Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Not a Bug
- Affects Version/s: 10.4.12
Description
The description of the default_password_lifetime system variable says the following:
This defines the global password expiration policy. 0 means automatic password expiration is disabled. If the value is a positive integer N, the passwords must be changed every N days. This behavior can be overridden using the password expiration options in ALTER USER.
I would interpret this as meaning: if this system variable's value is non-zero, then password expiration will be enabled by default. However, as far as I can tell, password expiration is never enabled by default.
The value provided by the default_password_lifetime system variable only seems to apply if the PASSWORD EXPIRE DEFAULT clause is provided to the CREATE USER or ALTER USER statements.
We can test this by creating some users, and then querying mysql.global_priv, and then looking at the value of the password_lifetime attribute.
For example, if the PASSWORD EXPIRE DEFAULT clause is provided to the CREATE USER or ALTER USER statement, then the password_lifetime attribute is set, so password expiration is definitely enabled for this user account:
MariaDB [(none)]> SET GLOBAL default_password_lifetime=10;
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> CREATE USER 'pw_expires_default_clause'@'localhost' PASSWORD EXPIRE DEFAULT;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> SELECT JSON_DETAILED(Priv) FROM mysql.global_priv WHERE User = 'pw_expires_default_clause' AND Host = 'localhost';
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| JSON_DETAILED(Priv)                                                                                                                                               |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| {
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
    "password_last_changed": 1582074440,
    "password_lifetime": -1
} |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)
But if no PASSWORD EXPIRE ... clause is provided to the CREATE USER or ALTER USER statement, then the password_lifetime attribute is not set, so it seems that password expiration is not enabled for this user account:
MariaDB [(none)]> SET GLOBAL default_password_lifetime=10;
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> CREATE USER 'pw_expires_no_clause'@'localhost';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> SELECT JSON_DETAILED(Priv) FROM mysql.global_priv WHERE User = 'pw_expires_no_clause' AND Host = 'localhost';
+--------------------------------------------------------------------------------------------------------------------------------------+
| JSON_DETAILED(Priv)                                                                                                                  |
+--------------------------------------------------------------------------------------------------------------------------------------+
| {
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
    "password_last_changed": 1582074510
} |
+--------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)
According to the source code, if the password_lifetime attribute is not set for a given user account, then password expiration is not enabled:
/* the password should never expire */
if (!acl_user.password_lifetime)
  return false;
https://github.com/MariaDB/server/blob/mariadb-10.4.12/sql/sql_acl.cc#L13610
I would think that if the user sets default_password_lifetime to a non-zero value, then they probably want password expiration to be enabled by default. If so, then I think the password_lifetime attribute should be set to -1 if default_password_lifetime is set to a non-zero value and no PASSWORD EXPIRE ... clause is provided.
Is this a bug, or is it working as intended?
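An audit query for the situation this report describes, added here as an example and not taken from the report or from MariaDB's own code: it reads each account's password_lifetime attribute from mysql.global_priv and reports the effective expiry policy, treating an absent attribute as "never expires" exactly as the sql_acl.cc check quoted above does. The meaning assumed for the per-account values 0 (PASSWORD EXPIRE NEVER) and N > 0 (PASSWORD EXPIRE INTERVAL N DAY) comes from the ALTER USER syntax rather than from the report.

```sql
-- Added audit example (not part of the MDEV report). Needs an administrative
-- account that can read mysql.global_priv.
-- Per-account password_lifetime semantics assumed here:
--   attribute absent -> never expires (the case this report describes)
--   -1               -> PASSWORD EXPIRE DEFAULT, follows default_password_lifetime
--   0                -> PASSWORD EXPIRE NEVER
--   N > 0            -> PASSWORD EXPIRE INTERVAL N DAY
SELECT
  CONCAT('''', User, '''@''', Host, '''')                  AS account,
  CAST(JSON_VALUE(Priv, '$.password_lifetime') AS SIGNED)  AS password_lifetime,
  CASE
    WHEN JSON_VALUE(Priv, '$.password_lifetime') IS NULL
      THEN 'never (attribute not set)'
    WHEN CAST(JSON_VALUE(Priv, '$.password_lifetime') AS SIGNED) = -1
         AND @@global.default_password_lifetime = 0
      THEN 'never (default_password_lifetime = 0)'
    WHEN CAST(JSON_VALUE(Priv, '$.password_lifetime') AS SIGNED) = -1
      THEN CONCAT('every ', @@global.default_password_lifetime, ' days (global default)')
    WHEN CAST(JSON_VALUE(Priv, '$.password_lifetime') AS SIGNED) = 0
      THEN 'never (PASSWORD EXPIRE NEVER)'
    ELSE CONCAT('every ', JSON_VALUE(Priv, '$.password_lifetime'), ' days (per-account)')
  END                                                      AS effective_policy,
  FROM_UNIXTIME(JSON_VALUE(Priv, '$.password_last_changed')) AS password_last_changed,
  -- Accounts with no attribute silently never expire even when
  -- default_password_lifetime is non-zero; opting them into the global
  -- policy explicitly is the fix this report implies.
  IF(JSON_VALUE(Priv, '$.password_lifetime') IS NULL,
     CONCAT('ALTER USER ''', User, '''@''', Host, ''' PASSWORD EXPIRE DEFAULT;'),
     NULL)                                                 AS suggested_fix
FROM mysql.global_priv
ORDER BY Host, User;
```

Run against the two accounts created above, pw_expires_default_clause reports the global default while pw_expires_no_clause reports "never (attribute not set)" together with the ALTER USER statement that would bring it under the policy.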
Issue Links
- relates to MDEV-7597 Expiration of user passwords (Closed)
- relates to MDEV-18716 Document password expiration (Closed)