MariaDB Server
MDEV-25318

mysql_install_db.sh: wrong instructions on how to set the root password, leading to a passwordless root account


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.2.37, 10.3.28
    • Fix Version/s: N/A
    • Component/s: Scripts & Clients
    • Labels:
      None
    • Environment:
      CentOS 7 and other Linux

      Description

      During MariaDB 10.2 or 10.3 installation, mysql_install_db.sh provides the following instructions on how to reset the root password:

      "PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
      To do so, start the server, then issue the following commands:
       
      '/usr/bin/mysqladmin' -u root password 'new-password'
      '/usr/bin/mysqladmin' -u root -h hostname password 'new-password'
       
      Alternatively you can run:
      '/usr/bin/mysql_secure_installation'
       
      which will also give you the option of removing the test
      databases and anonymous user created by default.  This is
      strongly recommended for production servers."
       
      While mysql_secure_installation works as expected and changes ALL passwords, the commands:
      '/usr/bin/mysqladmin' -u root password 'new-password'
      '/usr/bin/mysqladmin' -u root -h hostname password 'new-password'
       
      DO NOT change ALL root passwords. The mysql.user table after running the commands:
      MariaDB [(none)]> select Host,User,Password from mysql.user;
      +----------------+------+-------------------------------------------+
      | Host           | User | Password                                  |
      +----------------+------+-------------------------------------------+
      | localhost      | root | *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
      | server6.tst.lt | root | *4A82FDF1D80BA7470BA2E17FEEFD5A53D5D3B762 |
      | 127.0.0.1      | root |                                           |
      | ::1            | root |                                           |
      | localhost      |      |                                           |
      | server6.tst.lt |      |                                           |
      +----------------+------+-------------------------------------------+
      

      So even if the user follows the provided instructions on how to set the root password, there is still an unprotected root user, and it is a CRITICAL vulnerability. IMO it is an important and misleading message and must be fixed by providing instructions that work as expected.
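      The following statements are an added example and are not part of the bug report or of the MariaDB scripts. They assume a MariaDB 10.2/10.3 server with the default mysql.user table layout shown above (columns Password, plugin and authentication_string), that you are connected as root over the local socket right after mysql_install_db, and that 'server6.tst.lt' and 'new-password' are placeholders to replace with your own hostname and password. The point is that SET PASSWORD (like the two mysqladmin calls in the install message) changes exactly one 'user'@'host' row, so every root row has to be covered, and an audit query should be run afterwards to prove nothing is left open.

```sql
-- Added example (not from the bug report). Assumes MariaDB 10.2/10.3 and the
-- mysql.user columns Password, plugin, authentication_string.

-- 1. Audit: accounts that can log in with no password at all.
--    plugin = '' means classic native auth with the hash kept in Password;
--    for an explicit native plugin the hash lives in authentication_string.
--    unix_socket accounts have Password = '' by design and are NOT listed.
SELECT Host, User, plugin
FROM mysql.user
WHERE (plugin = '' AND Password = '')
   OR (plugin IN ('mysql_native_password', 'mysql_old_password')
       AND authentication_string = '');

-- 2. Fix: set the password on EVERY root row, one statement per Host.
--    The install message only covers the first two of these, which is
--    why 127.0.0.1 and ::1 stay empty in the table in the report.
SET PASSWORD FOR 'root'@'localhost'      = PASSWORD('new-password');
SET PASSWORD FOR 'root'@'server6.tst.lt' = PASSWORD('new-password');  -- your hostname
SET PASSWORD FOR 'root'@'127.0.0.1'      = PASSWORD('new-password');
SET PASSWORD FOR 'root'@'::1'            = PASSWORD('new-password');

-- 3. Drop the anonymous accounts (User = '') that mysql_secure_installation
--    would also remove; they match any user name that has no own entry.
DROP USER ''@'localhost';
DROP USER ''@'server6.tst.lt';  -- your hostname

-- 4. Re-run the audit from step 1; it must now return no rows.
SELECT Host, User, plugin
FROM mysql.user
WHERE (plugin = '' AND Password = '')
   OR (plugin IN ('mysql_native_password', 'mysql_old_password')
       AND authentication_string = '');
```

      If you do not know which Host values exist for root, step 1 (or `SELECT Host FROM mysql.user WHERE User = 'root'`) lists them; each one needs its own SET PASSWORD. Running mysql_secure_installation instead does the same work interactively, which is why the report says it behaves as expected.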

              People

              Assignee:
              serg Sergei Golubchik
              Reporter:
              wyckaoo Vytautas Bertasius
              Votes:
              0
              Watchers:
              2
