Commit 7f6d8894 authored by Sergei Golubchik's avatar Sergei Golubchik

MDEV-12484 Enable unix socket authentication by default

Debian part. Do not ask to set a root password,
do not create debian-sys-maint user (but preserve an existing one
on upgrades - user scripts might be relying on it).

Just create an empty /etc/mysql/debian.cnf for --defaults-file not to fail
parent 132216fa
...@@ -2,12 +2,7 @@ ...@@ -2,12 +2,7 @@
============================= =============================
You may never ever delete the mysql user "root". Although it has no password You may never ever delete the mysql user "root". Although it has no password
is set, the unix_auth plugin ensure that it can only be run locally as the root is set, the unix_auth plugin ensure that it can only be run locally as the root
user. The credentials in /etc/mysql/debian.cnf specify the user are used by the user.
init scripts to stop the server and perform logrotation. So in most of the
time you can fix the situation by making sure that the /etc/mysql/debian.cnf
file specifies the root user and no password.
This used to be the debian-sys-maint user which is no longer used.
* WHAT TO DO AFTER UPGRADES: * WHAT TO DO AFTER UPGRADES:
============================ ============================
...@@ -57,7 +52,13 @@ the DB server over the network: ...@@ -57,7 +52,13 @@ the DB server over the network:
sudo /usr/bin/mysql -e "GRANT ALL ON *.* TO 'USERNAME'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION" sudo /usr/bin/mysql -e "GRANT ALL ON *.* TO 'USERNAME'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION"
Scripts should run as a user have the required grants and be identified via unix_socket. Scripts should run as a user have the required grants and be authenticated via
unix_socket.
It is wise to run scripts as the "mysql" system user. Like root,
mysql@localhost is created by default to have all privileges in MariaDB
and to use unix_socket authentication. But scripts running under "mysql"
won't have system-wide root so they won't be able to corrupt your system.
If you are too tired to type the password in every time and unix_socket auth If you are too tired to type the password in every time and unix_socket auth
doesn't suit your needs, you can store it in the file $HOME/.my.cnf. It should doesn't suit your needs, you can store it in the file $HOME/.my.cnf. It should
...@@ -67,18 +68,6 @@ can read it. Every other configuration parameter can be stored there, too. ...@@ -67,18 +68,6 @@ can read it. Every other configuration parameter can be stored there, too.
For more information in the MariaDB manual in/usr/share/doc/mariadb-doc or For more information in the MariaDB manual in/usr/share/doc/mariadb-doc or
https://mariadb.com/kb/en/configuring-mariadb-with-mycnf/. https://mariadb.com/kb/en/configuring-mariadb-with-mycnf/.
ATTENTION: It is necessary, that a ~/.my.cnf from root always contains a "user"
line wherever there is a "password" line, else, the Debian maintenance
scripts, that use /etc/mysql/debian.cnf, will use the username
"root" but the password that is in root's .my.cnf. Also note,
that every change you make in the /root/.my.cnf will affect the mysql cron
script, too.
# an example of $HOME/.my.cnf
[client]
user = your-mysql-username
password = enter-your-good-new-password-here
* FURTHER NOTES ON REPLICATION * FURTHER NOTES ON REPLICATION
=============================== ===============================
If the MySQL server is acting as a replication slave, you should not If the MySQL server is acting as a replication slave, you should not
......
...@@ -12,34 +12,3 @@ if test -n "`which ypwhich 2>/dev/null`" && ypwhich >/dev/null 2>&1; then ...@@ -12,34 +12,3 @@ if test -n "`which ypwhich 2>/dev/null`" && ypwhich >/dev/null 2>&1; then
db_input high mariadb-server-10.0/nis_warning || true db_input high mariadb-server-10.0/nis_warning || true
