Hello,
playing around with the latest MySQL from Rawhide, I noticed that there is a bug or a problem in the new MySQL init script.
My "problem" was that I set a password for the MySQL user 'root', and so the original new init script fails.
I posted that at Bugzilla; my posting is closed now, because supposedly everything works fine and it isn't a problem...
I personally think that's a brashness!
It is a pity that the Bugzilla report can only be read by the group 'rhnpm', so I took the liberty of posting it here again ;-)
BTW: The original report was: #108779
If I read everything correctly, you don't need a password for the MySQL user 'root' - that's fine and it's no security hole - really nice! :-/
On a test system installed Fedora Core 1 with the actual mysql - NOTHING changed:
mysql> SELECT HOST,USER,PASSWORD FROM user;
+-------------+------+----------+
| HOST        | USER | PASSWORD |
+-------------+------+----------+
| localhost   | root |          |
| sirendipity | root |          |
| localhost   |      |          |
| sirendipity |      |          |
+-------------+------+----------+
4 rows in set (0.01 sec)
$ netstat -alpen | grep mysql
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 0 346662 19079/mysqld
It's good to know that there isn't any security problem here, too.
10.0.0.2 = sirendipity
# mysql -h 10.0.0.2 -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 3.23.58
So root still has to set a password, as you can read at SecurityFocus:
http://www.securityfocus.com/infocus/1726
I actually interpret the current default configuration of mysql and the init script as an absolute misconfiguration.
In my eyes NOTHING is okay - that doesn't fit with the other Red Hat security patches and settings!
So what's up?! Could someone explain to me why my message was treated so wrongly?
--- snipp from Bugzilla #108779 ---
Opened by (Robert Scheck) on 2003-11-01 16:56
Description of problem, how reproducible and steps to reproduce:
# service mysqld restart
Stopping MySQL: [ OK ]
Timeout error occurred trying to start MySQL Daemon.
Starting MySQL: [FAILED]
#
It displays only an error, but mysqld lives!
Version-Release number of selected component (if applicable):
mysql-3.23.58-4
Actual results:
If I do a mysqladmin ping at my system I get the following:
# mysqladmin ping
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user: 'root@localhost' (Using password: NO)'
#
I've to use a password:
# mysqladmin -u root -p ping
Enter password:
mysqld is alive
#
Or I've to use the MySQL user:
# mysqladmin -u mysqld ping
mysqld is alive
#
Expected results and additional info:
The error is caused by that section:
# Spin for a maximum of ten seconds waiting for the server to come up
if [ $ret -eq 0 ]; then
    for x in 1 2 3 4 5 6 7 8 9 10; do
    if [ -n "`/usr/bin/mysqladmin ping 2> /dev/null`" ]; then
            break;
    else
            sleep 1;
    fi
    done
    if !([ -n "`/usr/bin/mysqladmin ping 2> /dev/null`" ]); then
            echo "Timeout error occurred trying to start MySQL Daemon."
            action $"Starting $prog: " /bin/false
    else
            action $"Starting $prog: " /bin/true
    fi
else
    action $"Starting $prog: " /bin/false
fi
You can't do it that way - you've seen it above! I added a new init script solving that problem. And I think it's ugly to use "2> /dev/null" in a Bash script...
---
Additional Comment #1 From Robert Scheck on 2003-11-01 17:02
Created an attachment (id=95652) Fix for mysqld for /etc/init.d
---
Additional Comment #2 From Kim Ho on 2003-11-03 11:20
I am having problems reproducing this problem.
[root@tomaluk init.d]# service mysqld start
Initializing MySQL database: [ OK ]
Starting MySQL: [ OK ]
[root@tomaluk init.d]# mysqladmin ping
mysqld is alive
[root@tomaluk init.d]#
[root@tomaluk init.d]# service mysqld restart
Stopping MySQL: [ OK ]
Starting MySQL: [ OK ]
[root@tomaluk init.d]# service mysqld stop
Stopping MySQL: [ OK ]
[root@tomaluk init.d]#
The only way I was able to reproduce it was:
mysql> select user,host from user;
+------+----------------------------+
| user | host                       |
+------+----------------------------+
|      | localhost                  |
| root | localhost                  |
|      | tomaluk.toronto.redhat.com |
| root | tomaluk.toronto.redhat.com |
+------+----------------------------+
4 rows in set (0.00 sec)
mysql> delete from user where user='';
Query OK, 2 rows affected (0.00 sec)
mysql> \q
Bye
[root@tomaluk init.d]# mysqladmin ping
mysqld is alive
[root@tomaluk init.d]# service mysqld restart
Stopping MySQL: [ OK ]
Timeout error occurred trying to start MySQL Daemon.
Starting MySQL: [FAILED]
[root@tomaluk init.d]# mysqladmin -u root ping
mysqld is alive
Please let me know if the users in mysql have been changed. (e.g. the removal of anonymous users)
---
Additional Comment #3 From Robert Scheck on 2003-11-03 11:37
mysql> select user,host from user;
+---------+-----------+
| user    | host      |
+---------+-----------+
| root    | hurricane |
|         | localhost |
+---------+-----------+
Well, I only gave root a password... And it's correct to give mysql-root a password, because that is explicitly written in the mysql documentation!
---
Additional Comment #4 From Robert Scheck on 2003-11-03 11:45
Have a look at the documentation: http://www.mysql.de/doc/en/Default_privileges.html
---
Additional Comment #5 From Kim Ho on 2003-11-03 14:05
The defaults work fine.
If you change the settings, then you will have to make the appropriate changes in the scripts.
---
Additional Comment #6 From Robert Scheck on 2003-11-03 15:38
The default works fine, as long as the admin doesn't change the password for the mysql root user.
But as described in the MySQL admin documentation, everybody _must_ change this, in order to close a security hole:
Because your installation is initially wide open, one of the first things you should do is specify a password for the MySQL root user. You can do this as follows (note that you specify the password using the PASSWORD() function):
Try mysql -u root. If you are able to connect successfully to the server without being asked for a password, you have problems. Anyone can connect to your MySQL server as the MySQL root user with full privileges! Review the MySQL installation instructions, paying particular attention to the item about setting a root password.
One solution would be to create a "dummy" mysql user restricted to localhost and with no rights.
Another solution would be to remove the new changes and to live without a check whether the mysql server runs or not.
And could you please remove the binding in bugzilla to the group rhnpm? Thank you very much. I think that's interesting for other users, too.
---
Additional Comment #7 From Kim Ho on 2003-11-03 15:54
No.. if everyone _HAS TO_ change this, it would have been part of setting up MySQL.
It is not part of the defaults of MySQL and therefore, we will not be changing it.
--- snapp from Bugzilla #108779 ---
Yours sincerely,
Robert
Robert Scheck wrote:
> playing around with the latest MySQL from Rawhide, I noticed that there is a bug or a problem in the new MySQL init script.
You're right. The "mysqladmin ping" command should be:
/usr/bin/mysqladmin ping -u UNKNOWN_USER 2> /dev/null
Otherwise, mysqladmin will always try to connect as the "root" user, which will almost always (and *should* always) have a password.
> I posted that at Bugzilla; my posting is closed now, because supposedly everything works fine and it isn't a problem...
> I personally think that's a brashness!
It might have been a misunderstanding. Hopefully it can be resolved.
> If I read everything correctly, you don't need a password for the MySQL user 'root'
> - that's fine and it's no security hole - really nice! :-/
I think the person you contacted was simply testing the "mysqladmin ping" command as a non-root user. As a non-root user, the command will work since it tries to connect anonymously rather than as root. If so, then he was simply unable to reproduce the problem because he was not testing the same way you were.
> Description of problem, how reproducible and steps to reproduce:
> # service mysqld restart
> Stopping MySQL: [ OK ]
> Timeout error occurred trying to start MySQL Daemon.
> Starting MySQL: [FAILED]
> #
> It displays only an error, but mysqld lives!
Yep. The script starts mysql properly, but fails to realize this.
> You can't do it that way - you've seen it above! I added a new init script solving that problem. And I think it's ugly to use "2> /dev/null" in a Bash script...
It's perfectly normal, and appropriate in this case.
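
Added example (not part of either message, and not the Red Hat init script or the attached fix): one way to make the start-up check independent of the MySQL root password is to treat an "Access denied" answer as proof that the server is running. The function names, PROBE_DELAY and the two probe_* stand-ins are hypothetical; UNKNOWN_USER is the placeholder user name from the reply above.

```shell
#!/bin/sh
# Added example: decide "server is up" from a mysqladmin ping probe without
# needing any MySQL credentials.

# classify_ping OUTPUT STATUS: print "up" or "down" for one probe result.
classify_ping() {
    if [ "$2" -eq 0 ]; then      # ping answered: "mysqld is alive"
        echo up; return 0
    fi
    case $1 in
        # Login refused means a running server answered the connection.
        *"Access denied for user"*) echo up; return 0 ;;
    esac
    echo down; return 1          # e.g. socket missing, connection refused
}

# wait_for_server TRIES CMD [ARGS...]: run the probe up to TRIES times,
# PROBE_DELAY seconds apart (default 1); return 0 as soon as it reports "up".
wait_for_server() {
    tries=$1; shift
    n=0
    while [ "$n" -lt "$tries" ]; do
        # Keep stderr: the "Access denied" text is printed there.
        out=$("$@" 2>&1) && rc=0 || rc=$?
        if classify_ping "$out" "$rc" > /dev/null; then
            return 0
        fi
        n=$((n + 1))
        sleep "${PROBE_DELAY:-1}"
    done
    return 1
}

# Constructed stand-ins for mysqladmin so the example runs offline.
probe_denied() {   # server up, root has a password (message as in the report)
    echo "error: 'Access denied for user: 'root@localhost' (Using password: NO)'" >&2
    return 1
}
probe_down() {     # constructed message: no server listening
    echo "error: 'Can't connect to local MySQL server through socket'" >&2
    return 1
}

# In an init script the call would be, with the user name from the reply:
#   wait_for_server 10 /usr/bin/mysqladmin ping -u UNKNOWN_USER
```

The check never sends a password, so it gives the same result whether or not the MySQL root account has one set.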