[MDEV-9080] Debian: incorrect empty password check in postinst Created: 2015-11-04  Updated: 2015-11-06  Resolved: 2015-11-06

Status: Closed
Project: MariaDB Server
Component/s: Packaging, Platform Debian
Affects Version/s: 5.5, 10.0, 10.1
Fix Version/s: 10.1.9

Type: Bug Priority: Major
Reporter: Sergey Vojtovich Assignee: Sergey Vojtovich
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-8437 plugin variables conflict with bootst... Closed
Sprint: 10.1.9-2

 Description   

There's this code in debian/mariadb-server-10.1.postinst script:

# here we check to see if we can connect as root without a password
# this should catch upgrades from previous versions where the root
# password wasn't set.  if there is a password, or if the connection
# fails for any other reason, nothing happens.
if [ "$1" = "configure" ]; then
       if test_mysql_access; then
               db_input medium mysql-server/root_password || true
               db_go
               db_get mysql-server/root_password && rootpw="$RET"
 
               if ! set_mysql_rootpw "online"; then
                       password_error="yes"
               fi
       fi
 
       if [ "$password_error" = "yes" ]; then
               db_input high mysql-server/error_setting_password || true
               db_go
       fi
 
       # copy out any mysqld_safe settings
       systemd_conf=/etc/systemd/system/mariadb.service.d/migrated-from-my.cnf-settings.conf
       if [ -x /usr/bin/mariadb-service-convert -a ! -f "${systemd_conf}" ]; then
               mkdir -p /etc/systemd/system/mariadb.service.d
               /usr/bin/mariadb-service-convert > "${systemd_conf}"
       fi
fi

The purpose of this code is to check for empty root password, but it is wrong in many regards:

  • it is supposed to be executed against a running server, but at this point the server should be down, which makes this code a no-op
  • if the above is fixed, the root password will be requested twice (initial root password request + this one)
  • it asks for a password only once, while the "initial root password request" asks twice (password + password verification)
  • it may give a false positive if unix socket based authentication is in effect
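The description's first and last bullets are really one defect: the postinst treats "could not connect" and "connected" as the only two outcomes, so a stopped server looks like "password is set" and a unix_socket login looks like "no password". The following is an added example, not MariaDB's postinst code, showing how a POSIX sh probe can separate those cases. It assumes the client prints the standard "ERROR 2002/2003" (cannot connect) and "ERROR 1045" (access denied) messages, and that root@localhost's plugin column in mysql.user reads unix_socket when socket authentication is in effect (as in the 10.1 grant tables this issue concerns). The stub_* functions are constructed stand-ins for the real mysql client so the block runs offline; against a live system you would pass mysql instead.

```shell
#!/bin/sh
# Added example (not from the MariaDB postinst): classify a passwordless root
# probe instead of treating every failure as "a password is already set".
# The client command is a parameter so the constructed stubs below can drive it.

# Prints one of: open | socket | down | denied | unknown
classify_root_access() {
    client="$1"
    rc=0
    # Same connection the postinst check makes, plus one query that reveals
    # which auth plugin root@localhost uses.
    out=$("$client" --no-defaults -u root -N -B \
          -e "SELECT plugin FROM mysql.user WHERE User='root' AND Host='localhost'" 2>&1) || rc=$?
    if [ "$rc" -eq 0 ]; then
        case "$out" in
            unix_socket|auth_socket) echo socket ;; # logged in via the socket plugin, not an empty password
            *)                       echo open ;;   # genuinely passwordless root account
        esac
        return 0
    fi
    case "$out" in
        *"ERROR 2002"*|*"ERROR 2003"*) echo down ;;    # server unreachable: the probe cannot decide anything
        *"ERROR 1045"*)                echo denied ;;  # access denied: a password (or other auth) is in place
        *)                             echo unknown ;; # anything else must not be mistaken for "password set"
    esac
    return 0
}

# Only a verdict of "open" justifies prompting for a root password; "down"
# should be reported or the probe retried once the server is up, never
# silently swallowed as the original script does.
needs_root_password_prompt() {
    case "$(classify_root_access "$1")" in
        open) return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed stub clients reproducing the real client's output for each case.
stub_open()   { echo ""; }                      # 10.1 stores an empty plugin for native auth
stub_socket() { echo "unix_socket"; }
stub_down()   { echo "ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)" >&2; return 1; }
stub_denied() { echo "ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)" >&2; return 1; }

for c in stub_open stub_socket stub_down stub_denied; do
    printf '%s -> %s\n' "$c" "$(classify_root_access "$c")"
done
```

The important design choice is that "down" and "unknown" are distinct from "denied": a maintainer script that runs while the server is stopped, as the description says this one does, should notice that its check never ran rather than concluding that a password exists.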


 Comments   
Comment by Sergey Vojtovich [ 2015-11-04 ]

serg, looks like this didn't work even in 5.1. Should we remove this (really trivial) or attempt to fix it (this will take some time for testing)?

Comment by Sergei Golubchik [ 2015-11-04 ]

I'd remove it.

Comment by Sergey Vojtovich [ 2015-11-04 ]

serg, please review fix for this bug.

Comment by Sergey Vojtovich [ 2015-11-04 ]

Relevant revision is 2ef562d.

Comment by Sergey Vojtovich [ 2015-11-05 ]

Added to 10.1.9-2 as it was originally planned.

Generated at Thu Feb 08 07:31:59 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.