[debian-mysql] Bug#435744: mysql-server-5.0: mysqladmin does not update all root passwords
Frédéric Brière
fbriere at fbriere.net
Thu Aug 2 22:29:25 UTC 2007
Package: mysql-server-5.0
Version: 5.0.45-1
Severity: important
Tags: security

(Tagging +security, as this left me with two password-less root MySQL
accounts.)

Since some version between sarge and etch, mysql-server-5.0 now creates
three MySQL root accounts: root@localhost, root@$HOSTNAME and
root@127.0.0.1. (Is this documented somewhere? Upstream only creates
two, according to the manual.)

The (only?) recommended way to change the root password, as stated in
README.Debian, is to use mysqladmin -u root. This, however, will only
modify the password of root@localhost, and leave the other two as they
were. (In my case, since I installed using etch before upgrading to
sarge, I ended up with two password-less root accounts that I wasn't
aware of, until my next reboot when your check script flagged them.)

I'm not all too familiar with the finer working points of MySQL, but is
there a need for creating all three root accounts by default? Could
this either be skipped, or made optional? Are there any situations
where root@localhost will not work?

Failing that, README.Debian should be updated to either instruct to run
mysqladmin thrice, or ditch it and run SQL commands directly (SET
PASSWORD or UPDATE).

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-1-k7 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages mysql-server-5.0 depends on:
ii adduser 3.104 add and remove users and groups
ii debconf [debconf-2.0] 1.5.14 Debian configuration management sy
ii libc6 2.6-5 GNU C Library: Shared libraries
ii libdbi-perl 1.57-1 Perl5 database interface by Tim Bu
ii libgcc1 1:4.2.1-1 GCC support library
ii libmysqlclient15off 5.0.45-1 MySQL database client library
ii libncurses5 5.6+20070716-1 Shared libraries for terminal hand
ii libreadline5 5.2-3 GNU readline and history libraries
ii libstdc++6 4.2.1-1 The GNU Standard C++ Library v3
ii libwrap0 7.6.dbs-14 Wietse Venema's TCP wrappers libra
ii lsb-base 3.1-24 Linux Standard Base 3.1 init scrip
ii mysql-client-5.0 5.0.45-1 MySQL database client binaries
ii mysql-common 5.0.45-1 MySQL database common files
ii passwd 1:4.0.18.1-11 change and administer password and
ii perl 5.8.8-7 Larry Wall's Practical Extraction
ii psmisc 22.5-1 Utilities that use the proc filesy
ii zlib1g 1:1.2.3.3.dfsg-5 compression library - runtime
Versions of packages mysql-server-5.0 recommends:
ii mailx 1:8.1.2-0.20070424cvs-1 A simple mail user agent
-- debconf information:
mysql-server-5.0/really_downgrade: false
mysql-server-5.0/need_sarge_compat: false
mysql-server-5.0/start_on_boot: true
mysql-server/error_setting_password:
mysql-server-5.0/nis_warning:
mysql-server-5.0/postrm_remove_databases: false
mysql-server-5.0/need_sarge_compat_done: true
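
The SQL route mentioned in the report (SET PASSWORD or UPDATE), as an added example that is not part of the original message or of README.Debian: it audits every root row in the grant table and then sets a password on all of them. It assumes the MySQL 5.0 grant-table layout (`mysql.user` with a `Password` column); `CHANGE_ME` and `myhost.example` are placeholders for the new password and for the machine's own `$HOSTNAME` entry.

```sql
-- Added example. Assumes MySQL 5.0 grant tables (mysql.user.Password).
-- 'CHANGE_ME' and 'myhost.example' are placeholders, not values from the report.

-- 1. Audit: list every root account and whether it has a password.
--    A fresh install as described in the report shows three rows here.
SELECT User, Host,
       IF(Password = '', 'NO PASSWORD', 'set') AS password_state
  FROM mysql.user
 WHERE User = 'root'
 ORDER BY Host;

-- 2a. Fix one account at a time. SET PASSWORD takes effect immediately,
--     so no FLUSH PRIVILEGES is needed.
SET PASSWORD FOR 'root'@'localhost'      = PASSWORD('CHANGE_ME');
SET PASSWORD FOR 'root'@'127.0.0.1'      = PASSWORD('CHANGE_ME');
SET PASSWORD FOR 'root'@'myhost.example' = PASSWORD('CHANGE_ME');

-- 2b. Alternative: update every root row in one statement, whatever
--     Host values exist. Direct edits to the grant tables are only
--     picked up after FLUSH PRIVILEGES.
UPDATE mysql.user
   SET Password = PASSWORD('CHANGE_ME')
 WHERE User = 'root';
FLUSH PRIVILEGES;

-- 3. Verify: this must return 0 before the job is considered done.
SELECT COUNT(*) AS passwordless_root
  FROM mysql.user
 WHERE User = 'root'
   AND Password = '';
```

Use either 2a or 2b, not both; 2b covers root rows whose Host value was not anticipated, which is the failure mode the report describes.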