Hello,
playing around with the latest MySQL from Rawhide, I noticed, that there is
a bug or a problem in the new MySQL init script.
My "problem" was, that I set a password to the MySQL user 'root' and so
the original new init script fails.
I posted that at bugzilla, my posting is closed now, because supposedly all
works fine and it isn't a problem...
I personally think that's a brashness!
It is a pity, that the bugzilla report only can be read by the group
'rhnpm', so I was so free to post it here again ;-)
BTW: The original report was: #108779
If I read all correctly you don't need a password for the MySQL user 'root'
- that's fine and it's no security hole - really nice! :-/
On a test system installed Fedora Core 1 with the actual mysql - NOTHING
changed:
mysql> SELECT HOST,USER,PASSWORD FROM user;
+-------------+------+----------+
| HOST        | USER | PASSWORD |
+-------------+------+----------+
| localhost   | root |          |
| sirendipity | root |          |
| localhost   |      |          |
| sirendipity |      |          |
+-------------+------+----------+
4 rows in set (0.01 sec)
$ netstat -alpen | grep mysql
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 0 346662 19079/mysqld
It's good to know, that here isn't any security problem, too.
10.0.0.2 = sirendipity
# mysql -h 10.0.0.2 -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 3.23.58
So root has still to set a password as you can read it at SecurityFocus:
http://www.securityfocus.com/infocus/1726
I actually interpret the current default configuration of mysql and the
init script absolutely as misconfiguration.
In my eyes NOTHING is okay - that doesn't fit to the other Red Hat security
patches and settings!
So what's up?! Could someone explain to me why my message was handled so
wrongly?
--- snipp from Bugzilla #108779 ---
Opened by (Robert Scheck) on 2003-11-01 16:56
Description of problem, how reproducible and steps to reproduce:
# service mysqld restart
Stopping MySQL: [ OK ]
Timeout error occurred trying to start MySQL Daemon.
Starting MySQL: [FAILED]
#
It displays only an error, but mysqld lives!
Version-Release number of selected component (if applicable):
mysql-3.23.58-4
Actual results:
If I do a mysqladmin ping at my system I get the following:
# mysqladmin ping
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user: 'root@localhost' (Using password: NO)'
#
I've to use a password:
# mysqladmin -u root -p ping
Enter password:
mysqld is alive
#
Or I've to use the MySQL user:
# mysqladmin -u mysqld ping
mysqld is alive
#
Expected results and additional info:
The error is caused by that section:
# Spin for a maximum of ten seconds waiting for the server to come up
if [ $ret -eq 0 ]; then
    for x in 1 2 3 4 5 6 7 8 9 10; do
        if [ -n "`/usr/bin/mysqladmin ping 2> /dev/null`" ]; then
            break;
        else
            sleep 1;
        fi
    done
    if !([ -n "`/usr/bin/mysqladmin ping 2> /dev/null`" ]); then
        echo "Timeout error occurred trying to start MySQL Daemon."
        action $"Starting $prog: " /bin/false
    else
        action $"Starting $prog: " /bin/true
    fi
else
    action $"Starting $prog: " /bin/false
fi
You can't do that so - you've seen it above!
I added a new init script solving that problem.
And I think it's ugly to use "2> /dev/null" at a Bash script...
---
Additional Comment #1 From Robert Scheck on 2003-11-01 17:02
Created an attachment (id=95652)
Fix for mysqld for /etc/init.d
---
Additional Comment #2 From Kim Ho on 2003-11-03 11:20
I am having problems reproducing this problem.
[root@tomaluk init.d]# service mysqld start
Initializing MySQL database: [ OK ]
Starting MySQL: [ OK ]
[root@tomaluk init.d]# mysqladmin ping
mysqld is alive
[root@tomaluk init.d]#
[root@tomaluk init.d]# service mysqld restart
Stopping MySQL: [ OK ]
Starting MySQL: [ OK ]
[root@tomaluk init.d]# service mysqld stop
Stopping MySQL: [ OK ]
[root@tomaluk init.d]#
The only way I was able to reproduce it was:
mysql> select user,host from user;
+------+----------------------------+
| user | host                       |
+------+----------------------------+
|      | localhost                  |
| root | localhost                  |
|      | tomaluk.toronto.redhat.com |
| root | tomaluk.toronto.redhat.com |
+------+----------------------------+
4 rows in set (0.00 sec)
mysql> delete from user where user='';
Query OK, 2 rows affected (0.00 sec)
mysql> \q
Bye
[root@tomaluk init.d]# mysqladmin ping
mysqld is alive
[root@tomaluk init.d]# service mysqld restart
Stopping MySQL: [ OK ]
Timeout error occurred trying to start MySQL Daemon.
Starting MySQL: [FAILED]
[root@tomaluk init.d]# mysqladmin -u root ping
mysqld is alive
Please let me know if the users in mysql have been changed. (e.g. the
removal of anonymous users)
---
Additional Comment #3 From Robert Scheck on 2003-11-03 11:37
mysql> select user,host from user;
+---------+-----------+
| user    | host      |
+---------+-----------+
| root    | hurricane |
|         | localhost |
+---------+-----------+
Well, I only gave root a password...
And it's correct to give mysql-root a password, because that is explicitly
written in the mysql documentation!
---
Additional Comment #4 From Robert Scheck on 2003-11-03 11:45
Have a look at the documentation:
http://www.mysql.de/doc/en/Default_privileges.html
---
Additional Comment #5 From Kim Ho on 2003-11-03 14:05
The defaults work fine.
If you change the settings, then you will have to make the appropriate
changes in the scripts.
---
Additional Comment #6 From Robert Scheck on 2003-11-03 15:38
The default works fine, as long as the admin doesn't change the password
for the mysql root user.
But as described in the MySQL admin documentation, everybody _must_ change
this, in order to close a security hole:
Because your installation is initially wide open, one of the first
things you should do is specify a password for the MySQL root user.
You can do this as follows (note that you specify the password
using the PASSWORD() function):
Try mysql -u root. If you are able to connect successfully to the
server without being asked for a password, you have problems.
Anyone can connect to your MySQL server as the MySQL root user with
full privileges! Review the MySQL installation instructions, paying
particular attention to the item about setting a root password.
One solution would be to create a "dummy" mysql user restricted to
localhost and with no rights.
Another solution would be to remove the new changes and to live without a
check whether the mysql server runs or not.
And could you please remove the binding in bugzilla to the group rhnpm?
Thank you very much. I think that's interesting for other users, too.
---
Additional Comment #7 From Kim Ho on 2003-11-03 15:54
No.. if everyone _HAS TO_ change this, it would have been part of
setting up MySQL.
It is not part of the defaults of MySQL and therefore, we will not be
changing it.
--- snapp from Bugzilla #108779 ---
Yours sincerely,
Robert
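
Added example (not part of the original message, the Bugzilla attachment or the Red Hat init script): a start-up check that keeps working once the MySQL root user has a password, by treating an "Access denied" reply from mysqladmin ping as proof that the server is answering. The function names and the two stand-in ping commands are hypothetical; the "Access denied" text is the one quoted in the report above, the "Can't connect" reply is a constructed sample.

```shell
#!/bin/sh
# Classify the combined stdout/stderr of "mysqladmin ping".
# "Access denied" means the server accepted the TCP/socket connection and
# rejected the login, so the daemon is up even though ping "failed".
ping_says_up() {
    case "$1" in
        *"mysqld is alive"*)        return 0 ;;
        *"Access denied for user"*) return 0 ;;
        *)                          return 1 ;;
    esac
}

# wait_for_mysqld TRIES PING_COMMAND [ARGS...]
# Runs PING_COMMAND up to TRIES times, one second apart.
# Returns 0 as soon as the server answers, 1 on timeout.
wait_for_mysqld() {
    tries=$1
    shift
    i=0
    while [ "$i" -lt "$tries" ]; do
        # Capture stderr as well instead of discarding it: the error text
        # is what tells "wrong credentials" apart from "not running".
        reply=$("$@" 2>&1) || true
        if ping_says_up "$reply"; then
            return 0
        fi
        i=$((i + 1))
        if [ "$i" -lt "$tries" ]; then
            sleep 1
        fi
    done
    return 1
}

# Constructed stand-ins for mysqladmin so the example runs without a server.
fake_ping_denied() {   # root has a password, no credentials supplied
    echo "mysqladmin: connect to server at 'localhost' failed" >&2
    echo "error: 'Access denied for user: 'root@localhost' (Using password: NO)'" >&2
    return 1
}
fake_ping_down() {     # daemon not running (constructed sample reply)
    echo "mysqladmin: connect to server at 'localhost' failed" >&2
    echo "error: 'Can't connect to local MySQL server through socket'" >&2
    return 1
}

# In an init script: wait_for_mysqld 10 /usr/bin/mysqladmin ping
```

With this check the init script needs neither a passwordless root account nor a stored password, so the root password recommended by the MySQL documentation can be set without breaking "service mysqld restart".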