mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-29 02:05:57 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDEV-12484 Enable unix socket authentication by default

Browse source 
Debian part. Do not ask to set a root password,
do not create debian-sys-maint user (but preserve an existing one
on upgrades - user scripts might be relying on it).

Just create an empty /etc/mysql/debian.cnf for --defaults-file not to fail
This commit is contained in:
Sergei Golubchik 2019-02-20 16:39:48 +01:00
parent 132216faf7
commit 7f6d88944c
4 changed files with 17 additions and 167 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
debian/mariadb-server-10.4.README.Debian vendored
View file

@ -2,12 +2,7 @@
=============================
You may never ever delete the mysql user "root". Although it has no password
is set, the unix_auth plugin ensure that it can only be run locally as the root
user. The credentials in /etc/mysql/debian.cnf specify the user are used by the
init scripts to stop the server and perform logrotation. So in most of the
time you can fix the situation by making sure that the /etc/mysql/debian.cnf
file specifies the root user and no password.
This used to be the debian-sys-maint user which is no longer used.
user.
* WHAT TO DO AFTER UPGRADES:
============================
@ -57,7 +52,13 @@ the DB server over the network:
sudo /usr/bin/mysql -e "GRANT ALL ON *.* TO 'USERNAME'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION"
Scripts should run as a user have the required grants and be identified via unix_socket.
Scripts should run as a user have the required grants and be authenticated via
unix_socket.
It is wise to run scripts as the "mysql" system user. Like root,
mysql@localhost is created by default to have all privileges in MariaDB
and to use unix_socket authentication. But scripts running under "mysql"
won't have system-wide root so they won't be able to corrupt your system.
If you are too tired to type the password in every time and unix_socket auth
doesn't suit your needs, you can store it in the file $HOME/.my.cnf. It should
@ -67,18 +68,6 @@ can read it. Every other configuration parameter can be stored there, too.
For more information in the MariaDB manual in/usr/share/doc/mariadb-doc or
https://mariadb.com/kb/en/configuring-mariadb-with-mycnf/.
ATTENTION: It is necessary, that a ~/.my.cnf from root always contains a "user"
line wherever there is a "password" line, else, the Debian maintenance
scripts, that use /etc/mysql/debian.cnf, will use the username
"root" but the password that is in root's .my.cnf. Also note,
that every change you make in the /root/.my.cnf will affect the mysql cron
script, too.
# an example of $HOME/.my.cnf
[client]
user = your-mysql-username
password = enter-your-good-new-password-here
* FURTHER NOTES ON REPLICATION
===============================
If the MySQL server is acting as a replication slave, you should not

31
debian/mariadb-server-10.4.config vendored
View file

@ -12,34 +12,3 @@ if test -n "`which ypwhich 2>/dev/null`" && ypwhich >/dev/null 2>&1; then
db_input high mariadb-server-10.0/nis_warning || true
db_go
fi
# only ask this question on fresh installs, during "reconfiguration" and when
# not upgrading from an existing 5.0 installation.
# there is also an additional check for empty root passwords in the
# postinst script when the tools are available for us to use.
if [ "$1" = "configure" ] && ([ -z "$2" ] && [ ! -e "/var/lib/mysql/debian-5.0.flag" ] ) || [ "$1" = "reconfigure" ]; then
while :; do
RET=""
db_input high mysql-server/root_password || true
db_go
db_get mysql-server/root_password
# if password isn't empty we ask for password verification
if [ -z "$RET" ]; then
db_fset mysql-server/root_password seen false
db_fset mysql-server/root_password_again seen false
break
fi
ROOT_PW="$RET"
db_input high mysql-server/root_password_again || true
db_go
db_get mysql-server/root_password_again
if [ "$RET" == "$ROOT_PW" ]; then
ROOT_PW=''
break
fi
db_fset mysql-server/password_mismatch seen false
db_input critical mysql-server/password_mismatch
db_set mysql-server/root_password ""
db_set mysql-server/root_password_again ""
db_go
done
fi

