In Debian, the default install is made more secure by omitting the anonymous
user and by making the root account authenticate by unix socket
authentication instead of the default password-less root. However, Debian
hard-codes this change in mysql_install_db, which breaks that program for
other users.
This commit instead implements new general options for mysql_install_db that
can be used by anyone to similarly perform a more secure install:
--skip-auth-anonymous-user: omits the anonymous user.
--auth-root-authentication-method=normal: Keeps the existing behaviour
with a password-less root account. Currently on by default.
--auth-root-socket-user=USER
--auth-root-authentication-method=socket: creates the MariaDB root user
with the name USER (defaults to 'root') and using unix socket
authentication. This way, only that user has MariaDB root access
after install.
The idea with --auth-root-authentication-method=normal is that
applications that need this behaviour can give that option explicitly.
Then eventually we could make --auth-root-authentication-method=socket
the default, giving a more secure default installation.
Note that it is perfectly possible to do a secure install with
--auth-root-authentication-method=normal. For example, installing a
private server just for local access by a single OS-level user, by
using --skip-networking and putting the connection socket in a
location without public access. So it is important to preserve this
API for backwards compatibility.
* Out of tree build: mysql_install_db to see all .sql files
Since MDEV-7875 (da0991c6), not all sql source files are in the source
directory, maria_add_gis_sp_bootstrap.sql is in the build directory.
This corrects mysql_install_db{.sh} to be aware of the differing
locations.
Signed-off-by: Daniel Black <daniel.black@au.ibm.com>
* Out of tree build: scripts/mysql_install_db.pl.in
Signed-off-by: Daniel Black <daniel.black@au.ibm.com>
* Fix undefined database test error when running mysql_install_db
When using mariaDb in docker mode it can fail as it calls mysql_install_db but as we are going through a slightly different install process the test database has not been created, therefore we should fall back to the mysql database as per https://mariadb.com/kb/en/mariadb/mariadb-10112-mysql_install_db-aborts-on-unkown-file-test/
* Also fix mysql_install_db.pl.in
- Removed some QQ markers
- Removed some rows not compatible with valgrind 3.9.0
- Made mysql_install_db.sh more silent by default. --verbose now gives more information
- Added assert that auto-increment doesn't generate 0 (safety)
- Removed thd->set_time() in some places as it's set in init_for_queries()
- Fixed some --big tests in tokudb
- Fixed a bug in mysql_client_test.cc where sql_mode was not properly reset
When building RPMs and using the "rpmbuild" automatic scanning for
Perl dependencies, it might interpret "use hostnames" in the
"mysql_config.pl" script usage comment as a Perl "use" statement.
And then makes the resulting RPMs depends on a non-existing module
Perl "hostnames". The comment was changed to prevent this.
MDEV-6281 Typo in mysql_install_db scripts
and collateral changes:
* remove mysql_tableinfo.1 and references to it (there's no mysql_tableinfo)
* for debian: create manpages for mysqlrepair, mysqlanalyze, mysqloptimize
(as symlinks for mysqlcheck.1, just as executables are symlinks to mysqlcheck)
* remove mysqlmanager.8 and references to it
* correct "very long line" error in mysqladmin.1
* simplify and fix table formatting in mysqlbinlog.1 and mysqldump.1
* fix a typo in the help text in mysql_install_db
* aria_chk: say "for Linux on x86_64", like other tools do
(not "for Linux at x86_64")
* add simple manpages for aria_* utilities
mysql_upgrade --help now also prints out --default options and variable values.
mysql_upgrade now prints permission errors.
mysql_upgrade doesn't print some non essential info if --silent is used.
Added handler error message about incompatible versions
Fixed that mysqlbug and mysql_install_db have the executable flag set.
Removed executable flag for some non executable files.
Changed in mysql_install_db askmonty.org to mariadb.com.
Ensured that all client executables prints --default options the same way.
Allow REPAIR ... USE_FRM for old .frm files if the are still compatible.
Extended shown error for storage engine messages.
client/mysql.cc:
print_defaults() should be first (as in all other programs)
client/mysql_upgrade.c:
--help now also prints out --default options and variable values
Print out error if wrong permissions
Don't print info if --silent
client/mysqladmin.cc:
print_defaults() should be first (as in all other programs)
client/mysqlbinlog.cc:
Added print_defaults() to --help
client/mysqlcheck.c:
Added empty line in --help
client/mysqlimport.c:
Added empty line in --help
client/mysqlshow.c:
Made --help compatible
client/mysqlslap.c:
Made --help compatible
client/mysqltest.cc:
Added print_defaults() to --help
include/handler_ername.h:
Added handler error message
include/my_base.h:
Added handler error message
mysql-test/r/mysql_upgrade.result:
Updated results
mysql-test/r/repair.result:
Added test case for better error messages
mysql-test/std_data/host_old.MYD:
Added test case for better error messages
mysql-test/std_data/host_old.MYI:
Added test case for better error messages
mysql-test/std_data/host_old.frm:
Added test case for better error messages
mysql-test/t/repair.test:
Added test case for better error messages
mysys/my_handler_errors.h:
Added handler error message
scripts/CMakeLists.txt:
Fixed that mysqlbug and mysql_install_db have the executable flag set
scripts/mysql_install_db.sh:
askmonty.org -> mariadb.com
sql/ha_partition.cc:
Sometimes table_type() can be called for errors even if partition didn't manage to open any files
sql/handler.cc:
Write clear text for not handled, but defined error messages.
sql/share/errmsg-utf8.txt:
Extended shown error for storage engine messages
sql/sql_admin.cc:
Allow REPAIR ... USE_FRM for old .frm files if the are still compatible
storage/myisam/ha_myisam.cc:
Use new error message
Merge of 10.0-mdev26 feature tree into 10.0-base.
Global transaction ID is prepended to each event group in the binlog.
Slave connect can request to start from GTID position instead of specifying
file name/offset of master binlog. This facilitates easy switch to a new
master.
Slave GTID state is stored in a table mysql.rpl_slave_state, which can be
InnoDB to get crash-safe slave state.
GTID includes a replication domain ID, allowing to keep track of distinct
positions for each of multiple masters.
Moved out creation of performance schema tables from mysql_system_tables.sql as
the performance_tables creation scripts needs a working mysql.proc to work.
client/mysql_upgrade.c:
Added option -V, --version
debian/dist/Debian/mariadb-server-5.5.files:
Added mysql_performance_tables.sql
debian/dist/Ubuntu/mariadb-server-5.5.files:
Added mysql_performance_tables.sql
mysql-test/lib/v1/mysql-test-run.pl:
Added mysql_performance_tables.sql
mysql-test/mysql-test-run.pl:
Added mysql_performance_tables.sql
scripts/CMakeLists.txt:
Moved out creation of performance schema tables from mysql_system_tables.sql
as the performance_tables creation scripts needs a working mysql.proc to work
scripts/mysql_install_db.sh:
Added mysql_performance_tables.sql
scripts/mysql_performance_tables.sql:
Moved out creation of performance schema tables from mysql_system_tables.sql
as the performance_tables creation scripts needs a working mysql.proc to work
scripts/mysql_system_tables.sql:
Move creation of performance schema tables to mysql_performance_tables.sql
Added 'flush tables' to get things to work if someone deletes a table like mysql.proc before run
scripts/mysql_system_tables_fix.sql:
ove performance table things to mysql_performance_tables.sql
storage/perfschema/pfs.cc:
Fixed comment
