  1. MariaDB Server
  2. MDEV-26593

Replace mysql_secure_installation with a notice that it is useless

Details

    • Bug
    • Status: Open
    • Minor
    • Resolution: Unresolved

    Description

      Due to historical reasons, a lot of people have learnt that running mysql_secure_installation after installing MySQL is a good routine.

      In reality mysql_secure_installation has been useless for years.

      • It removes anonymous users – but the default MariaDB installation has none
      • It removes the tmp database – but the default MariaDB installation has none
      • It sets a root password and writes it into my.cnf – which makes the security posture worse compared to a default MariaDB installation with pure unix socket authentication and no passwords that could leak or be guessed
      • It removes remote root access account – but those don't have any access in a default MariaDB installation, and remote root is the only reason one would ever want to have a root password at all, so the script is just silly now

      It would be better to remove the whole thing and just replace it with a notice "The command mysql_secure_installation has been deprecated – MariaDB is secure by default and there are no actions that need to be taken after installing MariaDB. This script does not improve the security of MariaDB at all."

      Looking at the history of the script, nobody has ever stopped to think whether it makes any sense at all nowadays: https://github.com/MariaDB/server/commits/193bfdd831bbbf65e74acd12baf691d4305e3c11/scripts/mysql_secure_installation.sh

      In the past 10 years nobody has done anything to improve the security features; all commits are pure bug fixes. And there are still more bugfixes needed to make it fully work:

      Rather than invest time in fixing bugs in a script that is useless, just get rid of the script that is only misleading users and replace it with a notice so users can unlearn from the routine of having to run it.

          Activity

            luke.smith Luke (Inactive) added a comment - - edited

            This isn't entirely true, a fresh install will prove differently.

            [root@db01 ~]# mariadb -A
            Welcome to the MariaDB monitor. Commands end with ; or \g.
            Your MariaDB connection id is 3
            Server version: 10.7.3-MariaDB MariaDB Server

            Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

            Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

            MariaDB [(none)]> select user,host from mysql.user;
            +-------------+-----------+
            | User        | Host      |
            +-------------+-----------+
            |             | db01      |
            |             | localhost |
            | mariadb.sys | localhost |
            | mysql       | localhost |
            | root        | localhost |
            +-------------+-----------+
            5 rows in set (0.003 sec)

            MariaDB [(none)]> show databases;
            +--------------------+
            | Database           |
            +--------------------+
            | information_schema |
            | mysql              |
            | performance_schema |
            | sys                |
            | test               |
            +--------------------+
            5 rows in set (0.001 sec)

            danblack Daniel Black added a comment - - edited

            I do share the exasperation of its excessive use (like FLUSH PRIVILEGES everywhere). I even had to add a notice in the docker library entrypoint for mariadb based on user misinformation.

            Writing descriptions (like MDEV-27613) for upgrade and other packaging things does add to the harmful perception.

            It removes anonymous users – but the default MariaDB installation has none

            It removes the test database – but the default MariaDB installation has none

            You are right for Debian, and rpm packages. Possibly some other distros. Notably, as luke.smith showed earlier, the anonymous user and test database are there. Installing using mysql_install_db --auth-root-authentication-method=normal is the case where mysql_secure_installation is "strongly recommended".

            anel and I did get to writing a large amount of mysql_secure_installation fixes last year, which address some issues, but others, like writing a temporary config file containing the password, like mysql_upgrade, aren't done. It stalled because it just became too big a change to be considered stable. Constraints like not-bash mean that workarounds like this (before or after implementation), and a few other scripting constructs, aren't as easy.

            Maybe as an option we should revert to a server assisted implementation as an installed stored procedure and cut back mysql_install_db to calling it rather than trying to do it all in shell.

            I don't think we can totally drop it as "this is useless", but we could advise the user like "unless you have done mysql_install_db --auth-root-authentication-method=normal, or have set a weak root password, your system is already secure." (+ maybe something around skip-test-db because that isn't default).

            greenman Ian Gilfillan added a comment -

            danblack's suggestion to advise the user when running it seems to make sense.
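
            Added example (not part of the original issue, and not MariaDB's own code): a Python check that reads `mariadb --batch` output for the two queries luke.smith ran and reports whether the clean-up steps listed in the description (anonymous users, test database, remote root) would have anything to act on. The sample inputs are constructed, the first from the rows in that comment; the function names and the list of local hosts are assumptions.

```python
# Added example: decide from query output whether the clean-up steps discussed
# in this issue apply to a server. Input is the tab-separated text printed by
#   mariadb --batch -e "select user,host from mysql.user"
#   mariadb --batch -e "show databases"

# Assumption: hosts treated as "local" when judging the root account.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_batch(text):
    """Return the data rows of --batch output as tuples, dropping the header."""
    rows = text.splitlines()[1:]
    # No strip(): an anonymous account has an empty User field, so its line
    # starts with a tab and the empty first field must be preserved.
    return [tuple(row.split("\t")) for row in rows if row]


def audit(users_text, databases_text):
    """Report anonymous accounts, non-local root accounts and a test database."""
    users = parse_batch(users_text)
    databases = [row[0] for row in parse_batch(databases_text)]
    return {
        "anonymous_hosts": [host for user, host in users if user == ""],
        "remote_root_hosts": [host for user, host in users
                              if user == "root" and host.lower() not in LOCAL_HOSTS],
        "test_database": "test" in databases,
    }


def needs_cleanup(report):
    """True if any of the three findings is present."""
    return bool(report["anonymous_hosts"] or report["remote_root_hosts"]
                or report["test_database"])


# Constructed sample 1: the rows shown in luke.smith's comment above.
SAMPLE_USERS = ("User\tHost\n\tdb01\n\tlocalhost\n"
                "mariadb.sys\tlocalhost\nmysql\tlocalhost\nroot\tlocalhost\n")
SAMPLE_DATABASES = ("Database\ninformation_schema\nmysql\n"
                    "performance_schema\nsys\ntest\n")

# Constructed sample 2: an install with no anonymous users and no test database.
CLEAN_USERS = "User\tHost\nmariadb.sys\tlocalhost\nmysql\tlocalhost\nroot\tlocalhost\n"
CLEAN_DATABASES = "Database\ninformation_schema\nmysql\nperformance_schema\nsys\n"

if __name__ == "__main__":
    for name, u, d in (("sample 1", SAMPLE_USERS, SAMPLE_DATABASES),
                       ("sample 2", CLEAN_USERS, CLEAN_DATABASES)):
        print(name, audit(u, d))
```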


            People

              Unassigned Unassigned
              otto Otto Kekäläinen