Issue #4688

Free up root access on MariaDB

Added by François Poulain over 3 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: Normal
Category: -
Target version:
Start date: 08/24/2020
Due date:
% Done: 0%
Estimated time:
Difficulty: 2 Easy

Description

By default on modern Debian, root can log in to MariaDB without a password.
It seems reasonable to generalize that.
Asking root for the password is just busting their chops. :)

History

#1

Updated by Quentin Gibeaux over 3 years ago

  • Target version changed from Backlog to Backlog de camp
#2

Updated by François Poulain almost 3 years ago

  • Assignee set to François Poulain

Apparently the difference lies in /etc/mysql/debian.cnf, in the user and passwd fields. However, the file begins with a prominent

# Automatically generated for Debian scripts. DO NOT TOUCH!

So the real question is: how to do this properly, the Debian way. I'm starting to dig into the docs.

#3

Updated by François Poulain almost 3 years ago

/usr/share/doc/mariadb-server-10.3/README.Debian.gz

* ROOT USER AUTHENTICATION VIA UNIX SOCKET
==========================================
On new installs no root password is set and no debian-sys-maint user is
created anymore. Instead the MariaDB root account is set to be authenticated
using the unix socket, e.g. any mysqld invocation by root or via sudo will
let the user see the mysqld prompt.

You may never ever delete the mysql user "root". Although it has no password
is set, the unix_auth plugin ensure that it can only be run locally as the root
user.

The credentials in /etc/mysql/debian.cnf specify the user which is used by the
init scripts to stop the server and perform logrotation. This used to be the
debian-sys-maint user which is no longer used as root can run directly.

If you have start/stop problems make sure that the /etc/mysql/debian.cnf file
specifies the root user and no password.
#4

Updated by François Poulain almost 3 years ago

Given how the conf is handled in the packaging, the "do not touch" seems a bit exaggerated. I'll try a manual change on pad-test to see.
https://salsa.debian.org/search?utf8=%E2%9C%93&search=debian.cnf&group_id=2326&project_id=32690&scope=&search_code=true&snippets=false&repository_ref=buster&nav_source=navbar

#5

Updated by François Poulain almost 3 years ago

Well, that doesn't work. I'll try asking the maintainers.

#6

Updated by François Poulain almost 3 years ago

The answer came from the #mysql IRC channel on freenode.

PoluX    Hi. On debian buster I have legacy credential behavior on old installations (i.e. with debian-sys-maint) and I would like to migrate them to the new way of (no password as root on socket). I didn't find in docs how to do so. Any hint? I tried to move user to root and password to empty in debian.cnf but it didn't work
thumbs    PoluX: just alter the root@localhost user
thumbs    PoluX: you can then get rid of the old debian nonsense
thumbs    !t PoluX root as root
ubiquity_bot    PoluX: If "mysql -u root" only works as the system root user, you might be using the auth_socket plugin. SELECT user, host, plugin FROM mysql.user; and see https://dev.mysql.com/doc/refman/5.7/en/socket-pluggable-authentication.html

thumbs    !m PoluX alter user
ubiquity_bot    PoluX: See https://dev.mysql.com/doc/refman/5.7/en/alter-user.html

PoluX    thumbs: thanks
thumbs    the debian folks really need to stop inventing nonsense and offloading support for their nonsense to other communities
PoluX    thumbs: it works, thanks

You need to connect to MySQL as root and alter the root user so that it authenticates via the unix_socket plugin. The simplest way to do that is to take the credentials from debian.cnf.

# mysql -u debian-sys-maint -proot
MariaDB [(none)]> SELECT user, host, plugin FROM mysql.user;
+------------------+-----------+--------+
| user             | host      | plugin |
+------------------+-----------+--------+
| root             | localhost |        |

...

+------------------+-----------+--------+

MariaDB [(none)]> ALTER USER root@localhost IDENTIFIED WITH unix_socket;
Query OK, 0 rows affected (0.051 sec)

MariaDB [(none)]> SELECT user, host, plugin FROM mysql.user;
+------------------+-----------+-------------+
| user             | host      | plugin      |
+------------------+-----------+-------------+
| root             | localhost | unix_socket |

...

+------------------+-----------+-------------+

After which, set user=root and password= (nothing) in debian.cnf.
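
An added example, not part of the original ticket: a small shell check over the output of the SELECT user, host, plugin FROM mysql.user query shown above, flagging every root account that is not authenticated through unix_socket on localhost. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): audit root accounts after the migration.
# Input on stdin: tab-separated rows "user<TAB>host<TAB>plugin", as printed by
#   mysql -N -B -e "SELECT user, host, plugin FROM mysql.user"
# An empty plugin column means the account still authenticates by password.

audit_root_auth() {
    awk -F '\t' '
        $1 == "root" {
            plugin = ($3 == "" ? "(none: password auth)" : $3)
            # unix_socket only makes sense for the local socket account
            if ($3 == "unix_socket" && $2 == "localhost")
                printf "OK      root@%s plugin=%s\n", $2, plugin
            else
                printf "REVIEW  root@%s plugin=%s\n", $2, plugin
        }'
}

# Number of root accounts that still need attention (prints 0 when none).
count_review() {
    audit_root_auth | grep -c '^REVIEW' || true
}

# Constructed sample rows: state before and after the ALTER USER statement.
# The root@127.0.0.1 row is an assumption, added to show that altering
# root@localhost leaves other root@host entries unchanged.
SAMPLE_BEFORE=$(printf 'root\tlocalhost\t\ndebian-sys-maint\tlocalhost\t\nroot\t127.0.0.1\t\n')
SAMPLE_AFTER=$(printf 'root\tlocalhost\tunix_socket\ndebian-sys-maint\tlocalhost\t\nroot\t127.0.0.1\t\n')

echo "before:"; printf '%s\n' "$SAMPLE_BEFORE" | audit_root_auth
echo "after:";  printf '%s\n' "$SAMPLE_AFTER"  | audit_root_auth
```

On a live host, pipe the real query output into audit_root_auth instead of the sample variables.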

#7

Updated by François Poulain almost 3 years ago

After which, set user=root and password= (nothing) in debian.cnf.

Ah well, actually that's not even necessary. So I'm not going to roll out this dubious config change, which could upset logrotate and/or systemd, even though that's how it is on modern Debian.

#8

Updated by François Poulain almost 3 years ago

  • Status changed from New to Resolved

Done on:

- sympa
- dtc
- adl
- pad
- lamp
- agir
- candidatsfr

Not needed, since already in the modern Debian mode, on:

- spip
- admin
- cms-dev

Not possible on:

- drupal6
