Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-12484

Enable unix socket authentication by default

Details

    Description

      We have had in Debian/Ubuntu since late 2015 unix socket authentication by default on new MariaDB installations (see MDEV-8375).

      Now in 10.3 it is time to start do this in upstream MariaDB globally.

      Via Debian we have already experience that this works well in many environments and use cases. There is a Windows equivalent for unix socket auth is called auth_namepipe and has been tested to work already in 2015.

      The remaining question is whether to have this as-is in upstream now or should we wait until we have automatic fallback to password if the unix_socket did not match (support for multiple authentication plugins).

      The Debian sources can be found here: https://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.1.git/tree/debian

      Note the recent rewrite by Kristian, which has been upstreamed so the capability is already in upstream: https://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.1.git/commit/debian/patches?id=87c1d427f66c0f351019b3a23c3b1de1089b4170

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. MDEV-21928 ALTER USER doesn't remove excess authentication plugins from mysql.global_priv

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          is blocked by

          Task - A task that needs to be done. MDEV-11340 Allow multiple alternative authentication methods for the same user

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          relates to

          Task - A task that needs to be done. MDEV-12834 mysql_secure_installation should ask about unix_socket authentication

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-18736 Document --disable-unix-socket option in man page and binary

          • Major - Major loss of function.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MDEV-18768 Automate upgrades from MySQL 5.7 with auth_socket to MariaDB with our unix_socket

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Task - A task that needs to be done. MDEV-12834 mysql_secure_installation should ask about unix_socket authentication

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-16621 Fix logrotate script

          • Major - Major loss of function.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            View 9 older comments
            danblack Daniel Black added a comment -

            I agree someone may have done it, and packaging scripts will need to account for this, however I've never seen or found a stack overflow, dba.stackexchange.com, blog or any other reference to it. I tried searching Google for CREATE USER mysql and haven't found an exact match . All examples I've seen focus on a personal name (dan), a role (admin), root. or and application name.

            danblack Daniel Black added a comment - I agree someone may have done it, and packaging scripts will need to account for this, however I've never seen or found a stack overflow, dba.stackexchange.com, blog or any other reference to it. I tried searching Google for CREATE USER mysql and haven't found an exact match . All examples I've seen focus on a personal name ( dan ), a role ( admin ), root . or and application name.
            serg Sergei Golubchik added a comment -

            Okay. I'll try this — two all-privilege accounts, authenticated with unix_socket. One is root. The other is:

              # Use $auth_root_socket_user if explicitly specified.
            		 
              # Otherwise use the owner of datadir - ${user:-$USER}
            		 
              # Use 'root' as a fallback
            		 
              auth_root_socket_user=${auth_root_socket_user:-${user:-${USER:-root}}}

            The logic here is — both root user and the owner of the datadir do not need to know the password, they have the full access to the data anyway. So we don't ask them to provide the password.

            This covers both your mysql@localhost suggestion and debian bug#848616 (installed locally under a normal user) use cases.

            serg Sergei Golubchik added a comment - Okay. I'll try this — two all-privilege accounts, authenticated with unix_socket. One is root. The other is: # Use $auth_root_socket_user if explicitly specified. # Otherwise use the owner of datadir - ${user:-$USER} # Use 'root' as a fallback auth_root_socket_user=${auth_root_socket_user:-${user:-${USER:-root}}} The logic here is — both root user and the owner of the datadir do not need to know the password, they have the full access to the data anyway. So we don't ask them to provide the password. This covers both your mysql@localhost suggestion and debian bug#848616 (installed locally under a normal user) use cases.
            danblack Daniel Black added a comment -

            Nice work serg. Always great to see large chunks of packaging script disappear (https://github.com/mariadb/server/commit/25c6d626570e048fc8ddf1ef500a0c601d8b8a60). Trivial, minor, and not without RPM implications, does `./support-files/mysql-log-rotate.sh` need a `su mysql mysql`?

            danblack Daniel Black added a comment - Nice work serg . Always great to see large chunks of packaging script disappear ( https://github.com/mariadb/server/commit/25c6d626570e048fc8ddf1ef500a0c601d8b8a60 ). Trivial, minor, and not without RPM implications, does `./support-files/mysql-log-rotate.sh` need a `su mysql mysql`?
            serg Sergei Golubchik added a comment -

            No, I don't think so. That's the same with Debian — if a script can read /etc/mysql/debian.cnf then it's run as root and that alone is enough. In mysql-log-rotate.sh it looks like it needs to read ~root/.my.cnf, so it's enough too.

            By the way, with mysql user it's somewhat tricky. I didn't dig too deep but the only sudo that I managed to get working was 

            $ sudo sudo -umysql mysql -umysql


            which looks a bit redundant to me. For running as root simple sudo mysql works.

            serg Sergei Golubchik added a comment - No, I don't think so. That's the same with Debian — if a script can read /etc/mysql/debian.cnf then it's run as root and that alone is enough. In mysql-log-rotate.sh it looks like it needs to read ~root/.my.cnf , so it's enough too. By the way, with mysql user it's somewhat tricky. I didn't dig too deep but the only sudo that I managed to get working was $ sudo sudo -umysql mysql -umysql which looks a bit redundant to me. For running as root simple sudo mysql works.
            otto Otto Kekäläinen added a comment -

            Great to see this finally done upstream! A big thank you serg for taking the time to merge it in.

            otto Otto Kekäläinen added a comment - Great to see this finally done upstream! A big thank you serg for taking the time to merge it in.

            People

              serg Sergei Golubchik
              otto Otto Kekäläinen
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.