[debian-mysql] Bug#784982: mysql-server: False positive when checking for insecure root accounts

Guilhem Moulin guilhem at guilhem.org
Mon May 11 12:25:13 UTC 2015


Package: mysql-server
Version: 5.5.42-1
Severity: normal

Dear Maintainer,

When checking for insecure root accounts, ‘debian-start.inc.sh’ merely
lists root accounts with an empty password:

    SELECT COUNT(*) FROM mysql.user WHERE user='root' and password='';

However, such an account can be perfectly secure if e.g., it is
associated with the ‘auth_socket’ plugin [1] (the client would have to
connect to Unix socket and use SO_PEERCRED).

The query could be amended as follows:

    SELECT COUNT(*) FROM mysql.user WHERE user='root' and password='' and plugin!='auth_socket';

However some other plugins such as PAM could be considered secure as
well.

Cheers,
-- 
Guilhem.

[0] https://dev.mysql.com/doc/refman/5.5/en/pluggable-authentication.html
[1] https://dev.mysql.com/doc/refman/5.5/en/socket-authentication-plugin.html


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/attachments/20150511/bdec4af6/attachment.sig>


More information about the pkg-mysql-maint mailing list