Debian: incorrect empty password check in postinst

    • Sprint:
      10.1.9-2

Description

There is this code in the debian/mariadb-server-10.1.postinst script:

    # here we check to see if we can connect as root without a password
    # this should catch upgrades from previous versions where the root
    # password wasn't set.  if there is a password, or if the connection
    # fails for any other reason, nothing happens.
    if [ "$1" = "configure" ]; then
        if test_mysql_access; then
            db_input medium mysql-server/root_password || true
            db_go
            db_get mysql-server/root_password && rootpw="$RET"

            if ! set_mysql_rootpw "online"; then
                password_error="yes"
            fi
        fi

        if [ "$password_error" = "yes" ]; then
            db_input high mysql-server/error_setting_password || true
            db_go
        fi

        # copy out any mysqld_safe settings
        systemd_conf=/etc/systemd/system/mariadb.service.d/migrated-from-my.cnf-settings.conf
        if [ -x /usr/bin/mariadb-service-convert -a ! -f "${systemd_conf}" ]; then
            mkdir -p /etc/systemd/system/mariadb.service.d
            /usr/bin/mariadb-service-convert > "${systemd_conf}"
        fi
    fi

The purpose of this code is to check for an empty root password, but it is wrong in many regards:

• it is supposed to be executed against a running server, but at this point the server should be down, which makes this code a no-op
• if the above is fixed, the root password will be requested twice (the initial root password request plus this one)
• it asks for the password only once, while the "initial root password request" asks twice (password + password verification)
• it may give a false positive if unix socket based authentication is in effect
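As an added illustration, not code from the MariaDB postinst or from the reporter, the check below separates the outcomes the snippet above conflates: a server that is simply not running, a root account protected by a password, a root account reachable only through unix_socket authentication, and a genuinely empty password. MYSQL_CMD, root_password_state and the matching on client error messages are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the postinst's own code: classify what a passwordless
# root connection attempt actually proves. MYSQL_CMD is an assumption so the
# client can be replaced by a stub for offline testing.
MYSQL_CMD="${MYSQL_CMD:-mysql --no-defaults --user=root --protocol=socket --batch --skip-column-names}"

# Prints one verdict: no_password | unix_socket | access_denied | server_down | unknown
# Exit status is 0 only for no_password, the one case the postinst should act on.
root_password_state() {
    # The query only runs if the login succeeded; its result tells socket auth
    # (access granted by OS identity, not by an empty password) from a real empty password.
    if out=$($MYSQL_CMD -e "SELECT plugin FROM mysql.user WHERE user='root' AND host='localhost'" 2>&1); then
        case "$out" in
            *unix_socket*|*auth_socket*) echo unix_socket; return 1 ;;
            *)                           echo no_password; return 0 ;;
        esac
    fi
    case "$out" in
        *"Access denied"*) echo access_denied; return 1 ;;  # ERROR 1045/1698: login refused, root is protected
        *"Can't connect"*) echo server_down;   return 1 ;;  # ERROR 2002/2003: server is down, nothing was learned
        *)                 echo unknown;       return 1 ;;  # e.g. client not installed; never treat as "password is set"
    esac
}
```

Source the file and call root_password_state; only the no_password verdict should lead to prompting for a new root password, while server_down means the check has to be re-run once the server is up.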

People

Assignee: Sergey Vojtovich (svoj)
Reporter: Sergey Vojtovich (svoj)