred (because people forget to create or protect mysql accounts), please allow me to specifically mark "this account doesn't have a password, and I know what I am doing".

I have not reported this upstream.
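The following Go program is an added illustration of the check the report describes; it is not the exporter's own code and is not part of the bug report. It parses a constructed [client] section with `password = ''`, then contrasts a strict check that treats an empty password as missing (the behaviour reported above, which rejects unix_socket-authenticated accounts) with a lenient check that accepts an explicitly empty password while still rejecting a section that has no password key at all. The function names (ParseClientSection, StrictDSN, LenientDSN, buildDSN), the socket path and the sample configuration are all assumptions made for this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// ClientConfig holds the keys read from the [client] section of a my.cnf file.
type ClientConfig struct {
	User        string
	Password    string
	PasswordSet bool // true when a password key was present, even if its value is empty
	Socket      string
}

// ParseClientSection reads the [client] section of my.cnf-style text (hypothetical
// helper, not the exporter's parser). Quotes '' or "" around a value are stripped,
// so `password = ''` yields Password == "" together with PasswordSet == true.
func ParseClientSection(contents string) (ClientConfig, error) {
	var cfg ClientConfig
	inClient := false
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue // blank line or comment
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			inClient = strings.EqualFold(strings.Trim(line, "[]"), "client")
			continue
		}
		if !inClient {
			continue // keys in other sections ([mysqld], [mysql], ...) are ignored
		}
		parts := strings.SplitN(line, "=", 2)
		if len(parts) != 2 {
			continue // bare option without a value
		}
		key := strings.TrimSpace(parts[0])
		value := strings.TrimSpace(parts[1])
		if n := len(value); n >= 2 && (value[0] == '\'' || value[0] == '"') && value[n-1] == value[0] {
			value = value[1 : n-1]
		}
		switch key {
		case "user":
			cfg.User = value
		case "password":
			cfg.Password = value
			cfg.PasswordSet = true
		case "socket":
			cfg.Socket = value
		}
	}
	return cfg, sc.Err()
}

// ErrNoCredentials reuses the wording of the error message quoted in the report.
var ErrNoCredentials = errors.New("no user or password specified under [client]")

// StrictDSN models the check the report complains about: an empty password is
// treated as a missing one, so a unix_socket-authenticated account never connects.
func StrictDSN(cfg ClientConfig) (string, error) {
	if cfg.User == "" || cfg.Password == "" {
		return "", ErrNoCredentials
	}
	return buildDSN(cfg), nil
}

// LenientDSN still requires a user, but treats an explicitly written
// `password = ''` as the "I know what I am doing" signal the report asks for;
// a [client] section with no password key at all is still rejected.
func LenientDSN(cfg ClientConfig) (string, error) {
	if cfg.User == "" || !cfg.PasswordSet {
		return "", ErrNoCredentials
	}
	return buildDSN(cfg), nil
}

// buildDSN formats a go-sql-driver/mysql style DSN; with unix_socket auth the
// password part is simply empty ("user:@unix(/path)/").
func buildDSN(cfg ClientConfig) string {
	if cfg.Socket != "" {
		return fmt.Sprintf("%s:%s@unix(%s)/", cfg.User, cfg.Password, cfg.Socket)
	}
	return fmt.Sprintf("%s:%s@tcp(localhost:3306)/", cfg.User, cfg.Password)
}

// SocketAuthCnf is a constructed sample of the configuration described in the report.
const SocketAuthCnf = "[client]\nuser = prometheus\npassword = ''\nsocket = /run/mysqld/mysqld.sock\n"

func main() {
	cfg, err := ParseClientSection(SocketAuthCnf)
	if err != nil {
		panic(err)
	}
	if _, err := StrictDSN(cfg); err != nil {
		fmt.Println("strict check:", err) // the failure reported above
	}
	if dsn, err := LenientDSN(cfg); err == nil {
		fmt.Println("lenient check:", dsn) // user:@unix(...)/ form, no password stored
	}
}
```

The lenient variant keeps the original safety net (a section with neither key is still an error) while no longer forcing a clear-text password onto the filesystem for accounts that authenticate through the socket.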
-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages prometheus-mysqld-exporter depends on:
ii  daemon  0.6.4-1+b2
ii  libc6   2.28-10

prometheus-mysqld-exporter recommends no packages.

Versions of packages prometheus-mysqld-exporter suggests:
pn  default-mysql-server | virtual-mysql-server  <none>

-- no debconf information