[pkg-go] Bug#953040: prometheus-mysqld-exporter: Regression on configuration disallows proper use of mysql auth_socket authentication

jynus jynus at jynus.com
Tue Mar 3 17:23:44 GMT 2020


Package: prometheus-mysqld-exporter
Version: 0.11.0+ds-1+b20
Severity: serious
Justification: Policy 10.9

Dear Maintainer,

After upgrading my MariaDB server boxes to buster, the version of the
prometheus mysqld exporter monitoring package stopped working. When
I checked the cause of it, the package very usefully logged the cause:

no user or password specified under [client] in /var/lib/prometheus/.my.s5.cnf

I checked, and my [client] section had a user config, plus a password one, except
it was configured on purpose like this:

password = ''

I confirmed that by adding a fully random password, different from the empty string,
the exporter started working again.

This is because I use socket-based authentication for the prometheus mysqld
exporter user (https://mariadb.com/kb/en/authentication-plugin-unix-socket/),
something that is a best practice in a secure production environment.
In fact, Debian uses socket_auth for the default-created root user, which
makes Debian mariadb installation much more secure.

This issue not only forces users to maintain a password on the filesystem
in clear text (that can be easily stolen or leaked by accident, and reused
for other similarly-configured systems), it bypasses the additional checks
of socket-auth, which requires a matching unix account with the same name
as that of the mysql account.

This is a regression because auth_socket was working properly on previous
versions of prometheus available on stretch and other OSs. Not only does this
break existing installations, it also discourages the usage of the above-mentioned,
more secure authentication mechanism.

If UI-friendly errors are preferred (because people forget to create or
protect mysql accounts), please allow me to specifically mark "this account
doesn't have a password, and I know what I am doing".

I have not reported this upstream.


-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages prometheus-mysqld-exporter depends on:
ii  daemon  0.6.4-1+b2
ii  libc6   2.28-10

prometheus-mysqld-exporter recommends no packages.

Versions of packages prometheus-mysqld-exporter suggests:
pn  default-mysql-server | virtual-mysql-server  <none>

-- no debconf information
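A worked illustration of the distinction this report turns on (a password key that is present but empty, versus one that is missing), added here as an example and not code from the exporter or from the reporter. It assumes a stdlib-only parser for the [client] section, a constructed sample config, a buildDSN helper emitting the go-sql-driver/mysql DSN form, and a hypothetical allowEmptyPassword opt-in standing in for the explicit marker the report asks for:

```go
package main
import (
	"bufio"
	"errors"
	"strings"
)

// Constructed sample shaped like the report's .my.cnf: password present but empty.
const sampleCnf = `[client]
user = prometheus
password = ''
socket = /run/mysqld/mysqld.sock`

// parseClientSection is a minimal stdlib reader for my.cnf-style files (not the
// exporter's own parser); a key present with an empty value is kept as such.
func parseClientSection(text string) map[string]string {
	vals, inClient := map[string]string{}, false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if line[0] == '[' && strings.HasSuffix(line, "]") {
			inClient = strings.EqualFold(line[1:len(line)-1], "client")
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if !inClient || len(kv) != 2 {
			continue // other sections, or bare options such as `ssl`
		}
		k, v := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		if len(v) >= 2 && (v[0] == '\'' || v[0] == '"') && v[len(v)-1] == v[0] {
			v = v[1 : len(v)-1] // strip quotes: '' becomes the empty string
		}
		vals[k] = v
	}
	return vals
}

// buildDSN with allowEmptyPassword=false reproduces the check the report hits
// (an empty password counts as "not specified"); with it set, a present but
// empty password is accepted and the server-side unix_socket plugin decides.
func buildDSN(cfg map[string]string, allowEmptyPassword bool) (string, error) {
	pass, hasPass := cfg["password"]
	if cfg["user"] == "" || !hasPass || (pass == "" && !allowEmptyPassword) {
		return "", errors.New("no user or password specified under [client]")
	}
	return cfg["user"] + ":" + pass + "@unix(" + cfg["socket"] + ")/", nil
}
```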


