[MDEV-12835] Write warning to error log if user's login password is ignored - Jira

XML

Word

Printable

Details

Type: Task
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Fix Version/s: 10.4.0
Component/s: Authentication and Privilege System
Labels:
- authentication
- unix_socket

Description

A user recently found out that the password for his 'root'@'localhost' account was being ignored. It turns out that his build of MariaDB uses unix_socket authentication by default for that user account. However, he was not aware of that, so he still attempted to set a password for this user account. He was also not familiar with the unix_socket plugin, so he was quite confused when he discovered that he could log into MariaDB without supplying a password after he explicitly set one.

The user suggested that it might be worthwhile for the server to throw a warning when a user's provided login password is ignored. For security reasons, it might make sense to only write the warning to the server's error log. Maybe this warning could be toggled on/off based on the value of log_warnings, similar to the other warnings thrown by authentication issues.

I'm not entirely familiar with internals of the authentication plugin API, so I don't know how practical this feature request is with the current implementation.

Attachments

Issue Links

is blocked by

MDEV-12321 authentication plugin: SET PASSWORD support

Closed

relates to

MDEV-17169 password ignored with root login

Closed

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Geoff Montee (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2017-05-17 19:41

Updated:: 2020-08-25 16:36

Resolved:: 2018-11-07 07:07

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.