125
debian/mariadb-server-10.4.postinst vendored
View file

@ -24,47 +24,6 @@ invoke() {
fi
}
MYSQL_BOOTSTRAP="/usr/sbin/mysqld --bootstrap --user=mysql --disable-log-bin --skip-grant-tables --default-storage-engine=myisam"
have_global_priv_table=
set_mysql_rootpw() {
# forget we ever saw the password. don't use reset to keep the seen status
db_set mysql-server/root_password ""
db_set mysql-server/root_password_again ""
tfile=`mktemp`
if [ ! -f "$tfile" ]; then
return 1
fi
cat << EOF > $tfile
USE mysql;
SET sql_log_bin=0;
EOF
if test -n "$have_global_priv_table"; then
cat << EOF >> $tfile
UPDATE global_priv SET priv=json_set(priv, '$.plugin', 'mysql_native_password', '$.authentication_string', PASSWORD("$rootpw")) WHERE user='root';
EOF
else
cat << EOF >> $tfile
UPDATE user SET password=PASSWORD("$rootpw") WHERE user='root';
EOF
fi
cat << EOF >> $tfile
FLUSH PRIVILEGES;
EOF
# this avoids us having to call "test" or "[" on $rootpw
if grep -q 'PASSWORD("")' $tfile; then
retval=0
else
$MYSQL_BOOTSTRAP <$tfile
retval=$?
fi
rm -f $tfile
return $retval
}
case "$1" in
configure)
# This is needed because mysql_install_db removes the pid file in /var/run
@ -161,91 +120,25 @@ EOF
$ERR_LOGGER
set -e
if test -f $mysql_datadir/mysql/global_priv.frm; then
have_global_priv_table=yes
fi
# To avoid downgrades.
touch $mysql_statedir/debian-$VER.flag
## On every reconfiguration the maintenance user is recreated.
#
# - It is easier to regenerate the password every time but as people
# use fancy rsync scripts and file alteration monitors, the existing
# password is used and existing files not touched.
# - The mysqld statement is like that in mysql_install_db because the
# server is not already running. This has some implications:
# - The amount of newlines and semicolons in the query is important!
# - GRANT is not possible with --skip-grant-tables and "INSERT
# (user,host..) VALUES" is not --ansi compliant
# - The echo is just for readability. ash's buildin has no "-e" so use /bin/echo.
# - The Super_priv, Show_db_priv, Create_tmp_table_priv and Lock_tables_priv
# may not be present as old Woody 3.23 databases did not have it and the
# admin might not already have run mysql_upgrade which adds them.
# As the binlog cron scripts to need at least the Super_priv, I do first
# the old query which always succeeds and then the new which may or may not.
# recreate the credentials file if not present or without mysql_upgrade stanza
# On new installations root user can connect via unix_socket.
# But on upgrades, scripts rely on debian-sys-maint user and
# credentials in /etc/mysql/debian.cnf
# All tools use --defaults-file=/etc/mysql/debian.cnf
# And while it's not needed for new installations, we keep using
# --defaults-file option for tools (for the sake of upgrades)
# and thus need /etc/mysql/debian.cnf to exist, even if it's empty.
dc=$mysql_cfgdir/debian.cnf;
if [ -e "$dc" -a -n "`fgrep mysql_upgrade $dc 2>/dev/null`" ]; then
pass="`sed -n 's/^[ ]*password *= *// p' $dc | head -n 1`"
else
pass=`perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'`;
if [ ! -d "$mysql_cfgdir" ]; then install -o 0 -g 0 -m 0755 -d $mysql_cfgdir; fi
umask 066
if [ ! -e "$dc" ]; then
cat /dev/null > $dc
umask 022
echo "# Automatically generated for Debian scripts. DO NOT TOUCH!" >>$dc
echo "[client]" >>$dc
echo "host = localhost" >>$dc
echo "user = debian-sys-maint" >>$dc
echo "password = $pass" >>$dc
echo "socket = $mysql_rundir/mysqld.sock" >>$dc
echo "[mysql_upgrade]" >>$dc
echo "host = localhost" >>$dc
echo "user = debian-sys-maint" >>$dc
echo "password = $pass" >>$dc
echo "socket = $mysql_rundir/mysqld.sock" >>$dc
echo "basedir = /usr" >>$dc
fi
# If this dir chmod go+w then the admin did it. But this file should not.
# Keep it only root-readable, as it always was
chown 0:0 $dc
chmod 0600 $dc
if test -n "$have_global_priv_table"; then
replace_query=`/bin/echo -e \
"USE mysql;\n" \
"SELECT json_object('access',cast(-1 as unsigned), " \
"'plugin', 'mysql_native_password', " \
"'authentication_string', password('$pass')) INTO @all_privileges;\n"\
"REPLACE global_priv VALUES ('localhost', 'debian-sys-maint', @all_privileges);"`
else
replace_query=`/bin/echo -e \
"USE mysql;\n" \
"SET sql_mode='';\n" \
"REPLACE INTO user SET " \
" host='localhost', user='debian-sys-maint', password=password('$pass'), " \
" Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', " \
" Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', " \
" Process_priv='Y', File_priv='Y', Grant_priv='Y', References_priv='Y', " \
" Index_priv='Y', Alter_priv='Y', Super_priv='Y', Show_db_priv='Y', "\
" Create_tmp_table_priv='Y', Lock_tables_priv='Y', Execute_priv='Y', "\
" Repl_slave_priv='Y', Repl_client_priv='Y', Create_view_priv='Y', "\
" Show_view_priv='Y', Create_routine_priv='Y', Alter_routine_priv='Y', "\
" Create_user_priv='Y', Event_priv='Y', Trigger_priv='Y',"\
" ssl_cipher='', x509_issuer='', x509_subject='';"`;
fi
db_get mysql-server/root_password && rootpw="$RET"
if ! set_mysql_rootpw; then
db_input high mysql-server/error_setting_password || true
db_go
fi
set +e
echo "$replace_query" | $MYSQL_BOOTSTRAP 2>&1 | $ERR_LOGGER
set -e
# If there is a real AppArmor profile, we reload it.
# If the default empty profile is installed, then we remove any old
# profile that may be loaded.

1
debian/mariadb-server-10.4.preinst vendored
View file

@ -13,7 +13,6 @@ if [ -n "$DEBIAN_SCRIPT_DEBUG" ]; then set -v -x; DEBIAN_SCRIPT_TRACE=1; fi
${DEBIAN_SCRIPT_TRACE:+ echo "#42#DEBUG# RUNNING $0 $*" 1>&2 }
export PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin
MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf"
mysql_datadir=/var/lib/mysql
mysql_upgradedir=/var/lib/mysql-upgrade