MySQL user 'root' without password is fine?!
Robert Scheck
fedora-list.listman at linuxnetz.de
Mon Nov 3 21:58:23 UTC 2003
Hello,
playing around with the latest MySQL from Rawhide, I noticed that there is
a bug or a problem in the new MySQL init script.
My "problem" was that I had set a password for the MySQL user 'root', and so
the original new init script fails.
I posted that at bugzilla; my posting is closed now, because supposedly all
works fine and it isn't a problem...
I personally think that's brash!
It is a pity that the bugzilla report can only be read by the group
'rhnpm', so I took the liberty of posting it here again ;-)
BTW: The original report was: #108779
If I read everything correctly, you don't need a password for the MySQL user
'root' - that's fine and it's not a security hole - really nice! :-/
On a test system with Fedora Core 1 installed and the current mysql - NOTHING
changed:
mysql> SELECT HOST,USER,PASSWORD FROM user;
+-------------+------+----------+
| HOST        | USER | PASSWORD |
+-------------+------+----------+
| localhost   | root |          |
| sirendipity | root |          |
| localhost   |      |          |
| sirendipity |      |          |
+-------------+------+----------+
4 rows in set (0.01 sec)
$ netstat -alpen | grep mysql
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 0 346662 19079/mysqld
It's good to know that there isn't any security problem here, either.
10.0.0.2 = sirendipity
# mysql -h 10.0.0.2 -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 3.23.58
So root still has to set a password, as you can read at SecurityFocus:
http://www.securityfocus.com/infocus/1726
I actually interpret the current default configuration of mysql and the
init script as an outright misconfiguration.
In my eyes NOTHING is okay - that doesn't fit with the other Red Hat security
patches and settings!
So what's up?! Could someone explain to me why my message was handled so
wrongly?
--- snipp from Bugzilla #108779 ---
Opened by (Robert Scheck) on 2003-11-01 16:56
Description of problem, how reproducible and steps to reproduce:
# service mysqld restart
Stopping MySQL: [ OK ]
Timeout error occurred trying to start MySQL Daemon.
Starting MySQL: [FAILED]
#
It only displays an error, but mysqld is alive!
Version-Release number of selected component (if applicable):
mysql-3.23.58-4
Actual results:
If I do a mysqladmin ping on my system I get the following:
# mysqladmin ping
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user: 'root at localhost' (Using password: NO)'
#
I have to use a password:
# mysqladmin -u root -p ping
Enter password:
mysqld is alive
#
Or I have to use the MySQL user:
# mysqladmin -u mysqld ping
mysqld is alive
#
Expected results and additional info:
The error is caused by that section:
> # Spin for a maximum of ten seconds waiting for the server to come up
> if [ $ret -eq 0 ]; then
>     for x in 1 2 3 4 5 6 7 8 9 10; do
>         if [ -n "`/usr/bin/mysqladmin ping 2> /dev/null`" ]; then
>             break;
>         else
>             sleep 1;
>         fi
>     done
>     if !([ -n "`/usr/bin/mysqladmin ping 2> /dev/null`" ]); then
>         echo "Timeout error occurred trying to start MySQL Daemon."
>         action $"Starting $prog: " /bin/false
>     else
>         action $"Starting $prog: " /bin/true
>     fi
> else
>     action $"Starting $prog: " /bin/false
> fi
You can't do it that way - you've seen it above!
I added a new init script solving that problem.
And I think it's ugly to use "2> /dev/null" in a Bash script...
---
Additional Comment #1 From Robert Scheck on 2003-11-01 17:02
Created an attachment (id=95652)
Fix for mysqld for /etc/init.d
---
Additional Comment #2 From Kim Ho on 2003-11-03 11:20
I am having problems reproducing this problem.
[root at tomaluk init.d]# service mysqld start
Initializing MySQL database: [ OK ]
Starting MySQL: [ OK ]
[root at tomaluk init.d]# mysqladmin ping
mysqld is alive
[root at tomaluk init.d]#
[root at tomaluk init.d]# service mysqld restart
Stopping MySQL: [ OK ]
Starting MySQL: [ OK ]
[root at tomaluk init.d]# service mysqld stop
Stopping MySQL: [ OK ]
[root at tomaluk init.d]#
The only way I was able to reproduce it was:
mysql> select user,host from user;
+------+----------------------------+
| user | host                       |
+------+----------------------------+
|      | localhost                  |
| root | localhost                  |
|      | tomaluk.toronto.redhat.com |
| root | tomaluk.toronto.redhat.com |
+------+----------------------------+
4 rows in set (0.00 sec)
mysql> delete from user where user='';
Query OK, 2 rows affected (0.00 sec)
mysql> \q
Bye
[root at tomaluk init.d]# mysqladmin ping
mysqld is alive
[root at tomaluk init.d]# service mysqld restart
Stopping MySQL: [ OK ]
Timeout error occurred trying to start MySQL Daemon.
Starting MySQL: [FAILED]
[root at tomaluk init.d]# mysqladmin -u root ping
mysqld is alive
Please let me know if the users in mysql have been changed. (e.g. the
removal of anonymous users)
---
Additional Comment #3 From Robert Scheck on 2003-11-03 11:37
mysql> select user,host from user;
+---------+-----------+
| user    | host      |
+---------+-----------+
| root    | hurricane |
|         | localhost |
+---------+-----------+
Well, I only gave root a password...
And it's correct to give mysql-root a password, because that is explicitly
written in the mysql documentation!
---
Additional Comment #4 From Robert Scheck on 2003-11-03 11:45
Have a look at the documentation:
http://www.mysql.de/doc/en/Default_privileges.html
---
Additional Comment #5 From Kim Ho on 2003-11-03 14:05
The defaults work fine.
If you change the settings, then you will have to make the appropriate
changes in the scripts.
---
Additional Comment #6 From Robert Scheck on 2003-11-03 15:38
The default works fine, as long as the admin doesn't change the password
for the mysql root user.
But as described in the MySQL admin documentation, everybody _must_ change
this, in order to close a security hole:
> Because your installation is initially wide open, one of the first
> things you should do is specify a password for the MySQL root user.
> You can do this as follows (note that you specify the password
> using the PASSWORD() function):
> Try mysql -u root. If you are able to connect successfully to the
> server without being asked for a password, you have problems.
> Anyone can connect to your MySQL server as the MySQL root user with
> full privileges! Review the MySQL installation instructions, paying
> particular attention to the item about setting a root password.
One solution would be to create a "dummy" mysql user restricted to
localhost and with no rights.
Another solution would be to remove the new changes and to live without a
check whether the mysql server runs or not.
And could you please remove the binding in bugzilla to the group rhnpm?
Thank you very much. I think that's interesting for other users, too.
---
Additional Comment #7 From Kim Ho on 2003-11-03 15:54
No.. if everyone _HAS TO_ change this, it would have been part of
setting up MySQL.
It is not part of the defaults of MySQL and therefore, we will not be
changing it.
--- snapp from Bugzilla #108779 ---
Yours sincerely,
Robert
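The init-script check quoted in the bug report and the two suggestions in Comment #6 concern the same failure: the start-up probe runs `mysqladmin ping` with no credentials and only inspects stdout, so as soon as root has a password the ping is refused, stdout is empty, and the script reports a timeout although mysqld is running. The example below is added here and is not from the list post, the Fedora package or the Bugzilla attachment. It is a POSIX shell probe that captures both streams and treats an authentication refusal as proof that the server is up, since only a running mysqld can deny access. The mysqladmin path and the POLL_INTERVAL knob are assumptions.

```shell
#!/bin/sh
# Added example, not the Fedora mysqld init script: a start-up probe that
# works whether or not the MySQL 'root' account has a password.
#
# The quoted script ran "mysqladmin ping 2> /dev/null" and tested stdout
# for non-emptiness.  With a password on root the ping is refused, stdout
# is empty, and the script reports a timeout while mysqld is alive.
# Here both streams are captured and an "Access denied" reply counts as
# "up": the grant table can only reject a client if the server is running.

MYSQLADMIN="${MYSQLADMIN:-/usr/bin/mysqladmin}"   # path is an assumption
POLL_INTERVAL="${POLL_INTERVAL:-1}"               # seconds between probes

# classify_reply REPLY_TEXT: prints "up" when the text shows that mysqld
# answered (ping succeeded, or the grant table rejected the probe user),
# "down" for anything else (socket missing, connection refused, no binary).
classify_reply() {
    case "$1" in
        *"mysqld is alive"*) echo up ;;
        *"Access denied"*)   echo up ;;
        *)                   echo down ;;
    esac
}

# mysqld_answered: one probe; exit status 0 if mysqld answered.
# The exit status of mysqladmin is deliberately ignored: a refused ping
# exits non-zero, and that is exactly the case the old check got wrong.
mysqld_answered() {
    reply=$("$MYSQLADMIN" ping 2>&1 || true)
    [ "$(classify_reply "$reply")" = up ]
}

# wait_for_mysqld MAX_TRIES: poll once per POLL_INTERVAL until mysqld
# answers; exit status 0 on success, 1 after MAX_TRIES failed probes.
wait_for_mysqld() {
    tries="${1:-10}"
    while [ "$tries" -gt 0 ]; do
        if mysqld_answered; then
            return 0
        fi
        sleep "$POLL_INTERVAL"
        tries=$((tries - 1))
    done
    return 1
}

# Usage in the start) branch of an init script, mirroring the quoted one:
#   if wait_for_mysqld 10; then
#       action $"Starting $prog: " /bin/true
#   else
#       echo "Timeout error occurred trying to start MySQL Daemon."
#       action $"Starting $prog: " /bin/false
#   fi
```

This keeps root's password in place and needs no extra account or stored credential in the init script. The other route from Comment #6, a localhost-only account with no rights (in MySQL terms a `GRANT USAGE` with nothing else), also works with the quoted check unchanged as long as the script pings with that user's name; what neither route leaves behind is the default state shown at the top of the mail, where anyone who can reach port 3306 connects as root without a password.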