summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
authorKristian Nielsen <knielsen@knielsen-hq.org>2017-01-13 11:25:38 +0100
committerKristian Nielsen <knielsen@knielsen-hq.org>2017-01-17 17:13:14 +0100
commit736afe868094b9aa24211c3772fb3b297d62d8fc (patch)
tree4ea1d67657bf3bad943fe40040a912a9f6dc3402 /debian
parent719e81132d071ade354b887fe80cd2daabc045e7 (diff)
downloadmariadb-git-736afe868094b9aa24211c3772fb3b297d62d8fc.tar.gz
mysql_install_db enhancements to facilitate Debian bug#848616 fix
In Debian, the default install is made more secure by omitting the anonymous user and by making the root account authenticate by unix socket authentication instead of the default password-less root. However, Debian hard-codes this change in mysql_install_db, which breaks that program for other users. This commit instead implements new general options for mysql_install_db that can be used by anyone to similarly perform a more secure install: --skip-auth-anonymous-user: omits the anonymous user. --auth-root-authentication-method=normal: Keeps the existing behaviour with a password-less root account. Currently on by default. --auth-root-socket-user=USER --auth-root-authentication-method=socket: creates the MariaDB root user with the name USER (defaults to 'root') and using unix socket authentication. This way, only that user has MariaDB root access after install. The idea with --auth-root-authentication-method=normal is that applications that need this behaviour can give that option explicitly. Then eventually we could make --auth-root-authentication-method=socket the default, giving a more secure default installation. Note that it is perfectly possible to do a secure install with --auth-root-authentication-method=normal. For example, installing a private server just for local access by a single OS-level user, by using --skip-networking and putting the connection socket in a location without public access. So it is important to preserve this API for backwards compatibility.
Diffstat (limited to 'debian')
-rwxr-xr-xdebian/patches/33_scripts__mysql_create_system_tables__no_test.dpatch24
1 files changed, 12 insertions, 12 deletions
diff --git a/debian/patches/33_scripts__mysql_create_system_tables__no_test.dpatch b/debian/patches/33_scripts__mysql_create_system_tables__no_test.dpatch
index 6547e4434f1..183212ef678 100755
--- a/debian/patches/33_scripts__mysql_create_system_tables__no_test.dpatch
+++ b/debian/patches/33_scripts__mysql_create_system_tables__no_test.dpatch
@@ -8,8 +8,8 @@
## DP: http://bugs.mysql.com/bug.php?id=6901
@DPATCH@
---- old/scripts/mysql_system_tables_data.sql 2008-12-04 22:59:44.000000000 +0100
-+++ new/scripts/mysql_system_tables_data.sql 2008-12-04 23:00:07.000000000 +0100
+--- a/scripts/mysql_system_tables_data.sql
++++ b/scripts/mysql_system_tables_data.sql
@@ -26,16 +26,6 @@
-- a plain character
SELECT LOWER( REPLACE((SELECT REPLACE(@@hostname,'_','\_')),'%','\%') )INTO @current_hostname;
@@ -26,14 +26,14 @@
-
-- Fill "user" table with default users allowing root access
-- from local machine if "user" table didn't exist before
- CREATE TEMPORARY TABLE tmp_user LIKE user;
-@@ -43,8 +33,6 @@ INSERT INTO tmp_user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','
- REPLACE INTO tmp_user SELECT @current_hostname,'root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N','N','',0 FROM dual WHERE @current_hostname != 'localhost';
- REPLACE INTO tmp_user VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N','N','',0);
- REPLACE INTO tmp_user VALUES ('::1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N','N', '', 0);
--INSERT INTO tmp_user (host,user) VALUES ('localhost','');
--INSERT INTO tmp_user (host,user) SELECT @current_hostname,'' FROM dual WHERE @current_hostname != 'localhost';
- INSERT INTO user SELECT * FROM tmp_user WHERE @had_user_table=0;
- DROP TABLE tmp_user;
+ CREATE TEMPORARY TABLE tmp_user_nopasswd LIKE user;
+@@ -48,9 +38,6 @@ REPLACE INTO tmp_user_nopasswd VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y'
+ REPLACE INTO tmp_user_nopasswd VALUES ('::1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'','','N','N', '', 0);
+ -- More secure root account using unix sucket auth.
+ INSERT INTO tmp_user_socket VALUES ('localhost',IFNULL(@auth_root_socket, 'root'),'','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'unix_socket','','N', 'N','', 0);
+--- Anonymous user with no privileges.
+-INSERT INTO tmp_user_anonymous (host,user) VALUES ('localhost','');
+-INSERT INTO tmp_user_anonymous (host,user) SELECT @current_hostname,'' FROM dual WHERE @current_hostname != 'localhost';
-
+ INSERT INTO user SELECT * FROM tmp_user_nopasswd WHERE @had_user_table=0 AND @skip_auth_root_nopasswd IS NULL;
+ INSERT INTO user SELECT * FROM tmp_user_socket WHERE @had_user_table=0 AND @auth_root_socket IS NOT NULL;