Details
- Bug
- Status: Closed
- Major
- Resolution: Duplicate
- 10.2.37, 10.3.28
- None
- Centos7 and other linux
Description
During MariaDB 10.2 or 10.3 installation, mysql_install_db.sh provides the following instructions on how to reset the root password:
"PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following commands:

'/usr/bin/mysqladmin' -u root password 'new-password'
'/usr/bin/mysqladmin' -u root -h hostname password 'new-password'

Alternatively you can run:
'/usr/bin/mysql_secure_installation'

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers."

While mysql_secure_installation works as expected and changes ALL passwords, the commands:

'/usr/bin/mysqladmin' -u root password 'new-password'
'/usr/bin/mysqladmin' -u root -h hostname password 'new-password'

DO NOT change ALL root passwords. The mysql user table after running the commands:

MariaDB [(none)]> select Host,User,Password from mysql.user;
+----------------+------+-------------------------------------------+
| Host           | User | Password                                  |
+----------------+------+-------------------------------------------+
| localhost      | root | *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
| server6.tst.lt | root | *4A82FDF1D80BA7470BA2E17FEEFD5A53D5D3B762 |
| 127.0.0.1      | root |                                           |
| ::1            | root |                                           |
| localhost      |      |                                           |
| server6.tst.lt |      |                                           |
+----------------+------+-------------------------------------------+

So even if the user follows the provided instructions on how to set the root password, there is still an unprotected root user, and it is a CRITICAL vulnerability. IMO it is an important and misleading message and must be fixed by providing instructions that work as expected.
Issue Links
- is duplicated by: MDEV-25326 mysql_install_db help text incomplete (Closed)
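
A check for the condition the report describes, as an added example that is not part of the original report or of MariaDB's own tooling: it reads the table printed by the report's `select Host,User,Password from mysql.user;` query and lists every account whose Password column is empty. The function names and placeholder hashes are constructed; only the Password column is inspected, so accounts authenticated through a plugin would need the plugin column checked as well.

```shell
#!/bin/sh
# Added example: flag accounts left without a password after running the
# mysqladmin commands from the installer message. Reads the boxed table from
#   select Host,User,Password from mysql.user;
# on stdin. Assumption: an empty Password column means no authentication.
find_open_accounts() {
  awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[+]/ { next }                          # border lines
    NF < 5       { next }                          # not a three-column row
    {
      host = trim($2); user = trim($3); pw = trim($4)
      if (host == "Host" && user == "User") next   # header row
      if (pw != "") next                           # password hash present
      if (user == "")          kind = "anonymous account, no password"
      else if (user == "root") kind = "root account, no password"
      else                     kind = "no password"
      printf "%s\t%s\t%s\n", host, (user == "" ? "(anonymous)" : user), kind
    }'
}

# Exit status 0 when no open account is found, 1 otherwise (usable from cron or CI).
audit_accounts() {
  findings=$(find_open_accounts)
  if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
  return 0
}

# Constructed sample: hosts and layout follow the report, hashes are placeholders.
sample_table() {
cat <<'EOF'
+----------------+------+-------------------------------------------+
| Host           | User | Password                                  |
+----------------+------+-------------------------------------------+
| localhost      | root | *PLACEHOLDERHASH0000000000000000000000001 |
| server6.tst.lt | root | *PLACEHOLDERHASH0000000000000000000000002 |
| 127.0.0.1      | root |                                           |
| ::1            | root |                                           |
| localhost      |      |                                           |
| server6.tst.lt |      |                                           |
+----------------+------+-------------------------------------------+
EOF
}

# Stand-alone run: print the findings for the sample table.
sample_table | audit_accounts || true
```

On a live server the same functions can be fed from the client, for example `mysql -t -e "select Host,User,Password from mysql.user" | audit_accounts`.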