[MDEV-16238] root/localhost authn prioritizes authentication_string over Password
Created: 2018-05-21  Updated: 2018-07-19  Resolved: 2018-06-21

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.1, 10.2.15, 10.2, 10.3
Fix Version/s: 10.2.16, 10.3.8

Type: Bug
Priority: Critical
Reporter: Felipe Gasper
Assignee: Sergei Golubchik
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Duplicate
is duplicated by MDEV-16350 CLONE - root/localhost authn prioriti... Closed
Problem/Incident
causes MDEV-16774 SET PASSWORD and ALTER USER with slig... Closed

Description

update mysql.user set authentication_string=password('two') where user='root' and host='localhost';
set password for 'root'@'localhost' = password("one");
flush privileges;

^^ You’ll be unable to log in as root/localhost after the above using “one” as the password, but “two” will work.

A preexisting authentication_string should not take priority over the result of SET PASSWORD FOR.

This is a problem for installations that are migrated from MySQL 5.7 because these can still have authentication_string values around.
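
A read-only audit query for the situation the report describes, added here as an example and not part of the original report or the MariaDB project's own code: it lists accounts that carry an authentication_string and flags those where Password holds a different value. It assumes the mysql.user layout of the affected versions, where the table has both a Password and an authentication_string column; the finding labels are made up for this example.

```sql
-- Added example: read-only audit of mysql.user on an affected server
-- (10.1, 10.2 before 10.2.16, 10.3 before 10.3.8).
-- Assumption: mysql.user is a table with both Password and
-- authentication_string columns, as in those versions.
SELECT
    User,
    Host,
    plugin,
    CASE
        -- The case from the report: SET PASSWORD wrote Password, but an
        -- older, different authentication_string is still present.
        WHEN Password <> ''
             AND Password <> authentication_string
            THEN 'CONFLICT: Password and authentication_string differ'
        -- Both columns populated with the same hash: no ambiguity today,
        -- but the next SET PASSWORD on an affected version creates one.
        WHEN Password <> ''
            THEN 'both set, values equal'
        -- Typical leftover of a MySQL 5.7 migration.
        ELSE 'only authentication_string set'
    END AS finding
FROM mysql.user
-- Only rows with a leftover authentication_string can hit the bug.
WHERE authentication_string <> ''
ORDER BY
    -- Conflicting accounts first, then alphabetical.
    (Password <> '' AND Password <> authentication_string) DESC,
    User,
    Host;
```

The query only reads mysql.user and changes nothing; the fixed releases listed above are 10.2.16 and 10.3.8.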



Comments
Comment by Elena Stepanova [ 2018-05-29 ]

Thanks for the bug report.
