Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 5.5(EOL), 10.0(EOL), 10.1(EOL)
- None
- 10.1.9-2
Description
There's this code in debian/mariadb-server-10.1.postinst script:
```sh
# here we check to see if we can connect as root without a password
# this should catch upgrades from previous versions where the root
# password wasn't set. if there is a password, or if the connection
# fails for any other reason, nothing happens.
if [ "$1" = "configure" ]; then
  if test_mysql_access; then
    db_input medium mysql-server/root_password || true
    db_go
    db_get mysql-server/root_password && rootpw="$RET"

    if ! set_mysql_rootpw "online"; then
      password_error="yes"
    fi
  fi

  if [ "$password_error" = "yes" ]; then
    db_input high mysql-server/error_setting_password || true
    db_go
  fi

  # copy out any mysqld_safe settings
  systemd_conf=/etc/systemd/system/mariadb.service.d/migrated-from-my.cnf-settings.conf
  if [ -x /usr/bin/mariadb-service-convert -a ! -f "${systemd_conf}" ]; then
    mkdir -p /etc/systemd/system/mariadb.service.d
    /usr/bin/mariadb-service-convert > "${systemd_conf}"
  fi
fi
```
The purpose of this code is to check for an empty root password, but it is wrong in many regards:
- it is supposed to be executed against a running server, but at this point the server should be down, which makes this code a no-op
- if the above is fixed, the root password will be requested twice (initial root password request + this one)
- it asks for a password only once, while the "initial root password request" asks twice (password + password verification)
- it may give a false positive if unix socket based authentication is in effect
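The last point above, as an added example (not code from the postinst script or the MariaDB packaging): rather than inferring an empty root password from a successful passwordless connection, classify each root account by its `plugin`, `Password` and `authentication_string` columns. The function names and sample rows are constructed, the column layout of `mysql.user` in the affected versions is an assumption, and the handling of plugins other than `unix_socket` goes beyond the case the report names.

```shell
#!/bin/sh
# Added example; not part of debian/mariadb-server-10.1.postinst.
# Input on stdin: tab-separated User, Host, plugin, Password,
# authentication_string rows, e.g. from a *running* server via
#   mysql -N -B -e "SELECT User,Host,plugin,Password,authentication_string
#                   FROM mysql.user WHERE User='root'"

# Print "<user>@<host><TAB><class>" for every root account.
classify_root_accounts() {
    awk -F '\t' '
        $1 != "root"         { next }
        # Passwordless login here is by design, not a missing password.
        $3 == "unix_socket"  { print $1 "@" $2 "\tsocket-auth"; next }
        # Any other external plugin: an empty Password column says nothing.
        $3 != "" && $3 !~ /^mysql_(native|old)_password$/ {
                               print $1 "@" $2 "\tother-plugin"; next }
        $4 == "" && $5 == "" { print $1 "@" $2 "\tempty-password"; next }
                             { print $1 "@" $2 "\tpassword-set" }
    '
}

# Exit 0 only if some root account has no credential at all.
root_password_prompt_needed() {
    classify_root_accounts |
        awk -F '\t' '$2 == "empty-password" { found = 1 } END { exit !found }'
}

# Constructed sample rows (the hash is a placeholder, not a real value).
sample_rows() {
    printf 'root\tlocalhost\tunix_socket\t\t\n'
    printf 'root\t127.0.0.1\t\t\t\n'
    printf 'root\t::1\t\t*0000000000000000000000000000000000000000\t\n'
}

sample_rows | classify_root_accounts
if sample_rows | root_password_prompt_needed; then
    echo "prompt: at least one root account has an empty password"
fi
```

With only the `unix_socket` row as input, `root_password_prompt_needed` returns non-zero, which is the case where a connect-based test would report a false positive.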
Issue Links
- relates to MDEV-8437 plugin variables conflict with bootstrap (debian mariadb-server-10.0.postinst) (Closed)