[MDEV-25318] mysql_install_db.sh wrong instructions on how to set root password leading to passwordless root account. Created: 2021-04-01  Updated: 2021-04-01  Resolved: 2021-04-01

Status: Closed
Project: MariaDB Server
Component/s: Scripts & Clients
Affects Version/s: 10.2.37, 10.3.28
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Vytautas Bertasius Assignee: Sergei Golubchik
Resolution: Duplicate Votes: 0
Labels: None
Environment:

Centos7 and other linux

Issue Links:
Duplicate
is duplicated by MDEV-25326 mysql_install_db help text incomplete Closed

 Description   

During MariaDB 10.2 or 10.3 installation mysql_install_db.sh provides following instructions how to reset root password:

"PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
 
To do so, start the server, then issue the following commands:
 
 
 
'/usr/bin/mysqladmin' -u root password 'new-password'
 
'/usr/bin/mysqladmin' -u root -h hostname password 'new-password'
 
 
 
Alternatively you can run:
 
'/usr/bin/mysql_secure_installation'
 
 
 
which will also give you the option of removing the test
 
databases and anonymous user created by default.  This is
 
strongly recommended for production servers."
 
 
 
While mysql_secure_installation works as expected and changes ALL passwords, commands:
 
'/usr/bin/mysqladmin' -u root password 'new-password'
 
'/usr/bin/mysqladmin' -u root -h hostname password 'new-password'
 
 
 
DO NOT change ALL root passwords. Mysql user table after running commands:
 
MariaDB [(none)]> select Host,User,Password from mysql.user;
 
+----------------+------+-------------------------------------------+
 
| Host           | User | Password                                  |
 
+----------------+------+-------------------------------------------+
 
| localhost      | root | *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
 
| server6.tst.lt | root | *4A82FDF1D80BA7470BA2E17FEEFD5A53D5D3B762 |
 
| 127.0.0.1      | root |                                           |
 
| ::1            | root |                                           |
 
| localhost      |      |                                           |
 
| server6.tst.lt |      |                                           |
 
+----------------+------+-------------------------------------------+

So even if user follows the provided instruction how to set root password, there is still unprotected root user and it is CRITICAL vulnerability. IMO it is an important and misleading message and must be fixed, by providing instructions that works as expected.



 Comments   
Comment by Vytautas Bertasius [ 2021-04-01 ]

Many years ago MySQL was creating only two root users(root@localhost, root@hostname), e.g.
https://github.com/MariaDB/server/blob/307b7e85af741dd15af2a300b3344642dfa75d14/scripts/mysql_install_db.sh

And had the same recommendations how to change password during installation and it was correct at that time. But at some point it started to add more user(root@127.0.0.1, root@::1,), e,g.: https://github.com/MariaDB/server/blob/10.3/scripts/mysql_system_tables_data.sql

But recommendations on how to set root password during installation remained the same(https://github.com/MariaDB/server/blob/10.3/scripts/mysql_install_db.sh). And now it is misleading and dangerous. My suggestion is to remove recomendation set root password using these commands:
'/usr/bin/mysqladmin' -u root password 'new-password'
'/usr/bin/mysqladmin' -u root -h hostname password 'new-password'

Comment by Sergei Golubchik [ 2021-04-01 ]

Oh. Sorry. Following your email I've created an MDEV-25326 about it, I didn't know you've already done it.

Generated at Thu Feb 08 09:36:47 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.