Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Duplicate
- Affects Version/s: 10.2.37, 10.3.28
- Environment: Centos7 and other linux
Description
During MariaDB 10.2 or 10.3 installation, mysql_install_db.sh provides the following instructions on how to reset the root password:

"PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following commands:

'/usr/bin/mysqladmin' -u root password 'new-password'
'/usr/bin/mysqladmin' -u root -h hostname password 'new-password'

Alternatively you can run:
'/usr/bin/mysql_secure_installation'

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers."

While mysql_secure_installation works as expected and changes ALL passwords, the commands:

'/usr/bin/mysqladmin' -u root password 'new-password'
'/usr/bin/mysqladmin' -u root -h hostname password 'new-password'

DO NOT change ALL root passwords. The mysql.user table after running the commands:

MariaDB [(none)]> select Host,User,Password from mysql.user;
+----------------+------+-------------------------------------------+
| Host           | User | Password                                  |
+----------------+------+-------------------------------------------+
| localhost      | root | *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
| server6.tst.lt | root | *4A82FDF1D80BA7470BA2E17FEEFD5A53D5D3B762 |
| 127.0.0.1      | root |                                           |
| ::1            | root |                                           |
| localhost      |      |                                           |
| server6.tst.lt |      |                                           |
+----------------+------+-------------------------------------------+

So even if the user follows the provided instructions on how to set the root password, there is still an unprotected root user, and it is a CRITICAL vulnerability. IMO it is an important and misleading message and must be fixed by providing instructions that work as expected.
Attachments
Issue Links
- is duplicated by MDEV-25326 mysql_install_db help text incomplete (Closed)
Activity
Field | Original Value | New Value |
---|---|---|
Priority | Blocker [ 1 ] | Major [ 3 ] |
Description | (the description text as given above, unformatted) | (the same text, with the quoted install message and the mysql.user table wrapped in {noformat}) |
Link | This issue is duplicated by | |
Fix Version/s | N/A [ 14700 ] | |
Resolution | Duplicate [ 3 ] | |
Status | Open [ 1 ] | Closed [ 6 ] |
Assignee | Sergei Golubchik [ serg ] | |
Workflow | MariaDB v3 [ 120679 ] | MariaDB v4 [ 159106 ] |
Many years ago MySQL was creating only two root users (root@localhost, root@hostname), e.g.
https://github.com/MariaDB/server/blob/307b7e85af741dd15af2a300b3344642dfa75d14/scripts/mysql_install_db.sh
It had the same recommendations on how to change the password during installation, and they were correct at that time. But at some point it started to add more users (root@127.0.0.1, root@::1), e.g.: https://github.com/MariaDB/server/blob/10.3/scripts/mysql_system_tables_data.sql
But the recommendations on how to set the root password during installation remained the same (https://github.com/MariaDB/server/blob/10.3/scripts/mysql_install_db.sh). And now they are misleading and dangerous. My suggestion is to remove the recommendation to set the root password using these commands:
'/usr/bin/mysqladmin' -u root password 'new-password'
'/usr/bin/mysqladmin' -u root -h hostname password 'new-password'
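An added example, not from the issue or from MariaDB's own scripts, covering both the reporter's table and the comment above: it audits mysql.user for the root accounts the two mysqladmin commands do not reach and then closes them the way mysql_secure_installation would. Host names are taken from the reporter's output and 'new-password' is the placeholder the install message itself uses; the statements are standard MariaDB 10.2/10.3 SQL.

```sql
-- Added example (not part of the issue): audit and fix every root account
-- after running only the two mysqladmin commands from the install message.
-- Host names follow the reporter's table; 'new-password' is a placeholder.

-- 1. Check: accounts with no password hash and no authentication plugin.
--    'plugin = ''' matters: an account authenticated through a plugin such
--    as unix_socket also has an empty Password column but is not open.
--    After the two mysqladmin commands (which cover only root@localhost and
--    root@<hostname>) this returns root@127.0.0.1, root@::1 and the two
--    anonymous accounts from the reporter's table.
SELECT Host, User, plugin
FROM mysql.user
WHERE Password = ''
  AND authentication_string = ''
  AND plugin = '';

-- 2. Fix: set the password on every root host the mysqladmin commands
--    missed. SET PASSWORD takes effect immediately, no FLUSH PRIVILEGES
--    or restart needed.
SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('new-password');
SET PASSWORD FOR 'root'@'::1'       = PASSWORD('new-password');

-- 3. Remove the anonymous accounts that mysql_secure_installation would
--    also offer to drop.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'server6.tst.lt';

-- 4. Re-run the audit; an empty result means no passwordless account is left.
SELECT Host, User, plugin
FROM mysql.user
WHERE Password = ''
  AND authentication_string = ''
  AND plugin = '';
```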