[MDEV-9532] Upgrade from galera-server-5.5.46 to galera-server-5.5.47 changes the root password Created: 2016-02-08 Updated: 2020-04-14 Resolved: 2020-04-14 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Authentication and Privilege System, Packaging, Platform Debian |
| Affects Version/s: | 5.5, 10.0, 10.1 |
| Fix Version/s: | N/A |
| Type: | Bug | Priority: | Major |
| Reporter: | Evan Jardine-Skinner | Assignee: | Otto Kekäläinen |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None | ||
| Environment: |
VirtualBox VM running Debian 7 |
||
| Attachments: |
general.basedebian.log.gz
general.clean.log.gz
general.log.gz
|
||||||||
| Issue Links: |
|
||||||||
| Description |
|
I have an install of Debian 7 with mariadb-galera 5.5.46 on it and have set a mysql root password, everything works fine. The folllowing behaviour is the same whether the machine is a standalone mariadb install or it if is clustered. I upgrade to mariadb-galera 5.5.47 (using dpkg directly and upgrading all the pre-reqs as well) and when the DB server restarts at the end of installing the mariadb-galera-5.5 package it changes all the root password lines in the mysql.user table. I was running a loop doing "cat /var/lib/mysql/mysql/user.MYD" and I could see the hash for all the root passwords change as soon as mysql started. This obviously leaves me unable to login to the DB as root. If I save the user.MYD file away, run the install and then put the old user.MYD back in place then I can use my root password to access the DB and further restarts of mariadb do NOT change the root password. Is there some flag I can pass to dpkg when it installs mariadb-galera-5.5 so that the root password does not get changed? |
| Comments |
| Comment by Elena Stepanova [ 2016-02-11 ] | ||||
|
Ev, Could you please enable general log in your config file before the upgrade, e.g.
then run the upgrade and attach the log? If it happens to have password values that you don't want to make public, you can obfuscate them, but we need to see the exact command that is executed. Upgrade is not supposed to do that, no flags should be necessary. | ||||
| Comment by Evan Jardine-Skinner [ 2016-02-12 ] | ||||
|
Attached: general.log.tz I'm afraid it doesn't look useful though. I see no queries affecting the user table and then as soon as version 5.5.47 starts I can see my automated processes getting a failed login for the root user: 50 Shutdown I will try this on a vanilla Debian 7 machine too and ensure I see the same behaviour. | ||||
| Comment by Evan Jardine-Skinner [ 2016-02-12 ] | ||||
|
Attached general.clean.log.gz which has all the automated process that access mysql turned off so the log is cleaner. Still the same result for me although you don;t see the mysql root user login failure until the end of the log file as that is when I tried to login manually. On a basic Debian 7 install, upgrading from mariadb 5.5.46 to 5.5.47 I cannot reproduce the problem and the root password stay intact. I will generate some logs for that too. | ||||
| Comment by Evan Jardine-Skinner [ 2016-02-12 ] | ||||
|
Attached general.basedebian.log.gz which shows the upgrade from 5.5.46 to 5.5.47 on a fresh Debian 7 install. Both the install that fail on the other VM and this install have /root/.my.cnf file with the root user name and password in it. There is not much difference between the log output, but the base Debian 7 install does not reset the root password. Is there any other logging that can be turned on? | ||||
| Comment by Elena Stepanova [ 2016-02-12 ] | ||||
|
Ev, Does the problem happen if you use apt-get rather than direct dpkg? It would be much easier to investigate if we had access to the VM where you experience the issue, do you think you could arrange that? If it's possible, my public ssh key is here: https://launchpad.net/~elenst/+sshkeys | ||||
| Comment by Evan Jardine-Skinner [ 2016-02-16 ] | ||||
|
It still happened using apt-get! I figured there could not be that many places in the mariadb source that were writing new root passwords, so I went looking for them and I found: debian/dist/Debian/mariadb-server-5.5.postinst contains: db_get mysql-server/root_password && rootpw="$RET" So it appears that upgrading mariadb goes and resets the root password to the one stored by debconf-set-selections at original install time. On my machine I has since changed that password thus my problem when the mariadb install reset it for me! So I have a better solution now than saving away the user table!! I can just ensure that the root password in the debconf database is set correctly before I upgrade mariadb, or maybe I can null it out and it will get ignored. I'll try that. Is this really working as designed though? | ||||
| Comment by Evan Jardine-Skinner [ 2016-02-16 ] | ||||
|
Simply removing the password from the debconf database (which for security is no bad thing of course) fixes the problem. | ||||
| Comment by Elena Stepanova [ 2016-02-22 ] | ||||
|
Indeed, it's reproducible for me too – if you change the password in debconf-set-selections, it's picked up by upgrade. Now, I am no expert in Debian tricks, so I don't know if it's supposed to be so. As a user, I would expect the setting from debconf-set-selections to be used when (and only when) a user would otherwise see the dialog screen inviting for the password; but apparently it's not so – if the password has already been set, the dialog does not appear upon upgrade, but the password from debconf is still used. I'll assign it to otto who is the expert to give his opinion. However, I'm not sure it needs to be fixed – as I understand, otto is anyway getting rid of this password setting upon installation, replacing it with socket authentication, for now in Debian packages, and I suppose sooner or later it will get to MariaDB packages as well. | ||||
| Comment by Otto Kekäläinen [ 2016-11-25 ] | ||||
|
This might be related to | ||||
| Comment by Otto Kekäläinen [ 2020-04-14 ] | ||||
|
I am closing this as "Won't fix" since we have had passwordless unix socket authentication since 10.4 and that is the "real" solution to get rid of password management in Debian maintainer scripts completely. |