[debian-mysql] Bug#784982: mysql-server: False positive when checking for insecure root accounts
Guilhem Moulin
guilhem at guilhem.org
Mon May 11 12:25:13 UTC 2015
Package: mysql-server
Version: 5.5.42-1
Severity: normal
Dear Maintainer,
When checking for insecure root accounts, ‘debian-start.inc.sh’ merely
lists root accounts with an empty password:
SELECT COUNT(*) FROM mysql.user WHERE user='root' and password='';
However, such an account can be perfectly secure if e.g., it is
associated with the ‘auth_socket’ plugin [1] (the client would have to
connect to Unix socket and use SO_PEERCRED).
The query could be amended as follows:
SELECT COUNT(*) FROM mysql.user WHERE user='root' and password='' and plugin!='auth_socket';
However some other plugins such as PAM could be considered secure as
well.
Cheers,
--
Guilhem.
[0] https://dev.mysql.com/doc/refman/5.5/en/pluggable-authentication.html
[1] https://dev.mysql.com/doc/refman/5.5/en/socket-authentication-plugin.html
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/attachments/20150511/bdec4af6/attachment.sig>
More information about the pkg-mysql-maint
mailing list