MariaDB Server: MDEV-25318

mysql_install_db.sh gives wrong instructions on how to set the root password, leading to a passwordless root account.


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.2.37, 10.3.28
    • Fix Version/s: N/A
    • Component/s: Scripts & Clients
    • Labels: None
    • Environment: CentOS 7 and other Linux

    Description

      During MariaDB 10.2 or 10.3 installation, mysql_install_db.sh provides the following instructions on how to reset the root password:

      "PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
      To do so, start the server, then issue the following commands:
       
      '/usr/bin/mysqladmin' -u root password 'new-password'
      '/usr/bin/mysqladmin' -u root -h hostname password 'new-password'
       
      Alternatively you can run:
      '/usr/bin/mysql_secure_installation'
       
      which will also give you the option of removing the test
      databases and anonymous user created by default.  This is
      strongly recommended for production servers."
       
      While mysql_secure_installation works as expected and changes ALL passwords, the commands:
      '/usr/bin/mysqladmin' -u root password 'new-password'
      '/usr/bin/mysqladmin' -u root -h hostname password 'new-password'
       
      DO NOT change ALL root passwords. The mysql.user table after running the commands:
      MariaDB [(none)]> select Host,User,Password from mysql.user;
      +----------------+------+-------------------------------------------+
      | Host           | User | Password                                  |
      +----------------+------+-------------------------------------------+
      | localhost      | root | *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
      | server6.tst.lt | root | *4A82FDF1D80BA7470BA2E17FEEFD5A53D5D3B762 |
      | 127.0.0.1      | root |                                           |
      | ::1            | root |                                           |
      | localhost      |      |                                           |
      | server6.tst.lt |      |                                           |
      +----------------+------+-------------------------------------------+
      

      So even if the user follows the provided instructions on how to set the root password, there is still an unprotected root user, and it is a CRITICAL vulnerability. IMO it is an important and misleading message and must be fixed by providing instructions that work as expected.
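      The audit-and-fix sequence below is an added example; it is not part of the bug report and not MariaDB's own script code. It assumes MariaDB 10.2/10.3 as in the report (where mysql.user is a real table with Password and plugin columns), and the host names and 'new-password' are placeholders. It first lists root rows that still accept an empty password after the mysqladmin commands quoted above, then sets the password for every root row at once, the way the reporter says mysql_secure_installation does, and re-checks.

```sql
-- Added example, not from the bug report or MariaDB's scripts.
-- Assumes MariaDB 10.2/10.3; host names and 'new-password' are placeholders.

-- 1. Find every root account that still has an empty password hash.
--    Rows authenticating via the unix_socket plugin also have an empty
--    Password column but are not passwordless, so only native-auth rows count.
--    On the reporter's server this returns root@127.0.0.1 and root@::1.
SELECT Host, User, plugin
FROM mysql.user
WHERE User = 'root'
  AND Password = ''
  AND plugin IN ('', 'mysql_native_password');

-- 2a. Supported route: SET PASSWORD per account. The server updates its
--     privilege cache itself, so no FLUSH PRIVILEGES is needed. Repeat for
--     each Host returned by the audit query.
SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('new-password');
SET PASSWORD FOR 'root'@'::1'       = PASSWORD('new-password');

-- 2b. Single-statement route for 10.2/10.3, where mysql.user is a real table:
--     hash the password into every root row regardless of Host, then reload.
--     On 10.4+ mysql.user is a view over mysql.global_priv, so use 2a there.
UPDATE mysql.user
SET Password = PASSWORD('new-password')
WHERE User = 'root';
FLUSH PRIVILEGES;

-- 3. Optionally drop the anonymous accounts (empty User) that the listing in
--    the report also shows; mysql_secure_installation offers the same clean-up.
DELETE FROM mysql.user WHERE User = '';
FLUSH PRIVILEGES;

-- 4. Re-run the audit. An empty result means no root login is passwordless.
SELECT Host, User
FROM mysql.user
WHERE User = 'root'
  AND Password = ''
  AND plugin IN ('', 'mysql_native_password');
```

      Run the statements as root@localhost (the row the mysqladmin command did protect) immediately after the mysqladmin step; step 1 before and step 4 after is the check that the mysql_install_db message, as quoted, never tells the user to make.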

            People

              Assignee: Sergei Golubchik (serg)
              Reporter: Vytautas Bertasius (wyckaoo)