Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 3.1.3
Description
For command-line tools, if no user name is provided, then the default behavior is supposed to be that the client will use the name of the current Unix user.
From the MySQL documentation:
On Unix, most MySQL clients by default try to log in using the current Unix user name as the MySQL user name, but that is for convenience only.
https://dev.mysql.com/doc/refman/5.7/en/user-names.html
And from the MariaDB documentation:
-u, --user=name User for login, if not current user.
https://mariadb.com/kb/en/library/mysql-command-line-client/
However, at the moment, the wrong user name is used by default if the login user is different from the effective user.
How the Default User Name is Determined
MariaDB Connector/C determines the default user name by calling read_user_name() to get the current user:
https://github.com/MariaDB/mariadb-connector-c/blob/v3.1.3/libmariadb/mariadb_lib.c#L498
It is called in send_client_reply_packet():
https://github.com/MariaDB/mariadb-connector-c/blob/v3.1.3/plugins/auth/my_auth.c#L311
The read_user_name() function gets the user name by checking the following items in the following order:
- If geteuid() returns 0, then root is used.
- If getlogin() is not NULL, then its return value is used.
- If getpwuid(geteuid()) is not NULL, then its return value is used.
- If the USER environment variable is set, then its assigned value is used.
- If the LOGNAME environment variable is set, then its assigned value is used.
- If the LOGIN environment variable is set, then its assigned value is used.
This order can cause unexpected results in some cases.
How to Reproduce
For example, let's say that we change users by doing something like this:
```
$ whoami
ec2-user
$ sudo -u mysql bash
$ whoami
mysql
$ printenv USER
mysql
$ printenv LOGNAME
mysql
$ printenv LOGIN
$ id
uid=997(mysql) gid=994(mysql) groups=994(mysql),1005(shadow)
$ cat /proc/self/loginuid
1000
$ id 1000
uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel),190(systemd-journal)
```
In this case, our effective user is mysql, but the login user is still ec2-user.
Let's start tcpdump:
```
sudo tcpdump -i any -w mariadb_traffic.pcap port 3306
```
And then let's run a client without providing a user name:
```
$ mysql --plugin-dir=/usr/lib64/mysql/plugin/ -h 127.0.0.1
[mariadb] Password:
```
Authentication will fail, because the user name is wrong.
Let's read the tcpdump file:
```
sudo tcpdump -q -X -r mariadb_traffic.pcap
```
The client handshake response looks like this for me:
```
00:28:51.270909 IP localhost.38338 > localhost.mysql: tcp 0
0x0000: 4508 0034 54e6 4000 4006 e7d3 7f00 0001 E..4T.@.@.......
0x0010: 7f00 0001 95c2 0cea 5d84 b993 2a65 a5ae ........]...*e..
0x0020: 8010 0156 fe28 0000 0101 080a 0057 ed76 ...V.(.......W.v
0x0030: 0057 ed76 0000 0000 0000 0000 0000 0000 .W.v............
0x0040: 0000 0000 ....
00:28:51.271046 IP localhost.38338 > localhost.mysql: tcp 194
0x0000: 4508 00f6 54e7 4000 4006 e710 7f00 0001 E...T.@.@.......
0x0010: 7f00 0001 95c2 0cea 5d84 b993 2a65 a5ae ........]...*e..
0x0020: 8018 0156 feea 0000 0101 080a 0057 ed76 ...V.........W.v
0x0030: 0057 ed76 be00 0001 84a6 9f20 0000 0001 .W.v............
0x0040: 2100 0000 0000 0000 0000 0000 0000 0000 !...............
0x0050: 0000 0000 0700 0000 6563 322d 7573 6572 ........ec2-user
0x0060: 0000 6d79 7371 6c5f 6e61 7469 7665 5f70 ..mysql_native_p
0x0070: 6173 7377 6f72 6400 7d03 5f6f 7305 4c69 assword.}._os.Li
0x0080: 6e75 780c 5f63 6c69 656e 745f 6e61 6d65 nux._client_name
0x0090: 0a6c 6962 6d61 7269 6164 6204 5f70 6964 .libmariadb._pid
0x00a0: 0435 3937 330f 5f63 6c69 656e 745f 7665 .5973._client_ve
0x00b0: 7273 696f 6e05 332e 312e 3409 5f70 6c61 rsion.3.1.4._pla
0x00c0: 7466 6f72 6d06 7838 365f 3634 0c70 726f tform.x86_64.pro
0x00d0: 6772 616d 5f6e 616d 6505 6d79 7371 6c0c gram_name.mysql.
0x00e0: 5f73 6572 7665 725f 686f 7374 0931 3237 _server_host.127
0x00f0: 2e30 2e30 2e31 0000 0000 0000 0000 0000 .0.0.1..........
0x0100: 0000 0000 0000
```
We can see from the packet content that C/C thinks the user name is ec2-user instead of mysql.
The error message sent by the server also references this incorrect ec2-user user name:
```
$ mysql --plugin-dir=/usr/lib64/mysql/plugin/ -h 127.0.0.1
[mariadb] Password:
ERROR 1045 (28000): Access denied for user 'ec2-user'@'localhost' (using password: NO)
```
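Reading the user name out of the handshake response by program rather than by eye, as an added example that is not part of the original report or of Connector/C. It follows the HandshakeResponse41 field layout; `parse_handshake_user`, `struct handshake_user` and the embedded byte array (the first 68 payload bytes of the capture above) are names and sample data chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability bits from the MySQL/MariaDB client/server protocol. */
#define CLIENT_CONNECT_WITH_DB    0x00000008u
#define CLIENT_PROTOCOL_41        0x00000200u
#define CLIENT_SECURE_CONNECTION  0x00008000u
#define CLIENT_PLUGIN_AUTH        0x00080000u
#define CLIENT_PLUGIN_AUTH_LENENC 0x00200000u /* ..._LENENC_CLIENT_DATA */

struct handshake_user {            /* hypothetical result type */
    uint32_t capabilities;
    char user[64];
    char plugin[64];               /* "" when absent or cut off */
};

/* Copy one NUL-terminated field that must finish before `end`. */
static int take_cstr(const unsigned char *b, size_t end, size_t *pos,
                     char *dst, size_t cap)
{
    const unsigned char *nul;
    size_t n;
    if (*pos >= end) return -1;
    nul = memchr(b + *pos, 0, end - *pos);
    if (nul == NULL) return -1;
    n = (size_t)(nul - (b + *pos));
    if (n >= cap) return -1;
    memcpy(dst, b + *pos, n);
    dst[n] = '\0';
    *pos += n + 1;
    return 0;
}

/* Skip the auth response; its framing depends on the capability bits. */
static int skip_auth(const unsigned char *b, size_t end, size_t *pos, uint32_t caps)
{
    char scratch[256];
    uint64_t n;
    size_t width, i;
    if (!(caps & (CLIENT_PLUGIN_AUTH_LENENC | CLIENT_SECURE_CONNECTION)))
        return take_cstr(b, end, pos, scratch, sizeof scratch);
    if (*pos >= end) return -1;
    n = b[(*pos)++];                  /* one-byte length, or lenenc tag */
    if ((caps & CLIENT_PLUGIN_AUTH_LENENC) && n >= 0xfb) {
        width = n == 0xfc ? 2 : n == 0xfd ? 3 : n == 0xfe ? 8 : 0;
        if (width == 0 || end - *pos < width) return -1;
        for (n = 0, i = 0; i < width; i++)
            n |= (uint64_t)b[*pos + i] << (8 * i);
        *pos += width;
    }
    if (n > end - *pos) return -1;
    *pos += (size_t)n;
    return 0;
}

/* Returns 0 when a user name was recovered, -1 otherwise (capture too short,
 * pre-4.1 client, or a 32-byte SSLRequest, which carries no user name). */
int parse_handshake_user(const unsigned char *buf, size_t len, struct handshake_user *out)
{
    char db[256];
    size_t declared, end, pos = 4 + 4 + 4 + 1 + 23; /* hdr caps max cs filler */
    if (len < pos) return -1;
    declared = buf[0] | ((size_t)buf[1] << 8) | ((size_t)buf[2] << 16);
    end = declared + 4 < len ? declared + 4 : len;  /* tolerate snaplen cuts */
    out->capabilities = buf[4] | ((uint32_t)buf[5] << 8) |
                        ((uint32_t)buf[6] << 16) | ((uint32_t)buf[7] << 24);
    out->user[0] = out->plugin[0] = '\0';
    if (!(out->capabilities & CLIENT_PROTOCOL_41)) return -1;
    if (take_cstr(buf, end, &pos, out->user, sizeof out->user) != 0) return -1;
    if (skip_auth(buf, end, &pos, out->capabilities) != 0) return 0; /* rest is best effort */
    if ((out->capabilities & CLIENT_CONNECT_WITH_DB) &&
        take_cstr(buf, end, &pos, db, sizeof db) != 0) return 0;
    if (out->capabilities & CLIENT_PLUGIN_AUTH)
        (void)take_cstr(buf, end, &pos, out->plugin, sizeof out->plugin);
    return 0;
}

/* First 68 bytes of the 194-byte TCP payload in the capture above (packet
 * offsets 0x34 to 0x77); the connection attributes after it are left out. */
static const unsigned char PAGE_CAPTURE_PREFIX[] = {
    0xbe, 0x00, 0x00, 0x01,             /* payload length 190, sequence 1 */
    0x84, 0xa6, 0x9f, 0x20,             /* client capabilities */
    0x00, 0x00, 0x00, 0x01, 0x21,       /* max packet size, character set */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 19 zero bytes */
    0x07, 0x00, 0x00, 0x00,             /* last 4 of the 23 filler bytes */
    'e', 'c', '2', '-', 'u', 's', 'e', 'r', 0,
    0x00,                               /* auth response length: 0 */
    'm', 'y', 's', 'q', 'l', '_', 'n', 'a', 't', 'i', 'v', 'e', '_',
    'p', 'a', 's', 's', 'w', 'o', 'r', 'd', 0
};

int main(void)
{
    struct handshake_user h;
    if (parse_handshake_user(PAGE_CAPTURE_PREFIX, sizeof PAGE_CAPTURE_PREFIX, &h) == 0)
        printf("user=%s plugin=%s\n", h.user, h.plugin);
    return 0;
}
```

The parser only sees the user name on cleartext connections; once TLS is negotiated the full handshake response is sent encrypted and only the short SSLRequest is visible.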
Suggested Fix
MariaDB Connector/C's version of the read_user_name() function should be fixed to use the effective user as the default user.
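A model of the lookup order listed under "How the Default User Name is Determined" next to an effective-user-first order, as an added example that is not Connector/C's code or the fix that was committed. The struct, the function names and the exact fallback order of the second function are assumptions; the sample values are the ones from the `sudo -u mysql bash` session above.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* One snapshot of every source in the list above; NULL means "not available".
 * Type and function names here are hypothetical, not Connector/C symbols. */
struct id_sources {
    uid_t       euid;         /* geteuid() */
    const char *login_name;   /* getlogin(): owner of the login session */
    const char *passwd_name;  /* getpwuid(geteuid())->pw_name */
    const char *env_user;     /* $USER */
    const char *env_logname;  /* $LOGNAME */
    const char *env_login;    /* $LOGIN */
};

static const char *first_available(const char *const *cand, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (cand[i] != NULL)
            return cand[i];
    return NULL;
}

/* Order the ticket describes for v3.1.3: getlogin() outranks the passwd entry
 * of the effective UID, so after sudo the login session's owner wins. */
const char *pick_login_first(const struct id_sources *s)
{
    const char *cand[] = { s->login_name, s->passwd_name, s->env_user,
                           s->env_logname, s->env_login };
    return s->euid == 0 ? "root" : first_available(cand, 5);
}

/* Assumed fix: same sources, but the effective UID's passwd entry goes first.
 * The environment stays last because the caller can set it to anything. */
const char *pick_effective_first(const struct id_sources *s)
{
    const char *cand[] = { s->passwd_name, s->login_name, s->env_user,
                           s->env_logname, s->env_login };
    return s->euid == 0 ? "root" : first_available(cand, 5);
}

/* Values from the `sudo -u mysql bash` session in the ticket. login_name is
 * inferred from loginuid 1000 (ec2-user), the name that was seen on the wire. */
static const struct id_sources TICKET_SESSION = {
    997, "ec2-user", "mysql", "mysql", "mysql", NULL
};

/* Fill a snapshot from the running process. getlogin() and getpwuid() may
 * return static storage, so both names are copied right away. */
void snapshot_current(struct id_sources *s)
{
    static char login[256], pw[256];
    const char *l = getlogin();
    const struct passwd *p;
    s->euid = geteuid();
    s->login_name = NULL;
    s->passwd_name = NULL;
    if (l != NULL) {
        snprintf(login, sizeof login, "%s", l);
        s->login_name = login;
    }
    p = getpwuid(s->euid);
    if (p != NULL) {
        snprintf(pw, sizeof pw, "%s", p->pw_name);
        s->passwd_name = pw;
    }
    s->env_user = getenv("USER");
    s->env_logname = getenv("LOGNAME");
    s->env_login = getenv("LOGIN");
}

static void report(const char *label, const struct id_sources *s)
{
    const char *a = pick_login_first(s), *b = pick_effective_first(s);
    printf("%-8s login-first=%s effective-first=%s\n", label,
           a ? a : "(none)", b ? b : "(none)");
}

int main(void)
{
    struct id_sources live;
    snapshot_current(&live);
    report("ticket", &TICKET_SESSION);
    report("live", &live);
    return 0;
}
```

Run under `sudo -u <user>` on a test host, the "live" line shows whether the two orders disagree for that session.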
Issue Links
- causes
  - MDEV-21396 Cannot specify multiple authentication plugins (mysql_native_password and unix_socket) (Closed)
- relates to
  - MDEV-20756 Default user name for libmysqlclient is empty (Open)
  - MDEV-21745 mariadb-10.4.11: Client authentication fails: ERROR 1698 (28000): Access denied for user 'root'@'localhost' (Closed)
Activity
Field | Original Value | New Value |
---|---|---|
Link | | This issue relates to MDEV-20756 |
Summary | Default user name for C/C is wrong | Default user name for C/C is wrong if login user is different from effective user |
Description |
For command-line tools, if no user name is provided, then the default behavior is supposed to be that the client will use the name of the current Unix user.
From the MySQL documentation: {quote} On Unix, most MySQL clients by default try to log in using the current Unix user name as the MySQL user name, but that is for convenience only. {quote} https://dev.mysql.com/doc/refman/5.7/en/user-names.html And from the MariaDB documentation: {quote} -u, --user=name User for login, if not current user. {quote} https://mariadb.com/kb/en/library/mysql-command-line-client/ However, at the moment, the wrong user name is used by default if the login user is different from the effective user. MariaDB Connector/C calls {{read_user_name()}} to get the current user: https://github.com/MariaDB/mariadb-connector-c/blob/v3.1.3/libmariadb/mariadb_lib.c#L498 It is called in {{send_client_reply_packet()}}: https://github.com/MariaDB/mariadb-connector-c/blob/v3.1.3/plugins/auth/my_auth.c#L311 The {{read_user_name()}} function gets the user name by checking the following items in the following order: * If {{geteuid()}} returns {{0}}, then {{root}} is used. * If {{getlogin()}} is not {{NULL}}, then its return value is used. * If {{getpwuid(geteuid())}} is not {{NULL}}, then its return value is used. * If the {{USER}} environment variable is set, then its assigned value is used. * If the {{LOGNAME}} environment variable is set, then its assigned value is used. * If the {{LOGIN}} environment variable is set, then its assigned value is used. This order can cause unexpected results in some cases. For example, let's say that we change users by doing something like this: {noformat} $ whoami ec2-user $ sudo -u mysql bash $ whoami mysql $ printenv USER mysql $ printenv LOGNAME mysql $ printenv LOGIN $ id uid=997(mysql) gid=994(mysql) groups=994(mysql),1005(shadow) $ cat /proc/self/loginuid 1000 $ id 1000 uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel),190(systemd-journal) {noformat} In this case, our effective user is {{mysql}}, but the login user is still {{ec2-user}}. 
Let's start {{tcpdump}}: {noformat} sudo tcpdump -i any -w mariadb_traffic.pcap port 3306 {noformat} And then let's run a client without providing a user name: {noformat} $ mysql --plugin-dir=/usr/lib64/mysql/plugin/ -h 127.0.0.1 [mariadb] Password: {noformat} Authentication will fail, because the user name is wrong. Let's read the {{tcpdump}} file: {noformat} sudo tcpdump -q -X -r mariadb_traffic.pcap {noformat} The client handshake response looks like this for me: {noformat} 00:28:51.270909 IP localhost.38338 > localhost.mysql: tcp 0 0x0000: 4508 0034 54e6 4000 4006 e7d3 7f00 0001 E..4T.@.@....... 0x0010: 7f00 0001 95c2 0cea 5d84 b993 2a65 a5ae ........]...*e.. 0x0020: 8010 0156 fe28 0000 0101 080a 0057 ed76 ...V.(.......W.v 0x0030: 0057 ed76 0000 0000 0000 0000 0000 0000 .W.v............ 0x0040: 0000 0000 .... 00:28:51.271046 IP localhost.38338 > localhost.mysql: tcp 194 0x0000: 4508 00f6 54e7 4000 4006 e710 7f00 0001 E...T.@.@....... 0x0010: 7f00 0001 95c2 0cea 5d84 b993 2a65 a5ae ........]...*e.. 0x0020: 8018 0156 feea 0000 0101 080a 0057 ed76 ...V.........W.v 0x0030: 0057 ed76 be00 0001 84a6 9f20 0000 0001 .W.v............ 0x0040: 2100 0000 0000 0000 0000 0000 0000 0000 !............... 0x0050: 0000 0000 0700 0000 6563 322d 7573 6572 ........ec2-user 0x0060: 0000 6d79 7371 6c5f 6e61 7469 7665 5f70 ..mysql_native_p 0x0070: 6173 7377 6f72 6400 7d03 5f6f 7305 4c69 assword.}._os.Li 0x0080: 6e75 780c 5f63 6c69 656e 745f 6e61 6d65 nux._client_name 0x0090: 0a6c 6962 6d61 7269 6164 6204 5f70 6964 .libmariadb._pid 0x00a0: 0435 3937 330f 5f63 6c69 656e 745f 7665 .5973._client_ve 0x00b0: 7273 696f 6e05 332e 312e 3409 5f70 6c61 rsion.3.1.4._pla 0x00c0: 7466 6f72 6d06 7838 365f 3634 0c70 726f tform.x86_64.pro 0x00d0: 6772 616d 5f6e 616d 6505 6d79 7371 6c0c gram_name.mysql. 0x00e0: 5f73 6572 7665 725f 686f 7374 0931 3237 _server_host.127 0x00f0: 2e30 2e30 2e31 0000 0000 0000 0000 0000 .0.0.1.......... 
0x0100: 0000 0000 0000 {noformat} We can see from the packet content that C/C thinks the user name is {{ec2-user}} instead of {{mysql}}. The error message sent by the server also references this incorrect {{ec2-user}} user name: {noformat} $ mysql --plugin-dir=/usr/lib64/mysql/plugin/ -h 127.0.0.1 [mariadb] Password: ERROR 1045 (28000): Access denied for user 'ec2-user'@'localhost' (using password: NO) {noformat} |
For command-line tools, if no user name is provided, then the default behavior is supposed to be that the client will use the name of the current Unix user.
From the MySQL documentation: {quote} On Unix, most MySQL clients by default try to log in using the current Unix user name as the MySQL user name, but that is for convenience only. {quote} https://dev.mysql.com/doc/refman/5.7/en/user-names.html And from the MariaDB documentation: {quote} -u, --user=name User for login, if not current user. {quote} https://mariadb.com/kb/en/library/mysql-command-line-client/ However, at the moment, the wrong user name is used by default if the login user is different from the effective user. h2. How the Default User Name is Determined MariaDB Connector/C determines the default user name by calling {{read_user_name()}} to get the current user: https://github.com/MariaDB/mariadb-connector-c/blob/v3.1.3/libmariadb/mariadb_lib.c#L498 It is called in {{send_client_reply_packet()}}: https://github.com/MariaDB/mariadb-connector-c/blob/v3.1.3/plugins/auth/my_auth.c#L311 The {{read_user_name()}} function gets the user name by checking the following items in the following order: * If {{geteuid()}} returns {{0}}, then {{root}} is used. * If {{getlogin()}} is not {{NULL}}, then its return value is used. * If {{getpwuid(geteuid())}} is not {{NULL}}, then its return value is used. * If the {{USER}} environment variable is set, then its assigned value is used. * If the {{LOGNAME}} environment variable is set, then its assigned value is used. * If the {{LOGIN}} environment variable is set, then its assigned value is used. This order can cause unexpected results in some cases. h2. 
How to Reproduce For example, let's say that we change users by doing something like this: {noformat} $ whoami ec2-user $ sudo -u mysql bash $ whoami mysql $ printenv USER mysql $ printenv LOGNAME mysql $ printenv LOGIN $ id uid=997(mysql) gid=994(mysql) groups=994(mysql),1005(shadow) $ cat /proc/self/loginuid 1000 $ id 1000 uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel),190(systemd-journal) {noformat} In this case, our effective user is {{mysql}}, but the login user is still {{ec2-user}}. Let's start {{tcpdump}}: {noformat} sudo tcpdump -i any -w mariadb_traffic.pcap port 3306 {noformat} And then let's run a client without providing a user name: {noformat} $ mysql --plugin-dir=/usr/lib64/mysql/plugin/ -h 127.0.0.1 [mariadb] Password: {noformat} Authentication will fail, because the user name is wrong. Let's read the {{tcpdump}} file: {noformat} sudo tcpdump -q -X -r mariadb_traffic.pcap {noformat} The client handshake response looks like this for me: {noformat} 00:28:51.270909 IP localhost.38338 > localhost.mysql: tcp 0 0x0000: 4508 0034 54e6 4000 4006 e7d3 7f00 0001 E..4T.@.@....... 0x0010: 7f00 0001 95c2 0cea 5d84 b993 2a65 a5ae ........]...*e.. 0x0020: 8010 0156 fe28 0000 0101 080a 0057 ed76 ...V.(.......W.v 0x0030: 0057 ed76 0000 0000 0000 0000 0000 0000 .W.v............ 0x0040: 0000 0000 .... 00:28:51.271046 IP localhost.38338 > localhost.mysql: tcp 194 0x0000: 4508 00f6 54e7 4000 4006 e710 7f00 0001 E...T.@.@....... 0x0010: 7f00 0001 95c2 0cea 5d84 b993 2a65 a5ae ........]...*e.. 0x0020: 8018 0156 feea 0000 0101 080a 0057 ed76 ...V.........W.v 0x0030: 0057 ed76 be00 0001 84a6 9f20 0000 0001 .W.v............ 0x0040: 2100 0000 0000 0000 0000 0000 0000 0000 !............... 
0x0050: 0000 0000 0700 0000 6563 322d 7573 6572 ........ec2-user 0x0060: 0000 6d79 7371 6c5f 6e61 7469 7665 5f70 ..mysql_native_p 0x0070: 6173 7377 6f72 6400 7d03 5f6f 7305 4c69 assword.}._os.Li 0x0080: 6e75 780c 5f63 6c69 656e 745f 6e61 6d65 nux._client_name 0x0090: 0a6c 6962 6d61 7269 6164 6204 5f70 6964 .libmariadb._pid 0x00a0: 0435 3937 330f 5f63 6c69 656e 745f 7665 .5973._client_ve 0x00b0: 7273 696f 6e05 332e 312e 3409 5f70 6c61 rsion.3.1.4._pla 0x00c0: 7466 6f72 6d06 7838 365f 3634 0c70 726f tform.x86_64.pro 0x00d0: 6772 616d 5f6e 616d 6505 6d79 7371 6c0c gram_name.mysql. 0x00e0: 5f73 6572 7665 725f 686f 7374 0931 3237 _server_host.127 0x00f0: 2e30 2e30 2e31 0000 0000 0000 0000 0000 .0.0.1.......... 0x0100: 0000 0000 0000 {noformat} We can see from the packet content that C/C thinks the user name is {{ec2-user}} instead of {{mysql}}. The error message sent by the server also references this incorrect {{ec2-user}} user name: {noformat} $ mysql --plugin-dir=/usr/lib64/mysql/plugin/ -h 127.0.0.1 [mariadb] Password: ERROR 1045 (28000): Access denied for user 'ec2-user'@'localhost' (using password: NO) {noformat} |
Description |
For command-line tools, if no user name is provided, then the default behavior is supposed to be that the client will use the name of the current Unix user.

From the MySQL documentation:

{quote}
On Unix, most MySQL clients by default try to log in using the current Unix user name as the MySQL user name, but that is for convenience only.
{quote}

https://dev.mysql.com/doc/refman/5.7/en/user-names.html

And from the MariaDB documentation:

{quote}
-u, --user=name User for login, if not current user.
{quote}

https://mariadb.com/kb/en/library/mysql-command-line-client/

However, at the moment, the wrong user name is used by default if the login user is different from the effective user.

h2. How the Default User Name is Determined

MariaDB Connector/C determines the default user name by calling {{read_user_name()}} to get the current user:

https://github.com/MariaDB/mariadb-connector-c/blob/v3.1.3/libmariadb/mariadb_lib.c#L498

It is called in {{send_client_reply_packet()}}:

https://github.com/MariaDB/mariadb-connector-c/blob/v3.1.3/plugins/auth/my_auth.c#L311

The {{read_user_name()}} function gets the user name by checking the following items in the following order:

* If {{geteuid()}} returns {{0}}, then {{root}} is used.
* If {{getlogin()}} is not {{NULL}}, then its return value is used.
* If {{getpwuid(geteuid())}} is not {{NULL}}, then its return value is used.
* If the {{USER}} environment variable is set, then its assigned value is used.
* If the {{LOGNAME}} environment variable is set, then its assigned value is used.
* If the {{LOGIN}} environment variable is set, then its assigned value is used.

This order can cause unexpected results in some cases.

h2. How to Reproduce

For example, let's say that we change users by doing something like this:

{noformat}
$ whoami
ec2-user
$ sudo -u mysql bash
$ whoami
mysql
$ printenv USER
mysql
$ printenv LOGNAME
mysql
$ printenv LOGIN
$ id
uid=997(mysql) gid=994(mysql) groups=994(mysql),1005(shadow)
$ cat /proc/self/loginuid
1000
$ id 1000
uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel),190(systemd-journal)
{noformat}

In this case, our effective user is {{mysql}}, but the login user is still {{ec2-user}}.

Let's start {{tcpdump}}:

{noformat}
sudo tcpdump -i any -w mariadb_traffic.pcap port 3306
{noformat}

And then let's run a client without providing a user name:

{noformat}
$ mysql --plugin-dir=/usr/lib64/mysql/plugin/ -h 127.0.0.1
[mariadb] Password:
{noformat}

Authentication will fail, because the user name is wrong.

Let's read the {{tcpdump}} file:

{noformat}
sudo tcpdump -q -X -r mariadb_traffic.pcap
{noformat}

The client handshake response looks like this for me:

{noformat}
00:28:51.270909 IP localhost.38338 > localhost.mysql: tcp 0
0x0000:  4508 0034 54e6 4000 4006 e7d3 7f00 0001  E..4T.@.@.......
0x0010:  7f00 0001 95c2 0cea 5d84 b993 2a65 a5ae  ........]...*e..
0x0020:  8010 0156 fe28 0000 0101 080a 0057 ed76  ...V.(.......W.v
0x0030:  0057 ed76 0000 0000 0000 0000 0000 0000  .W.v............
0x0040:  0000 0000                                ....
00:28:51.271046 IP localhost.38338 > localhost.mysql: tcp 194
0x0000:  4508 00f6 54e7 4000 4006 e710 7f00 0001  E...T.@.@.......
0x0010:  7f00 0001 95c2 0cea 5d84 b993 2a65 a5ae  ........]...*e..
0x0020:  8018 0156 feea 0000 0101 080a 0057 ed76  ...V.........W.v
0x0030:  0057 ed76 be00 0001 84a6 9f20 0000 0001  .W.v............
0x0040:  2100 0000 0000 0000 0000 0000 0000 0000  !...............
0x0050:  0000 0000 0700 0000 6563 322d 7573 6572  ........ec2-user
0x0060:  0000 6d79 7371 6c5f 6e61 7469 7665 5f70  ..mysql_native_p
0x0070:  6173 7377 6f72 6400 7d03 5f6f 7305 4c69  assword.}._os.Li
0x0080:  6e75 780c 5f63 6c69 656e 745f 6e61 6d65  nux._client_name
0x0090:  0a6c 6962 6d61 7269 6164 6204 5f70 6964  .libmariadb._pid
0x00a0:  0435 3937 330f 5f63 6c69 656e 745f 7665  .5973._client_ve
0x00b0:  7273 696f 6e05 332e 312e 3409 5f70 6c61  rsion.3.1.4._pla
0x00c0:  7466 6f72 6d06 7838 365f 3634 0c70 726f  tform.x86_64.pro
0x00d0:  6772 616d 5f6e 616d 6505 6d79 7371 6c0c  gram_name.mysql.
0x00e0:  5f73 6572 7665 725f 686f 7374 0931 3237  _server_host.127
0x00f0:  2e30 2e30 2e31 0000 0000 0000 0000 0000  .0.0.1..........
0x0100:  0000 0000 0000
{noformat}

We can see from the packet content that C/C thinks the user name is {{ec2-user}} instead of {{mysql}}.

The error message sent by the server also references this incorrect {{ec2-user}} user name:

{noformat}
$ mysql --plugin-dir=/usr/lib64/mysql/plugin/ -h 127.0.0.1
[mariadb] Password:
ERROR 1045 (28000): Access denied for user 'ec2-user'@'localhost' (using password: NO)
{noformat}

h2. Suggested Fix

MariaDB Connector/C's version of the {{read_user_name()}} function should be fixed to use the effective user as the default user. |
Fix Version/s | 3.1.5 [ 24016 ] | |
Fix Version/s | 3.1 [ 23223 ] | |
Resolution | Fixed [ 1 ] | |
Status | Open [ 1 ] | Closed [ 6 ] |
Resolution | Fixed [ 1 ] | |
Status | Closed [ 6 ] | Stalled [ 10000 ] |
Fix Version/s | 3.1 [ 23223 ] | |
Fix Version/s | 3.1.5 [ 24016 ] |
Fix Version/s | 3.1.8 [ 24230 ] | |
Fix Version/s | 3.1 [ 23223 ] | |
Resolution | Fixed [ 1 ] | |
Status | Stalled [ 10000 ] | Closed [ 6 ] |
Link |
This issue causes |
Link |
This issue relates to |
Workflow | MariaDB connectors [ 100194 ] | MariaDB v4 [ 161187 ] |