This repository has been archived by the owner on Nov 8, 2019. It is now read-only.

MariaDB script doesn't setup root password properly #190

Open
sourcejedi opened this issue Mar 20, 2016 · 0 comments

I.e. loopback logins are possible without the root password. Logins from outside loopback are not permitted btw. So the root password we set up is pointless. (As well as the root user being pointless because the DB user is granted full permission anyway).

Contrast this code

```
mysqladmin -u root password "$ROOT_PASS"
```

with the "official" image:

        "${mysql[@]}" <<-EOSQL
            -- What's done in this file shouldn't be replicated
            --  or products like mysql-fabric won't work
            SET @@SESSION.SQL_LOG_BIN=0;
            DELETE FROM mysql.user ;
            CREATE USER 'root'@'%' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
            GRANT ALL ON *.* TO 'root'@'%' WITH GRANT OPTION ;
            DROP DATABASE IF EXISTS test ;
            FLUSH PRIVILEGES ;
        EOSQL

As a result:

```
$ docker run mariadb bash
$ scripts/start.sh &
$ mysql -h $(hostname) -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
```

It's due to the second line of the users table shown below. Note that 39264fcde276 was the randomly generated hostname for the docker container.

```
> select * from mysql.user;
| localhost    | root   | *EB772E0052174D3F1D29BED13D410A4B2B0E23B8 | ...
| 39264fcde276 | root   |                                           | ...
| 127.0.0.1    | root   |                                           | ...
| ::1          | root   |                                           | ...
| localhost    |        |                                           | ...
| 39264fcde276 |        |                                           | ...
```
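
A check for the condition shown in the table above, as an added example (not code from this repository or from the official image): it reads tab-separated Host, User, Password rows and flags every account that can log in without a password. The function names are hypothetical, and the `Password` column is assumed to match the MariaDB version in the issue.

```shell
#!/bin/sh
# Added example: flag mysql.user rows that permit login without a password.
# Input on stdin: tab-separated Host, User, Password rows, e.g. from
#   mysql -N -B -u root -p -e 'SELECT Host, User, Password FROM mysql.user'
# (assumption: the table exposes a Password column, as in the issue's output).

audit_mysql_users() {
    # One finding per risky row; exit status 1 if any row was flagged.
    awk -F'\t' '
        $3 == "" && $2 == "" { printf "ANON-NOPASS\t%s\n", $1; bad++; next }
        $3 == ""             { printf "NOPASS\t%s@%s\n", $2, $1; bad++; next }
        $2 == ""             { printf "ANON\t%s\n", $1; bad++ }
        END { exit (bad > 0) }
    '
}

# Constructed sample mirroring the rows quoted in the issue.
sample_rows() {
    printf '%s\t%s\t%s\n' \
        localhost    root '*EB772E0052174D3F1D29BED13D410A4B2B0E23B8' \
        39264fcde276 root '' \
        127.0.0.1    root '' \
        '::1'        root '' \
        localhost    ''   '' \
        39264fcde276 ''   ''
}

# Demonstration run: only root@localhost passes; the other five rows are flagged.
if ! sample_rows | audit_mysql_users; then
    echo "passwordless accounts present: image setup left default rows in place" >&2
fi
```

Run in an image build or CI step, the non-zero exit status fails the build while any of the default passwordless rows remain.
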
sourcejedi added a commit to sourcejedi/Fedora-Dockerfiles that referenced this issue Mar 23, 2016
mysqld is the only process on localhost.

Unprivileged remote mysql users should not be able to spoof as localhost.
If they can, something has gone very wrong, and it's quite possible they
could bypass the mysql root password anyway.

It might still be useful to have a separate root user, and it doesn't look
like it hurts to leave it around.

Closes issue fedora-cloud#190.