Package: mysql-server Version: 5.5.35+dfsg-2 Severity: normal Dear Maintainer,
When installing a MySQL server in a non-interactive environment (for instance using a configuration manager): DEBIAN_FRONTEND=noninteractive apt-get install mysql-server The post-install hook currently creates a root user without a password, making any local user able to connect as root: guilhem@fresti: ~$ mysql -u root mysql […] mysql> SELECT user,host,password,plugin FROM user; +------------------+-----------+-------------------------------------------+--------+ | user | host | password | plugin | +------------------+-----------+-------------------------------------------+--------+ | root | localhost | | | | root | fresti | | | | root | 127.0.0.1 | | | | root | ::1 | | | | debian-sys-maint | localhost | *0B79A0000E943CB9D2719FACD42B17D2550398AB | | +------------------+-----------+-------------------------------------------+--------+ Since as far as I'm concerned I don't have a use-case where a user should connect to MySQL as root unless she already has UNIX root privileges, I would like to use the Socket Peer-Credential Authentication Plugin [1]. Of course I could manually remove all hosts that are not ‘localhost’ and force authentication using said plugin: mysql> DROP USER 'root'@'fresti'; mysql> DROP USER 'root'@'127.0.0.1'; mysql> DROP USER 'root'@'::1'; mysql> INSTALL PLUGIN auth_socket SONAME 'auth_socket.so'; mysql> UPDATE user SET plugin = 'auth_socket', password = '' WHERE user = 'root' AND host = 'localhost'; mysql> FLUSH PRIVILEGES; mysql> SELECT user,host,password,plugin FROM user; +------------------+-----------+-------------------------------------------+-------------+ | user | host | password | plugin | +------------------+-----------+-------------------------------------------+-------------+ | root | localhost | | auth_socket | | debian-sys-maint | localhost | *0B79A0000E943CB9D2719FACD42B17D2550398AB | | +------------------+-----------+-------------------------------------------+-------------+ mysql> QUIT; guilhem@fresti: ~$ mysql -u root mysql ERROR 1698 (28000): Access denied for user 'root'@'localhost' However the race condition opens an obvious insecure windows, during which any user can connect as root and (for instance) add another MySQL user and GRANT it ALL PRIVILEGES. IMHO the best way to overcome the issue would be to add a debconf variable to force Socket Peer-Credential Authentication for the root user. (Or perhaps that should be the default when the password is left blank? Or perhaps even the password should be disabled by default, and only activated if explicitly asked at the installation?) Thanks! Cheers, -- Guilhem. [1] https://dev.mysql.com/doc/refman/5.5/en/socket-authentication-plugin.html -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (990, 'unstable'), (800, 'testing'), (700, 'stable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 3.13-1-686-pae (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages mysql-server depends on: ii mysql-server-5.5 5.5.35+dfsg-2 mysql-server recommends no packages. mysql-server suggests no packages. -- no debconf information
signature.asc
Description: Digital signature