  1. MariaDB Server
  2. MDEV-26593

Replace mysql_secure_installation with a notice that it is useless


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      Due to historical reasons, a lot of people have learnt that running mysql_secure_installation after installing MySQL is a good routine.

      In reality mysql_secure_installation has been useless for years.

      • It removes anonymous users – but the default MariaDB installation has none
      • It removes the tmp database – but the default MariaDB installation has none
      • It sets a root password and writes it into my.cnf – which makes the security posture worse compared to a default MariaDB installation with pure unix socket authentication and no passwords that could leak or be guessed
      • It removes remote root access accounts – but those don't have any access in a default MariaDB installation, and remote root is the only reason one would ever want to have a root password at all, so the script is just silly now

      It would be better to remove the whole thing and just replace it with a notice "The command mysql_secure_installation has been deprecated – MariaDB is secure by default and there are no actions that need to be taken after installing MariaDB. This script does not improve the security of MariaDB at all."

      Looking at the history of the script, nobody has ever stopped to think whether it makes any sense at all nowadays: https://github.com/MariaDB/server/commits/193bfdd831bbbf65e74acd12baf691d4305e3c11/scripts/mysql_secure_installation.sh

      In the past 10 years nobody has done anything to improve the security features; all commits are pure bug fixes. And there are still more bug fixes needed to make it fully work:

      Rather than invest time in fixing bugs in a script that is useless, just get rid of the script that is only misleading users and replace it with a notice so users can unlearn from the routine of having to run it.
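The account-related points in the description above (anonymous users, remote root, root password versus unix socket authentication) can be checked on a given server rather than taken on trust. The following is an added example, not part of the original issue and not MariaDB project code; it assumes rows exported from `SELECT User, Host, plugin, authentication_string FROM mysql.user`, and the function name, finding labels and sample rows are constructed for illustration.

```python
# Added example (not MariaDB project code). Rows are assumed to come from:
#   SELECT User, Host, plugin, authentication_string FROM mysql.user;
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
PASSWORD_PLUGINS = {"mysql_native_password", "ed25519"}


def audit_accounts(rows):
    """Return (finding, account) tuples for the account states the script targets."""
    findings = []
    for user, host, plugin, auth_string in rows:
        account = f"'{user}'@'{host}'"
        if user == "":
            findings.append(("anonymous-user", account))
            continue
        if user != "root":
            continue
        if host.lower() not in LOCAL_HOSTS:
            findings.append(("remote-root", account))
        if plugin in PASSWORD_PLUGINS:
            if auth_string == "":
                # Password plugin with no credential stored: login needs no password.
                findings.append(("root-empty-password", account))
            elif auth_string != "invalid":
                # Assumption: 'invalid' is the placeholder MariaDB 10.4+ stores for
                # "unix_socket OR mysql_native_password USING 'invalid'"; it can
                # never match a password, so only other values count as set.
                findings.append(("root-password-set", account))
    return findings


# Constructed sample: shape of a default install with socket-authenticated root.
DEFAULT_INSTALL = [
    ("root", "localhost", "mysql_native_password", "invalid"),
    ("mariadb.sys", "localhost", "mysql_native_password", ""),
]

# Constructed sample: legacy-style accounts of the kind the script was written for.
LEGACY_STYLE = [
    ("", "localhost", "mysql_native_password", ""),
    ("root", "%", "mysql_native_password", "*CONSTRUCTED_HASH_PLACEHOLDER"),
    ("root", "localhost", "mysql_native_password", ""),
]

if __name__ == "__main__":
    for name, rows in (("default", DEFAULT_INSTALL), ("legacy", LEGACY_STYLE)):
        print(name, audit_accounts(rows) or "no findings")
```

An empty result on a fresh install matches the description's claim that there is nothing for the script to remove; a `root-password-set` finding on a local-only root account is the state the description calls worse than the default.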

              People

              Assignee: Unassigned
              Reporter: Otto Kekäläinen
              Votes: 0
              Watchers: 5
