Package: mysql-server
Version: 5.5.42-1
Severity: normal
Dear Maintainer,
When checking for insecure root accounts, ‘debian-start.inc.sh’ merely
lists root accounts with an empty password:
SELECT COUNT(*) FROM mysql.user WHERE user='root' and password='';
However, such an account can be perfectly secure if e.g., it is
associated with the ‘auth_socket’ plugin [1] (the client would have to
connect to Unix socket and use SO_PEERCRED).
The query could be amended as follows:
SELECT COUNT(*) FROM mysql.user WHERE user='root' and password='' and
plugin!='auth_socket';
However some other plugins such as PAM could be considered secure as
well.
Cheers,
--
Guilhem.
[0] https://dev.mysql.com/doc/refman/5.5/en/pluggable-authentication.html
[1] https://dev.mysql.com/doc/refman/5.5/en/socket-authentication-plugin.html
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
signature.asc
Description: Digital signature