db_go db_go
fi fi
# only ask this question on fresh installs, during "reconfiguration" and when
# not upgrading from an existing 5.0 installation.
# there is also an additional check for empty root passwords in the
# postinst script when the tools are available for us to use.
if [ "$1" = "configure" ] && ([ -z "$2" ] && [ ! -e "/var/lib/mysql/debian-5.0.flag" ] ) || [ "$1" = "reconfigure" ]; then
while :; do
RET=""
db_input high mysql-server/root_password || true
db_go
db_get mysql-server/root_password
# if password isn't empty we ask for password verification
if [ -z "$RET" ]; then
db_fset mysql-server/root_password seen false
db_fset mysql-server/root_password_again seen false
break
fi
ROOT_PW="$RET"
db_input high mysql-server/root_password_again || true
db_go
db_get mysql-server/root_password_again
if [ "$RET" == "$ROOT_PW" ]; then
ROOT_PW=''
break
fi
db_fset mysql-server/password_mismatch seen false
db_input critical mysql-server/password_mismatch
db_set mysql-server/root_password ""
db_set mysql-server/root_password_again ""
db_go
done
fi
...@@ -24,47 +24,6 @@ invoke() { ...@@ -24,47 +24,6 @@ invoke() {
fi fi
} }
MYSQL_BOOTSTRAP="/usr/sbin/mysqld --bootstrap --user=mysql --disable-log-bin --skip-grant-tables --default-storage-engine=myisam"
have_global_priv_table=
set_mysql_rootpw() {
# forget we ever saw the password. don't use reset to keep the seen status
db_set mysql-server/root_password ""
db_set mysql-server/root_password_again ""
tfile=`mktemp`
if [ ! -f "$tfile" ]; then
return 1
fi
cat << EOF > $tfile
USE mysql;
SET sql_log_bin=0;
EOF
if test -n "$have_global_priv_table"; then
cat << EOF >> $tfile
UPDATE global_priv SET priv=json_set(priv, '$.plugin', 'mysql_native_password', '$.authentication_string', PASSWORD("$rootpw")) WHERE user='root';
EOF
else
cat << EOF >> $tfile
UPDATE user SET password=PASSWORD("$rootpw") WHERE user='root';
EOF
fi
cat << EOF >> $tfile
FLUSH PRIVILEGES;
EOF
# this avoids us having to call "test" or "[" on $rootpw
if grep -q 'PASSWORD("")' $tfile; then
retval=0
else
$MYSQL_BOOTSTRAP <$tfile
retval=$?
fi
rm -f $tfile
return $retval
}
case "$1" in case "$1" in
configure) configure)
# This is needed because mysql_install_db removes the pid file in /var/run # This is needed because mysql_install_db removes the pid file in /var/run
...@@ -161,91 +120,25 @@ EOF ...@@ -161,91 +120,25 @@ EOF
$ERR_LOGGER $ERR_LOGGER
set -e set -e
if test -f $mysql_datadir/mysql/global_priv.frm; then
have_global_priv_table=yes
fi
# To avoid downgrades. # To avoid downgrades.
touch $mysql_statedir/debian-$VER.flag touch $mysql_statedir/debian-$VER.flag
## On every reconfiguration the maintenance user is recreated. # On new installations root user can connect via unix_socket.
# # But on upgrades, scripts rely on debian-sys-maint user and
# - It is easier to regenerate the password every time but as people # credentials in /etc/mysql/debian.cnf
# use fancy rsync scripts and file alteration monitors, the existing # All tools use --defaults-file=/etc/mysql/debian.cnf
# password is used and existing files not touched. # And while it's not needed for new installations, we keep using
# - The mysqld statement is like that in mysql_install_db because the # --defaults-file option for tools (for the sake of upgrades)
# server is not already running. This has some implications: # and thus need /etc/mysql/debian.cnf to exist, even if it's empty.
