Otto Kekäläinen <> writes:

> On a quick look the solution suggested by Kristian looks OK. I will
> eventually do something to implement and test it, but if somebody has
> time to do it right now and send me a git merge request (or Github
> pull request) then things would progress much faster.

This adds mysql_install_db --auth-root-socket option that
mariadb-10.1-server.postinst can use instead of patching
mysql_system_tables_data.sql and breaking mysql_install_db for others.

I will try to get Monty to review this today so I can push it upstream.

With this patch, you should be able to remove
debian/patches/mdev-8375-passwordless-root-via-socket-auth.patch and just
use the --auth-root-socket option on mysql_install_db instead.

> The purpose of this change is to get everybody to impove their
> security and move to using new passwordless practices. Are we now sure
> there is no way to change mysql-ruby2 to utilize socket auth, or
> create a test user that has no plugin defined, or something else?

With the above patch, applications can use eg.
mysql_install_db --auth-root-socket=$USER to install a private instance with
socket-based root access by non-privileged user.

However, note that the new socket authentication for the root user is not
necessary to securely setup a private server instance. For example, using
--skip-networking and making the server socket accessible only by the
running user; that should be the same, security wise.

 - Kristian.

Python-modules-team mailing list

Reply via email to