Comments (3)
This also happens on Debian 9
from mysql-formula.
In fact, this formula does not allow changing the root password. I think it's logical because it does not have access to the old and the new password at the same time to change it.
The README says
Debian OS family supports setting MySQL root password during install via debconf.
which I understand as:
- only setting password at install is supported
- and only Debian is supported
But maybe the README could be updated to specify this.
from mysql-formula.
Isn't that readme line clear as-is? Debconf and Debian, only on Debian and Debian-alike systems. This is expected behaviour because the MySQL and MariaDB packages on Debian allow setting the initial root password via the DPKG installer's Debconf settings.
This was probably implemented by someone initially adding Debian support or creating the formula.
You can't change the root password for MySQL with only 1 point of storage, i.e. mysql.server.root_password. The MySQL module wouldn't be able to store both the old and the new password and thus won't be able to log in using the old one and then set the new one. This means you would have to store the password twice (as suggested earlier), once on the server for salt-minion to read on login, and once in the pillar. Then it would be able to match the passwords, detect changes, apply them to the server first and then to the local stored password.
This whole setup would be insecure at best and most likely simply not something you'd ever want on a production system. On the other hand, the Debian sys-maint user already does this initially after installation, so if that setup were to be replicated, how insecure would it really be? Also, if you are root on a box, you practically own everything already, so having a plaintext root password file that can only be read by root might not be all that 'less secure' at all, unless there would be a way for a non-root user to exploit a bug and read the file, but then that would go for the sys-maint user as well. Tricky stuff.
I'd suggest the following until this is actually resolved:
- don't allow any special root modification to begin with, except for what is already supported
- add a caveat section to the readme explaining the chicken-and-egg problem with the root password
One way to implement this more universally is by using the normal root password recovery method, but you'd still have to check if the current root password differs from the installed root password. This could be done by logging in and checking if it succeeded. If not: use root password recovery to reset it. If the login worked, the password was already good as-is. But then you'd run the risk of adding more and more entries since logging in also depends on the LHOST and RHOST, so you'd have to account for that as well. On top of that, the database will be offline twice while it stops and starts, and in the middle of the password change it will be insecure since 'ignore grant' will be on after the first shutdown-startup loop. Since it is a pretty hard way to reset the password, it should probably come with a warning in the docs, and a special pillar value like 'recover_password' that must be set to true before root password changes are allowed.
Maybe MySQL simply has no 'good' way of managing the root user automatically. It would be great if it had something like Postgres, where the postgres local user is also the administrative database user and, instead of using a password to identify the user, you would use Unix user IDs on a local socket. Or maybe something like LDAP or GSSAPI...
from mysql-formula.
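The two-points-of-storage approach and the 'recover_password' gate discussed in the comments above, as an added example that is not code from mysql-formula. The MySQL server is a constructed in-memory stand-in, the local credential file path is hypothetical (it plays the role of Debian's root-only debian.cnf), and the actual recovery procedure (restarting with grants disabled) is deliberately left out; the point is the decision logic and the order of operations: change the server first, then the local copy.

```python
# Added example (not code from mysql-formula): models the chicken-and-egg
# problem from the thread with two points of storage for the root password,
# a pillar value and a root-only local credential file, plus a constructed
# in-memory stand-in for the MySQL server.
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class FakeMySQLServer:
    """Constructed stand-in: only knows the current root password."""
    root_password: str

    def login(self, password: str) -> bool:
        return password == self.root_password

    def set_root_password(self, old: str, new: str) -> None:
        # A real server needs a working login before it changes the password.
        if not self.login(old):
            raise PermissionError("login with old root password failed")
        self.root_password = new


def read_local_password(path: str):
    """Return the locally cached root password, or None if the file is absent."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


def write_local_password(path: str, password: str) -> None:
    """Store the password root-only (mode 0600), like Debian's debian.cnf."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(password + "\n")
    os.chmod(path, 0o600)  # enforce the mode even if the file already existed


def local_file_mode(path: str) -> int:
    """Permission bits of the credential file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def reconcile_root_password(server, local_file, pillar_password, recover_password=False):
    """Decide and apply what the state should do; returns a Salt-like result dict.

    Order matters: change the server first, then the local copy, so a failed
    server change never leaves the local file holding a password that does not work.
    """
    local = read_local_password(local_file)
    if server.login(pillar_password):
        # Pillar already matches the server; only refresh a drifted local copy.
        if local != pillar_password:
            write_local_password(local_file, pillar_password)
            return {"changed": True, "action": "local_updated"}
        return {"changed": False, "action": "noop"}
    if local is not None and server.login(local):
        # Old password known and still valid: rotate on the server, then locally.
        server.set_root_password(local, pillar_password)
        write_local_password(local_file, pillar_password)
        return {"changed": True, "action": "rotated"}
    # Neither password logs in: only the disruptive recovery path remains,
    # and it is gated behind an explicit pillar flag as the thread suggests.
    if recover_password:
        return {"changed": False, "action": "recovery_required",
                "comment": "restart with grants disabled is out of scope here"}
    return {"changed": False, "action": "refused",
            "comment": "set recover_password: true to allow a root password reset"}


def demo() -> dict:
    """Run the scenarios from the thread in a temp dir and return their outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        local_file = os.path.join(tmp, "root.cnf")  # hypothetical path
        server = FakeMySQLServer(root_password="initial")
        write_local_password(local_file, "initial")  # what the installer left behind
        rotate = reconcile_root_password(server, local_file, "new-secret")
        rerun = reconcile_root_password(server, local_file, "new-secret")
        out = {
            "rotate": rotate["action"],
            "rerun": rerun["action"],
            "server_password": server.root_password,
            "local_password": read_local_password(local_file),
            "local_mode": local_file_mode(local_file),
        }
        # Lost local copy and unknown server password: refuse unless recovery is allowed.
        stranded = FakeMySQLServer(root_password="unknown")
        missing = os.path.join(tmp, "missing.cnf")
        out["refused"] = reconcile_root_password(stranded, missing, "x")["action"]
        out["recovery"] = reconcile_root_password(stranded, missing, "x", True)["action"]
        return out


if __name__ == "__main__":
    print(demo())
```

Running the module prints the outcome of each scenario: the first apply rotates the password and the second is a no-op, while a host whose local copy is gone is refused unless the recovery flag is set. The file is written through `os.open` with mode 0600 and then `chmod`ed again so a pre-existing, more permissive file does not keep its old mode.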