# - The amount of newlines and semicolons in the query is important!
# - GRANT is not possible with --skip-grant-tables and "INSERT
# (user,host..) VALUES" is not --ansi compliant
# - The echo is just for readability. ash's buildin has no "-e" so use /bin/echo.
# - The Super_priv, Show_db_priv, Create_tmp_table_priv and Lock_tables_priv
# may not be present as old Woody 3.23 databases did not have it and the
# admin might not already have run mysql_upgrade which adds them.
# As the binlog cron scripts to need at least the Super_priv, I do first
# the old query which always succeeds and then the new which may or may not.
# recreate the credentials file if not present or without mysql_upgrade stanza
dc=$mysql_cfgdir/debian.cnf; dc=$mysql_cfgdir/debian.cnf;
if [ -e "$dc" -a -n "`fgrep mysql_upgrade $dc 2>/dev/null`" ]; then if [ ! -e "$dc" ]; then
pass="`sed -n 's/^[ ]*password *= *// p' $dc | head -n 1`"
else
pass=`perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'`;
if [ ! -d "$mysql_cfgdir" ]; then install -o 0 -g 0 -m 0755 -d $mysql_cfgdir; fi
umask 066
cat /dev/null > $dc cat /dev/null > $dc
umask 022
echo "# Automatically generated for Debian scripts. DO NOT TOUCH!" >>$dc echo "# Automatically generated for Debian scripts. DO NOT TOUCH!" >>$dc
echo "[client]" >>$dc
echo "host = localhost" >>$dc
echo "user = debian-sys-maint" >>$dc
echo "password = $pass" >>$dc
echo "socket = $mysql_rundir/mysqld.sock" >>$dc
echo "[mysql_upgrade]" >>$dc
echo "host = localhost" >>$dc
echo "user = debian-sys-maint" >>$dc
echo "password = $pass" >>$dc
echo "socket = $mysql_rundir/mysqld.sock" >>$dc
echo "basedir = /usr" >>$dc
fi fi
# If this dir chmod go+w then the admin did it. But this file should not. # Keep it only root-readable, as it always was
chown 0:0 $dc chown 0:0 $dc
chmod 0600 $dc chmod 0600 $dc
if test -n "$have_global_priv_table"; then
replace_query=`/bin/echo -e \
"USE mysql;\n" \
"SELECT json_object('access',cast(-1 as unsigned), " \
"'plugin', 'mysql_native_password', " \
"'authentication_string', password('$pass')) INTO @all_privileges;\n"\
"REPLACE global_priv VALUES ('localhost', 'debian-sys-maint', @all_privileges);"`
else
replace_query=`/bin/echo -e \
"USE mysql;\n" \
"SET sql_mode='';\n" \
"REPLACE INTO user SET " \
" host='localhost', user='debian-sys-maint', password=password('$pass'), " \
" Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', " \
" Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', " \
" Process_priv='Y', File_priv='Y', Grant_priv='Y', References_priv='Y', " \
" Index_priv='Y', Alter_priv='Y', Super_priv='Y', Show_db_priv='Y', "\
" Create_tmp_table_priv='Y', Lock_tables_priv='Y', Execute_priv='Y', "\
" Repl_slave_priv='Y', Repl_client_priv='Y', Create_view_priv='Y', "\
" Show_view_priv='Y', Create_routine_priv='Y', Alter_routine_priv='Y', "\
" Create_user_priv='Y', Event_priv='Y', Trigger_priv='Y',"\
" ssl_cipher='', x509_issuer='', x509_subject='';"`;
fi
db_get mysql-server/root_password && rootpw="$RET"
if ! set_mysql_rootpw; then
db_input high mysql-server/error_setting_password || true
db_go
fi
set +e
echo "$replace_query" | $MYSQL_BOOTSTRAP 2>&1 | $ERR_LOGGER
set -e
# If there is a real AppArmor profile, we reload it. # If there is a real AppArmor profile, we reload it.
# If the default empty profile is installed, then we remove any old # If the default empty profile is installed, then we remove any old
# profile that may be loaded. # profile that may be loaded.
......
...@@ -13,7 +13,6 @@ if [ -n "$DEBIAN_SCRIPT_DEBUG" ]; then set -v -x; DEBIAN_SCRIPT_TRACE=1; fi ...@@ -13,7 +13,6 @@ if [ -n "$DEBIAN_SCRIPT_DEBUG" ]; then set -v -x; DEBIAN_SCRIPT_TRACE=1; fi
${DEBIAN_SCRIPT_TRACE:+ echo "#42#DEBUG# RUNNING $0 $*" 1>&2 } ${DEBIAN_SCRIPT_TRACE:+ echo "#42#DEBUG# RUNNING $0 $*" 1>&2 }
export PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin export PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin
MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf"
mysql_datadir=/var/lib/mysql mysql_datadir=/var/lib/mysql
mysql_upgradedir=/var/lib/mysql-upgrade mysql_upgradedir=/var/lib/mysql-upgrade
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment